It has been less than a year since the last Cybercrime article but in that short time things have continued to change at a staggering rate.

As touched upon in the October 2015 article, cybercrime attacks are very much different from what the world has experienced in the past. Attacks no longer have to come from large well organized forces, one individual with bad intentions can cause a significant amount of damage. Couple this with the fact that there is little or no repercussion an attacker feels he/she can do whatever they want.

There are thousands of cyber criminals worldwide who are not just looking to break into large corporations but in fact, are looking to target small or medium sized companies as traditionally they are much easier to hack and can often offer access to a larger target.

Not so long ago if a criminal wanted to break into a company and steal money or trade secrets they would have to physically go to that place and try to “pull it off” without getting caught. Now a cyber criminal can sit at home in his/her living room in his/her pajamas half way across the world and push a few buttons to get what they want. No longer do terrorists have to use violence and fear to cause fear and disruption, they can sit at a computer and tamper with a city’s water or power supply from home. There are thousands of cyber criminals worldwide who are not just looking to break into large corporations but in fact, are looking to target small or medium sized companies as traditionally they are much easier to hack and can often offer access to a larger target. As has often been said by people involved in the cyber security field … Hackers only need to be successful once, but companies need to be successful repelling or defending against these attacks all the time.

From a security perspective it is now a well known truth that it is impossible to keep up with potential threats. Regardless of what new encryption or security we have put in place someone is always thinking ahead of us to try and subvert it. In a 2016 60 minutes episode Mr. John Brennan, the current director of the CIA, reported that his email had been breached which in his words, “proved that nobody is safe”. This type of thinking was also prominent amongst IT specialists who spoke at a Canadian Cyber Security Seminar recently attended by the writer.

It is extremely difficult to know the exact number of intrusions or breeches that are taking place as, in Canada, there is currently no requirement for companies to report them. However, it is anticipated that by the fall of 2016 the breach notification sections of Bill 5-4 (The Dig ital Privacy Act) will become law and that is expected to dramatically change the cybercrime landscape. This will be addressed in greater detail later in this article.

It is expected that the current intrusion rate is greater than anyone suspects. On March 31, 2016 the Department of Homeland Security (DHS) and the Canadian Cyber Incident Response Center (CCIRC) issued a joint statement to address the staggering number of Ransomware attacks. On February 5, 2016 the same bodies issued a statement about avoiding social engineering and phishing attacks, and the list goes on.

In the past, we would look to insurance as a means of protection against risks beyond our control but for this particular type of loss insurers are still trying to catch up to this fast changing environment. There are now a number of insurers writing cyber coverage policies in Canada but underwriters continue to be faced with some difficult questions such as how to determine and fix an annual premium for a risk that has no historical data and becomes more sophisticated and dangerous with each passing day. A 2015 IBM study on the average cost of a data breach found it to be $3.8 million in the US or an average of $145 – $154 per stolen record. What kind of limits can underwriters offer with those types of exposures? The consequence of these concerns is that cyber policies we keep evolving as cyber crimes change and in al l likelihood the cyber policies that we write today will, in 5 years, feel like they were written in the Stone Age.

Insurers are not the only ones trying to keep up, unless you are technically inclined (a techie) this can all be somewhat difficult to grasp, and with more and more devices being built with some sort of chip we can expect more and more incidents, new developments, terminology and of course cyber crimes.

Cyber terminology is now a part of our daily lives but how many of us know what some of this terminology really means? A portion of this article has been dedicated to some of the everyday terminology that can sometimes be difficult to comprehend so let’s look at a few of these terms, such as …

“The cloud”

When this term was first introduced it mystified people, where is this cloud located? It’s obviously out there somewhere, but where? Is the data floating around in space waiting to be retrieved?

When someone refers to “the cloud” they are actually talking about Cloud Storage which is essentially when digital data is stored on a server that is typically owned by a hosting company. By storing your data this way it is easily accessible from anywhere at anytime. Being stored in the cloud simply means the data is not being stored on your device. These cloud storage facilities can be located anywhere around the world. The term “icloud” simply refers to data storage system from Apple Inc. for your Apple devices.

Somethings you should look for when choosing a cloud based service are

  1. Where are the servers located
  2. What security or redundancies do they offer
  3. In what country or jurisdiction do they operate as th is may affect what information they are required or able to release
  4. Up time numbers (how often has the data been unavailable)
  5. References, are you dealing with a reputable company
  6. Storage capacity and cost

Ransomware

This is presently the most popular type of cyber crime attack being performed by cyber criminals against businesses and individuals.  Just imagine that you wake up one day, rub the sleep out of your eyes, and boot up your laptop expecting to see a Twitter feed or Facebook profile, in stead you’re greeted with a big red image, demanding that if you don’t pay $200 to an unknown party in the next 24-hours, everything you know and love on your computer will be erased, and gone forever. That is ransomware.

In some instances, your computer will work, but each time you try to click on a Web page ads for pornographic websites appear on your screen. The ads cover the portion of the page you’re trying to view. As you can you imagine this would be incredibly disruptive to your life and could you imagine if this happened while you were sitting at work? Another version of the virus might put time pressure on the victim, stating that a piece of your data will be destroyed every 30 minutes if you don’t pay up.

