7 Risk Management Insights for Social Engineering and Ransomware Threats

By: | March 4, 2022

Tim is the Director of Cyber Risk at IMA, Inc. Areas of focus include creation of custom risk transfer programs based on industry segment, loss control solutions and fostering partnerships with service providers. Tim has over 20 years of experience underwriting and selling Cyber insurance. He can be reached at [email protected]

Possibly one of the biggest misconceptions about cyber risk is that the companies with a vast amount of confidential data are the most common targets of cyberattacks.

However, in the last few years, we’ve seen an increasing number of hackers looking to deploy ransomware based on vulnerabilities, not a designated industry class. We also continue to see a plethora of social engineering exploits designed to re-direct funds. If your company isn’t equipped with the right tools and knowledge, the loss of funds and revenue due to the interruption of operations can be catastrophic.

We’ve outlined seven strategies to mitigate cyber risk and social engineering.

1) Cyber Insurance

Cyber insurance provides a financial backstop for risks associated with network security failures, privacy breaches and social engineering. As organizations become increasingly reliant on information technology, their insurance program should align with these ever-increasing perils. There is a robust marketplace for dedicated Cyber insurance and companies should actively look to transfer these risks.

2) Employee Training

Employees are the underlying cause in the majority of the claims we see. Undoubtedly, the best advice we can give our clients is to implement a robust training program. This should include mandatory employee training on social engineering and focused phishing training for employees in finance and accounting. Educating employees on what red flags to look for is the ounce of prevention that is worth a pound of cure.

In addition to training programs at the start of employment, we also recommend promoting a culture of vigilance and enforcement. There should be policies and consequences for those who violate best practices in this area. To help with this, many cyber insurance companies will provide a complimentary or discounted employee education service as part of their policy benefits.

3) Callback Provisions

Fraudsters are going as far as diving into employees’ psyches to try to trick them into completing tasks on behalf of their supervisors by a certain deadline.

For example, an employee in accounts payable will receive an email from what appears to be a vendor 15 minutes before the close of business on a Friday afternoon. The fraudster has had access to the company email system and is now asking the employee to change payment wiring instructions. That same employee is also getting ready to leave on vacation, is eager to get this done, and makes the change without authentication.

In cases like this, employees should feel empowered to take a step back to verify instances that seem out of the ordinary. There should also be a mandatory protocol in place to obtain direct verbal confirmation from a known contact for all payment or funds transfer revisions from vendors, clients, or customers.

4) Technical Controls

Based on our collective experience managing numerous Cyber events, the following are now deemed “must have” controls:

• Multi-factor authentication to secure all remote access to your network

• Multi-factor authentication to protect access to privileged user accounts

• Regular data backups and tests of your data restoration processes

• Endpoint detection and response technology installed on servers and computers to detect any suspicious activity

5) Incident Response Plan

Businesses should have a plan in the event that they are the target of a cyberattack. The greatest variable in an attack’s size and impact is how quickly and efficiently an organization can respond. A good incident response plan (IRP) should outline internal and external stakeholders and their responsibilities.

One immediate benefit of cyber insurance is that the policy will provide access to essential first responders, including legal counsel, technical forensic investigators and crisis management. The IRP should include information on how to access these resources, including key contact information.

Unfortunately, it is not uncommon for an insured to not have this information at their immediate disposal and to attempt to manage the matter on their own. Most companies are not equipped to manage this situation, and it can end with unfortunate results. Organizations should monitor and update their IRPs regularly and include all policy resources.

6) Understand Repercussions

Because of the increasing occurrence of these attacks, companies would do well to work under the assumption that they will have an attack. Have the ability to quantify the impact of hourly operational disruption so you can align those estimates with appropriate insurance proceeds and balance sheet protection.

According to Coveware, the average length of operational disruption resulting from a ransomware attack in Q4 of 2021 was 20 days. Most Cyber insurance policies provide coverage for business interruption that is subject to a waiting period (e.g., 8 hours). Only the amount of lost income above that threshold is covered. Having the ability and data to document the cost of your hourly operational impact will also expedite the business interruption claims process.

7) Carrier Loss Control

Many cyber insurance carriers will provide access to a wide variety of complimentary pro-active loss control tools. These are mutually beneficial solutions and should be incorporated into overall cyber risk strategy. One example is non-invasive network vulnerability scans throughout the policy year. The results provide additional real-time insight into your risk profile. A common issue is the failure to patch vulnerable software. Scanning is the same approach a hacker may take, and it can allow the insured to implement changes before a loss may occur.

Cyber is an enterprise risk and needs to be treated accordingly. There are no silver bullets for this complex and evolving risk category. Cultural awareness, pro-active mitigation and a thorough risk transfer solution are the most effective risk treatments.