A quick reminder on cyber security

On the one hand, as LMI builds our brand in the UK, I am being inundated by emails regarding the EU General Data Protection Regulation (GDPR), which applies in the UK and is aimed at giving consumers more control over their personal data. At the same time I am getting hit daily with emails purporting to be from legitimate companies such as Microsoft, asking me to change or confirm my password.

This is despite LMI investing significantly, on top of our already big spend, in cyber security.

At the end of the day it really comes down to all of us remaining vigilant and taking 10 seconds' thought to double check that an email is legitimate; if in doubt, don’t click on the link or open the attachment.

Every business needs to consider the benefits of cyber security insurance. It is a complex area, with policies ranging from basic through to great protection. As always, I recommend that advice be sought from an experienced broker.

Here is the email that I got this morning that prompted me to post this article.


Which small businesses have mandatory data breach reporting obligations? + 1st Quarter statistics

Another topic I have written a lot on is the Federal Government’s mandatory reporting regime.

I have been asked many times to explain the obligations on small business and so I outline them below. After that I provide some stats at a high level on the first quarter reporting.

From 22 February 2018, the Notifiable Data Breaches scheme (“NDB scheme”) requires a wide range of organisations to notify the individuals whose personal information is affected by a data breach that is ‘likely to result in serious harm’ to them. They are also required to notify the Office of the Australian Information Commissioner (“OAIC”).

The NDB scheme applies to organisations that already have obligations to secure personal information under the Privacy Act 1988 (Privacy Act). Generally, this does not include small businesses that have a turnover of $3 million a year or less.

However, there are a few exceptions. Organisations that fall under the following categories will have mandatory data breach reporting requirements, regardless of their size:

  • Health service providers (including, for example, private hospitals, day surgeries, medical practitioners, pharmacists, allied health professionals, gyms and weight loss clinics, childcare centres, and private schools);
  • Organisations that trade in personal information;
  • Credit reporting bodies;
  • Employee associations registered under the Fair Work (Registered Organisations) Act 2009;
  • Organisations that opt-in to being covered by the Australian Privacy Principles under section 6EA of the Privacy Act.

The NDB scheme will also apply to small businesses in these categories that are based overseas if they have an ‘Australian link’.

[Note: The Privacy Act generally extends to the overseas activities of an Australian Government agency (s 5B(1)). It also applies to organisations (including small businesses covered by the Act, outlined above) that have an ‘Australian link’ (s 5B(2)). An organisation has an Australian link either because it is, in summary, incorporated or formed in Australia (see s 5B(1A) for more detail), or where:

  • it carries on business in Australia or an external Territory, and
  • it collected or held personal information in Australia or an external Australian Territory, either before or at the time of the act or practice (s 5B(3)).

Further information about entities that are taken to have an Australian link is available in Chapter B of the APP Guidelines.]

Tax File Number (“TFN”) recipients (which is any person in possession or control of a record with TFN information) will also need to comply with the NDB scheme in relation to their handling of TFN information. This means that if TFN information is involved in a data breach, a TFN recipient will be obligated to meet the requirements of the NDB scheme.

Organisations that are not covered by the NDB scheme are encouraged to use the information on notifying individuals under the scheme to create or review their data breach response plans.

Being transparent when a data breach occurs is central to meeting community and consumer expectations. 94% of Australians believe they should be told when a business loses their personal information. Informing individuals about a data breach is one step that organisations can take to demonstrate that they take their responsibility to protect personal information seriously.

And as a practical measure, notifying individuals at risk of harm can provide them with the opportunity to reduce their chances of experiencing harm. For example, individuals can resecure compromised online accounts. This can reduce the potential impact of a data breach overall.

As always, I recommend that every business and organisation review or develop a business continuity management plan, obtain (or review) their cyber insurance, and discuss the many and varied options available with their insurance broker.

Now to the 1st Quarter reporting stats:

Key statistics from the first quarterly report include:

  • Top five sectors that notified the OAIC of eligible data breaches included health service providers (24 per cent of notifications), legal, accounting and management services (16 per cent), finance (13 per cent), private education (10 per cent), and charities (6 per cent).
  • 78 per cent of eligible data breaches were reported to involve individuals’ contact information. 33 per cent were reported to involve health information and 30 per cent to involve financial details.
  • 51 per cent of the eligible data breach notifications received indicated that the cause of the breach was human error. 44 per cent of breaches were reported to be the result of malicious or criminal attack, and 3 per cent the result of system faults.
  • 59 per cent of data breach notifications reported that the personal information of between one and nine individuals was affected. 90 per cent of data breach notifications related to breaches involving the personal information of fewer than 1,000 individuals.

The key point for me here is that just over half were through human error. No matter what systems we have in place, people risk is our greatest risk in so many areas of our organisations, and cyber security is no different!

Are fines imposed on SME’s for data breaches fair?

As from 22 February 2018, legislation now requires Australian businesses covered by the Privacy Act to report eligible data breaches.

I have heard that there have already been an average of 10 notifications a week but this figure was on social media and I have not been able to verify the number.

I appreciate that we all have a duty to protect the personal data of our customers and employees, but I question whether fines imposed on any company that is breached are fair and reasonable.

Today the news is all abuzz about how Facebook was hacked. There have been reports of countless hacks of major international businesses and even sensitive government departments.

The issue of what is reasonable has been mulling around in my head for a while. It started last year, when LMI’s head of cyber security presented a board paper seeking an upgrade of our company’s security and additional funding to cover the introduction of new software solutions. As we take cyber security very seriously, all the recommendations were adopted and the capital expenditure approved.

A few weeks later I was meeting with a new client and in passing they advised that they had upgraded their security system and had spent exactly 50 times more than we had. Admittedly the client was an insurer with a much greater turnover, a much larger customer database and, one would therefore think, greater exposure. Having said this, the amount they had spent was greater than the gross profit of our organisation, so it simply was not feasible for us to mirror their efforts.

Having said that, the same hacker could be targeting LMI as well as them, and despite what to us was a significant expenditure I have to think we will be more vulnerable than the insurer.

I am also concerned about the number of SMEs that are using cloud-based services such as Xero and MYOB’s new accounting systems. Employee data can be held there, and the question is who would be fined if there was a breach of the cloud provider?

The other point that I would make is that, after attending a number of conferences and hearing a number of computer security experts who carry out penetration testing, I am of the firm opinion that everyone has been hacked but the attackers have so much data already collected that they have not used it as yet. The infographic at the end of the post shows the number of reported breaches during the first half of 2016. If you compare this to the first half of 2017, in which 1,901,866,611 data records were reported compromised, you can see the massive increase (343%) in just one year.

The point to keep in mind is that in some countries, including Australia, organisations did not have to report breaches during this period, and so the figures are not complete.

With this background, I question whether levying a fine on an organisation that has taken reasonable steps within its budgetary constraints is fair and reasonable, or whether it is just another form of hidden taxation on SMEs.

The reality is that reporting of breaches is now mandatory and the penalties for not notifying a breach are, correctly, more serious. Therefore businesses that do suffer a breach need to report it immediately.

If fines will ensue, then every business needs to rethink its attitude to cyber insurance and, if it does not have the cover, consider obtaining the protection, making sure of course that it provides cover for any fines or penalties to the extent the law allows them to be insured.

While PolicyComparison.com does provide a detailed summary of the features and benefits of the majority of cyber policies available in Australia, it is my recommendation to any organisation looking for cyber insurance to obtain the advice of an insurance broker to obtain the right insurance protection for them.

This is a class of insurance that is changing rapidly and, as with cyber security itself, it is not a set-and-forget issue. Both cyber security and the protection afforded by cyber insurance need to be reviewed constantly, the latter at least at each renewal.

The major risks facing business in 2018

Business Interruption, cyber attacks, and natural catastrophes are, not surprisingly to us in the industry, the leading business risks this year, according to more than 1,900 risk experts from 80 countries polled for the latest Allianz Risk Barometer.

The survey by Allianz Global Corporate and Specialty reveals that cyber attacks and business interruption remain the leading two risks in Australia. What remains disappointing is that both cyber and business interruption coverage is often not taken out by many small to medium enterprises, commonly at their peril.

I continue to urge all business owners and managers to discuss these and other risks with their insurance broker.

Changes to legislation/regulation and natural catastrophes are also high on the list.

To read the excellent full report please visit: http://www.agcs.allianz.com/insights/white-papers-and-case-studies/allianz-risk-barometer-2018/ 

I conclude with their very insightful infographic.


Be aware, Unicode URL phishing scams are on the rise!

LMI Group’s head of cyber security has issued the following warning to all of our team on the proliferation of phishing scams out there.

This is such an important topic I thought I would share it with you.

I found this to be one of the hardest scams to spot and one anyone could easily be caught out by.

This is a quick update to inform you about Unicode phishing scams. Below are screenshots of two different sites (one is legitimate and the other is a fake).

Now, see if you can spot the difference.

Site A: [screenshot]

Site B: [screenshot]

All looks OK at a glance, right? It even has a green ‘site secure’ SSL notification. However, notice what looks like a little comma under the ‘r’? That is an entirely different character, which means that we are not at bittrex.com; we are at a phishing site. A pretty clever one too, as it turns out.

Always make sure to check the URL properly before you enter credentials, and always type the URL into the browser instead of using Google search to find it.
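As an added illustration of the trick the warning above describes (example code written for this post, not LMI's tooling), the following Python checks a hostname the way a cautious user or a mail gateway might: it shows the Punycode form the address bar hides, flags labels that mix writing systems, and reduces the name to a "skeleton" to see whether it collides with a trusted brand. The sample hosts, the trusted list and the small confusables map are constructed for the demo; the look-alike uses U+0157 (Latin small letter r with cedilla), one character that renders as an "r" with a little comma-like mark beneath it.

```python
import unicodedata

# Constructed sample hosts for this illustration (not the screenshots from the
# post): the legitimate name and a look-alike whose "r" is U+0157 LATIN SMALL
# LETTER R WITH CEDILLA, which renders as an r with a small comma-like mark
# beneath it.
LEGIT = "bittrex.com"
LOOKALIKE = "bitt\u0157ex.com"

# Hypothetical allow-list of brands whose login pages staff actually use.
TRUSTED = ("bittrex.com", "apple.com")

# Hand-picked Cyrillic letters that render identically to Latin ones. This is a
# partial map assumed adequate for the demo; Unicode's confusables.txt is the
# full source.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}


def to_ascii(host: str) -> str:
    """The name as DNS resolves it: non-ASCII labels become Punycode 'xn--' labels."""
    return host.encode("idna").decode("ascii")


def scripts(label: str) -> set:
    """Writing systems used by the letters of one label, read from their Unicode names."""
    return {unicodedata.name(c).split()[0]
            for c in label if unicodedata.category(c).startswith("L")}


def skeleton(host: str) -> str:
    """Reduce a host to roughly what a human sees: drop accents and cedillas
    (combining marks left over after NFKD) and fold known look-alike letters to Latin."""
    out = []
    for c in unicodedata.normalize("NFKD", host.casefold()):
        if unicodedata.category(c) == "Mn":   # e.g. U+0327 COMBINING CEDILLA
            continue
        out.append(CONFUSABLES.get(c, c))
    return "".join(out)


def check_host(host: str) -> dict:
    """Classify a hostname as trusted, suspicious or unknown, with the reasons."""
    ascii_form = to_ascii(host).lower()
    findings = []
    if ascii_form != host.lower():
        findings.append("idn")           # the address bar may hide the xn-- form
    for label in host.split("."):
        if len(scripts(label)) > 1:      # Latin mixed with Cyrillic, Greek, ...
            findings.append("mixed-script:" + label)
    sk = skeleton(host)
    for brand in TRUSTED:
        if sk == brand and ascii_form != brand:
            findings.append("homograph-of:" + brand)
    if findings:
        verdict = "suspicious"
    elif ascii_form in TRUSTED:
        verdict = "trusted"
    else:
        verdict = "unknown"
    return {"host": host, "ascii": ascii_form, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for h in (LEGIT, LOOKALIKE, "\u0430pple.com"):
        print(check_host(h))
```

Browsers apply mixed-script and confusable rules of this kind when deciding whether to display a name in Unicode or in its xn-- form, and they do not always catch a single-script look-alike such as this one. That is why typing the address yourself, or looking for an xn-- prefix in the address bar, beats trusting the padlock: the green indicator only says that the connection to the phishing host is encrypted.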

Another Phishing attempt on me

Last year I reported on this blog just how close we came to being caught by a phishing (or whaling) attack when someone sent an email to our head of finance, purportedly from me, asking that a sum of money be transferred to a nominated account.

Following that we introduced several internal controls, including removing the names of all of our finance team from social media, our website, etc., and setting up two inboxes for all of our finance team: one for emails from internal staff and the other for emails from people outside team LMI.

This has worked a treat and we have picked up several further attempts while other staff outside of finance have also had emails claiming to be from me.
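Added here as an illustration of the controls described above, and not LMI's own mail configuration: a small Python classifier that sorts a message into the internal or external finance inbox by sender domain and lists the signs of a "please transfer this sum" email sent in an executive's name. The internal domain, the executive name and the two sample messages are hypothetical and constructed for the demo.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical policy values, not LMI's: the organisation's own mail domain,
# the executives whose names a fake "please transfer funds" email tends to
# borrow, and the words that mark a payment request.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
PAYMENT_WORDS = ("transfer", "wire", "payment", "urgent", "invoice")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(raw: str) -> dict:
    """Pick the finance inbox a message belongs in (internal or external) and
    list the impersonation signs found in its headers and text."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(sender)
    external = sender_domain != INTERNAL_DOMAIN
    findings = []
    if external:
        findings.append("external-sender")
    # Display name of a known executive on an address that is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and sender.lower() != expected:
        findings.append("display-name-impersonation")
    # Replies silently redirected to a different domain than the visible sender.
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("reply-to-mismatch")
    # Single-part text bodies only; multipart handling is out of scope here.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if external and any(word in text for word in PAYMENT_WORDS):
        findings.append("payment-request-from-outside")
    return {"mailbox": "external" if external else "internal", "findings": findings}


# Constructed sample messages (not the one LMI received).
SPOOF = """From: Jane Doe <jane.doe@example.net>
Reply-To: Jane Doe <j.doe.ceo@webmail.example>
To: finance@example.com
Subject: Urgent transfer before 3pm

Please transfer the attached invoice amount today and confirm.
"""

GENUINE = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Board pack

Could you send me the Q1 figures when ready?
"""

if __name__ == "__main__":
    print(classify(SPOOF))
    print(classify(GENUINE))
```

Header checks like these are a first filter only: the gateway should also verify SPF, DKIM and DMARC for the sending domain, and the control that actually stops the fraud is procedural, a call back to the executive on a known number before any transfer is made.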

We got another one today this time from what looks like Montenegro.

To assist the Australian Government in fighting this increasingly prevalent crime I reported the incident to the Australian Cyber Security Centre https://acsc.gov.au/ who within a few minutes rang and requested that I also report it to ACORN, the Australian Cybercrime Online Reporting Network https://report.acorn.gov.au/

It was much the same process, and why you have to report it twice I am not sure, particularly as they are both Federal Government departments and you would think that one form could go to both. It was not a really big deal, and I do urge everyone to start reporting incidents as quickly as possible in the hope we can slow or stop the attacks that are catching so many innocent people out.

While the new mandatory reporting has not come in yet, and this event, which did not cause any loss of personal data, would not fall within the new reporting regime, it is still important that all such attempts are reported even if you feel it will not help your particular circumstances.


Artificial Intelligence in Insurance

I read with interest an article passed along to me, ‘Artificial intelligence to replace human staff at Japanese insurance company’.

The article explains that a Japanese insurance company will be replacing more than 30 workers with artificial intelligence in the hope of increasing productivity by 30%.

The robots will perform many day to day tasks however final payments will still be processed by human staff.

What is the impact of this on the Australian industries?

The World Economic Forum projects a net loss of 5.1 million jobs over five years in 15 of the world’s leading economies. Professional services are a big target for robots and machine learning to take over day-to-day routine tasks.

While I would not call myself a Luddite, I am not sure that I, nor many insureds, are quite ready to allow artificial intelligence to look after something as important as my insurance program or all but the simplest of claims.


Cyber incidents continue to dominate global risks

The 3rd largest global business risk, as reported by Allianz in their latest report, is cyber incidents. Only 4 years ago this risk was ranked 15th, and it has since risen dramatically, unsurprisingly.

The sheer number of phishing emails and scams I receive each and every day is horrifying, and this is why businesses and individuals are getting caught out every day by these sometimes obvious scams. However, as outlined in our own close call with a scam, they are becoming more and more personal and tricky. This is why Steven and I have written Mannings Guide to Cyber Security & Insurance as a free e-book, for everyone to understand this risk, how to avoid it, and how to ensure you have the right insurance in place should you get caught out.

WA Today reported that “At least $37.5 million was swindled by fraudsters using online scam methods in 2015 – and that’s just based on 41,000 reports that year to the Australian Competition and Consumer Commission.” This is something we at LMI Group have encountered and were lucky enough to not suffer financially, however it was quite the scare and a stressful experience for us. (You can read my article posted back in July 2016 here).

The ACCC has also released ‘The Little Black Book of Scams’ to assist everyone in being able to spot these suspicious emails and avoid them.

Scam watch

I could just about start a separate blog for scam alerts there are so many different forms of email and phone scams of late. Here is just one to be wary of.


Fake Android apps are a genuine cyber threat to avoid


Browsing the Google Play Store on Android smartphone. 

As I carry out research to update Mannings Guide to Cyber Security, I found this warning regarding apps for Android mobile phones provided by CFC Underwriting in London. It read:

“Never, ever download apps outside of authorised app stores. Never. Attackers are using Gooligan malware as a launch pad for rogue Android apps aimed at stealing users’ data. According to security researchers, the best way to avoid being stung is by steering clear of dodgy app stores and sticking religiously to Google Play Store. There, at least, a number of controls are in place to detect fake or hostile apps.”

To read more please go to this link to Wired Magazine. https://www.wired.com/2016/12/never-ever-ever-download-android-apps-outside-google-play/