The attacker attempts to force you to purchase a program or an encryption key to de-encrypt your data. The criminals often ask for a nominal payment, figuring you’ll be more likely to pay to avoid the hassle and heartache of dealing with the virus.

The attacker attempts to force you to purchase a program or an encryption key to de-encrypt your data. The criminals often ask for a nominal payment, figuring you’ll be more likely to pay to avoid the hassle and heartache of dealing with the virus. They may ask for as little as $10 to be wired through Western Union paid through a premium text message or sent through a form of online cash such as a bitcoin. Once the ransom is paid an encryption key and instructions are usually provided to the victim but there are plenty of stories of ransom being paid but the encryption key not being provided or where the encryption key is provided by the hacker but in such a way that he victim st ill has to go through the process of decrypting their data every morning.

The following list represents some basic preventative measures you can implement to reduce the odds of your device being attacked, but as we have come to realize it is almost impossible to prevent it. Experts advise taking these steps not only to reduce the odds of an attack but to protect you after an attack:

  1. Always use reputable antivirus software and a firewall. It is important to use antivirus software from a reputable company because there is a lot of fake software out there.
  2. Back up your computer as often as is practical. If you back up files to either an external hard drive or to an online backup service, the threat is not as disabling. “If you have backed up your information with a reliable device you can simply wipe your computer clean and start over with a new install if you come under attack.
  3. Enable your popup blocker as these are a prime tactics used to infect a computer. If a popup appears, click on the X in the top right-hand corner. The buttons within a popup might have been reprogrammed to do different things than what they say, so do not click on them.
  4. Be cautious by not clicking on links inside emails, and avoiding suspicious websites. If your computer does come under attack, use another computer to research details about the type of attack.
  5. If you do come under attack disconnect from the Internet so your personal data isn’t transmitted back to the perpetrators. If you have backed up your data, you can re-install software.

Firewall

A firewall works like a filter between your computer/network and the Internet. You can program what you want it to keep out and what you want to allow in. Another way of looking at it is that a firewall is a layer of protection that should be used in conjunction with other security measures to prevent an intrusion by an unwanted source.

Internet of Things

Commonly called loT, the internet of things is a very interesting topic and warrants a discussion paper all by itself. Put simply, the loT refers to the connectivity of devices over the internet so they can talk to you, each other or applications. More devices are being made with Wi Fi capability and with sensors. The most talked about examples are those that are soon to be implemented such as a smart fridge that could text you when you were out of milk or juice or a smart home heating device that would recognize when you leave the home and automatically turn down the heat. What if, after it woke you up, your alarm clock could communicate with your coffee maker and tell it to brew your coffee . What if you car was connected to your calendar and would determine the most efficient way of getting to your next appointment, and send a text to that person letting them know exactly what time you will be there. If things continue to evolve it will be only a matter of time before all the machines can talk to each other in an effort to create more efficient humans. It sounds like something straight out of Star Trek, but it could very well be our reality sooner rather than later.

Bitcoin

A Bitcoin is a decentralized digital currency, commonly known as the currency of the cyber industry. It was first issued in 2009 and what makes it attractive to a large portion of the population is that it can be transferred between people without the involvement of a bank. Currently there are more people in the world with access to a computer than there are to a bank.

The value of a bitcoin is determined by what someone is willing to pay for it however as there are a finite number of coins the currency is not deflationary. There will only ever be 21 million bitcoins in circulation at any given time which helps the currency maintain its value. A bitcoin account can be set up easily and quickly as opposed to setting up a conventional bank account. There are no transaction fees and the account holder can remain anonymous.

More and more small businesses are accepting bitcoins as there are no service fees attached like there are with credit cards. However, the greater the usage of bitcoin, the more incentive there may be for the government to regulate this type of currency.

Malware

Quite simply put this is software that compromises the operation of a system by performing an unauthorized function or process. Malware can often form part of a phishing email and take the form of a virus, Trojan horse, spyware as well as other hostile or intrusive software.

Conclusion

In June 20 15 the Digital Privacy Act (Bil l 5-4), an Act to amend the Personal Information Protection and Electronic Documents Act (PIPEDA), received Royal Assent and became law. However, the sections dea ling with breach notification regulations are still being fine tuned and will not come into effect until a later date which has not yet been announced but is expected to be in the fall of this year. The breach notification sections of the Act will create an explicit obligation to notify individuals in cases of breeches, and report incidents to the Privacy Commissioner of Canada (OPC) if it is “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual”. While this wording may be open to interpretation there will soon be a legal requirement to report a breach which will ultimately increase the awareness of the general public and push the corporate world to demand more options for insurance coverage.

As the cyber industry continues to flourish and intertwine itself with our day to day lives there will undoubtedly be more and more cyber crimes, cyber terminology and inevitably cyber insurance. These are most certainly interesting times.

Clive Wayne, CIP, CRM is the principle at CW Claims & Risk Inc., specializing in a diverse range of claims with a strong knowledge of cyber related investigation.