Tag Archive for: Decisions

Indiana companies face million-dollar decisions as ransomware attacks spike | News


FRANKLIN – In October 2021, Johnson Memorial Health went dark.

A cyberattack had infiltrated the health system’s networks and claimed to possess large amounts of patients’ personal information. The ransomware group was demanding a $3 million Bitcoin payment.

Rather than oblige, hospital administrators decided to go offline to determine the extent of the breach and prevent losing any more data, explained Dave Dunkle, president and CEO of the network.

Soon, hospital staff were operating in the digital dark age, using paper forms to document all their procedures. Couriers scurried between departments hand-delivering blood-draw orders. With monitoring equipment down, more nurses were called in to the critical-care unit to physically observe each patient.

“It was rough,” Dunkle said. “It was very rough.”

The ransomware group never got paid, but the attack still cost the healthcare system millions of dollars to deal with the fallout. More than two years later, the hospital still hasn’t recovered financially.

“You don’t get that lost business back,” he said. “With margins being so slim for community hospitals like ours, we’re still suffering from the lost income during the attack.”

‘PAIN POINT’

Johnson Memorial Health is just one of thousands of Indiana businesses and organizations struggling to rebound after being targeted by a malware or ransomware scheme.

In recent years, the amount of money lost due to internet crimes has skyrocketed across the state. In 2019, Hoosier victims reported losing over $24 million. Last year, that number more than tripled to $73.5 million, according to data from the most recent FBI Internet Crime Report.

That’s despite the fact the number of reported cybercrime victims in Indiana actually declined by around 1,000 since 2020, when nearly 12,800 fell prey to an attack.

During the first six months of this year, insurance claims for ransomware attacks increased nationally by 27% compared to the second half of 2022, according to Coalition, a company that sells cyber…


Part Five: Reviewing Key U.S. Insurance Decisions, Trends, & Developments | Hinshaw & Culbertson – Insights for Insurers


Cyber Security And Privacy Insurance Claims

This is the fifth installment of our series of articles reviewing some of the key trends and developments currently impacting the U.S. insurance industry.

To date, the vast majority of cyber coverage decisions have involved traditional first-party, third-party, and crime/fraud policies. Claims under these policies are commonly referred to as silent cyber claims. Most insurers in the cyber-insurance market have now issued several iterations of cyber-specific policies. Rulings under these policies are expected to be rendered with increasing frequency over the next couple of years.

  • Indeed, cyber-insurers experienced a steep increase in claims over the past couple of years, driven primarily by ransomware, often coupled with data extraction and business email compromise events. The costs associated with ransomware claims, in particular, have risen dramatically due to increased ransom demands, threats to disclose extracted data, and related business interruption costs. The pandemic-driven massive shift to remote work spurred additional cyber claims activity. As a result, industry leaders are anticipating a hardening of the cyber-insurance market, as well as increased premiums and underwriting scrutiny.
  • Zurich and Advisen’s 11th Annual Information Security and Cyber Risk Management Survey was released in October 2021.[1] Among the interesting findings, 83% of respondents now buy cyber insurance, with 66% carrying stand-alone cyber policies.[2] The survey concluded that triple-digit premium increases, vanishing capacity, shrinking coverage, and shifted expectations around baseline controls have joined long-term frustrations over inconsistent policy language to create a truly challenging renewal process for insurance buyers. Uncertainties around risk assessment and incident response are major concerns.[3]
  • According to the survey, ransomware has risen to the top of priority lists worldwide. For the first time, cyber extortion/ransomware has pulled even with data breach, with 95 percent of respondents selecting it as a coverage they expect to be included in their policies.[4] It was followed by data restoration at 90 percent, business…


Avoid complexity in data storage decisions


A little while ago, I faced the challenge of migrating a digital asset management system to the cloud. As part of this, I had to move terabytes of data from legacy hardware to a new provider. Add to this the fact that the storage hardware was based in a staffed office in a rural part of England with significantly limited internet speeds.

Ultimately, I managed to broker an agreement with a nearby datacentre to allow me to copy data physically to an external hard drive, plug it into a rented server in a third-party datacentre and then upload it to the cloud from the datacentre’s high-speed gigabit internet connection. Despite all the moving parts and security checks associated with accessing the datacentre, the plan worked surprisingly well.

Times have moved on and things have got easier. Nowadays, Amazon Web Services even offers a Snowball service in which it will physically send you hardware that you can load your data onto and send back to AWS for upload to the cloud. 

Cloud providers nowadays offer many different solutions to seemingly the same problem. One example of this is hybrid cloud storage, which allows companies to keep their data both on their own premises and in the cloud at the same time. When navigating the ever more complex landscape of new cloud products, it is important to bear simplicity in mind. Unnecessary complexity added now will simply result in greater headaches later on.

The remorseless pursuit of simplicity is a hugely advantageous trait for an engineer, but in many ways it flies in the face of human nature. In a recent study published in Nature, most participants favoured addition over subtraction when trying to solve a problem. For engineers, achieving simplicity rests in satisfying the business requirements without adding unnecessary complexity that makes future changes harder.

In the example of hybrid cloud storage, there are instances where such technology can be beneficial, for example where low-latency access speeds are needed on-site. Nevertheless, it remains essential to consider whether it is the simplest solution to meeting the requirements at hand.

Far too often, for different reasons, we adopt technologies


Troy Hunt at Black Hat Asia: ‘We’re making it very difficult for people to make good security decisions’


Have I Been Pwned founder’s keynote offered a sobering counterpoint to the well-meaning ‘World Password Day’


Imagine a parent’s terror when the geolocation of their child’s smart watch suddenly switches from tennis practice to the middle of the ocean.

This was precisely the scenario simulated by Ken Munro of UK infosec firm Pen Test Partners via exploitation of an insecure direct object reference (IDOR) vulnerability in an IoT device, and with help from Troy Hunt, creator of data breach record index Have I Been Pwned, and his daughter.

This was one of many eye-opening tales of shoddy security behind the “endless flow of data” into Have I Been Pwned recounted today (May 6) during Hunt’s keynote address at the all-virtual Black Hat Asia 2021.

Another API flaw in the TicTocTrack kids watch meant Munro’s colleague, Vangelis Stykas, successfully initiated a voice call through the device with zero interaction required from the wearer.

Logged into his own account, Munro also compromised other ‘family’ accounts by simply changing an identifier parameter. A subsequent security patch created an even more egregious regression bug.

Hunt also cited a purely physical intrusion that nevertheless “perfectly illustrates” his digital insecurity theme.

Having notified the vendor that he had dismantled their $47.99 biometric lock, a popular YouTube lock-picker was told the contraption was “invincible to people who do not have a screwdriver”.

Phishy email marketing

During his keynote, Hunt noted that even supposedly security-conscious organizations are “making it very difficult for people to make good security decisions”.

The infosec pro cited a ‘phishy’ email he received from Australia’s ANZ Bank featuring a suspicious, HTTP URL that redirected to another suspicious URL: ‘c00.adobe.com’.

The email turned out to be a genuine ANZ communication.

“Over and over again”, lamented Hunt, we see “legitimate organizations sending legitimate communications that are indistinguishable from phishing attacks”.

Australian infosec pro Troy Hunt delivered the Black Hat Asia 2021 keynote

Publicly accessible databases

Founded in 2013, Have…
