Recently, HBO suffered a massive data breach. The hackers stole unreleased episodes of Game of Thrones and have been leaking them before they are broadcast. Episodes of other shows were also stolen. The hackers grabbed 1.5 terabytes of data including sensitive internal documents.
Adam Levin, the Chairman and Founder of CyberScout, has written about the HBO breach with some very interesting insights. Adam is a consumer advocate with more than 30 years of experience and is a nationally recognized expert on cybersecurity, privacy, identity theft, fraud, and personal finance. A former Director of the New Jersey Division of Consumer Affairs, Adam is Chairman and founder of CyberScout (formerly IDT911) and co-founder of Credit.com.
Adam Levin is the author of the book Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves. The book is a terrific guide for how people can protect themselves in a harrowing world of cyber threats and scams. It is detailed, practical, accessible, and engaging. Swiped has been a bestseller on Amazon.
Below, I interview Adam to elaborate on the HBO breach and related issues.
Q: You recently have been focusing on the HBO data breach and cybersecurity insurance. You have indicated that cyber insurance policies have some notable gaps in coverage. Can you discuss what these are?
Levin: Business policies historically have focused on tangible assets such as buildings, equipment and inventory. But the technology revolution has changed the game. In a remarkably short span of time, the value of business data and intellectual property has skyrocketed far beyond that of any physical plant, and therein lies the gap.
Today the insurance industry knows how to price policies to cover certain recovery costs in the event of a data breach, such as restoring systems, notifying victims and paying fines. But the HBO hack highlighted the hidden costs of a data breach, such as the loss of proprietary data and a damaged reputation. Underwriters don’t yet know how to account for these hidden costs, which can severely undercut the value of a large organization and be an extinction-level (or near extinction-level) event for a small or mid-sized company.
Q: The cyber insurance industry is still in its infancy. In what ways should it evolve?
Levin: Underwriters and insurers need to figure out how to offer all businesses—especially small- and medium-size companies—more granular kinds of cyber policies that actually account for risk and provide value to the paying customers. They’ve been agonizingly slow to move in this direction, even though the path forward seems obvious. There still is no industry consensus about the use of standard terminology, for instance, even though this could easily be done by leveraging the terrific work of the National Institute of Standards and Technology.
Adoption of a lingua franca would set the table for advances in a couple of key areas. One is partnering with cybersecurity vendors to eliminate the weak excuse that there isn’t enough data available to triangulate complex cyber risks. The truth is that mountains of network health data get generated on a daily basis and there is plenty of innovative technology to mine it. The insurance industry should also seize a leadership role in incentivizing companies to adopt security best practices and policies. This would lead directly to the formation of a larger pool of acceptable-risk clients happy to pay reasonable premiums year after year to offset the final bit of cyber risk. A classic win-win.
Q: What are the most important underappreciated security or privacy risks that organizations face? If you were briefing a corporate board well-educated on privacy and security, what issues do you think you’d highlight that they might not be fully aware of or fully appreciate?
Levin: Organizations have come to rely heavily on perimeter defenses such as firewalls, intrusion detection systems, honeypots and virtual private networks, which definitely have their place. However, the vast majority of successful breaches continue to revolve around the human factor: tricking an employee to click on an email attachment or a web link that ultimately gives an attacker deep network access, or hijacking an employee’s logon and using it to roam the network. Continuous employee awareness training and enforcement of robust data security policies are crucial. So are incident response planning, vulnerability patching and penetration testing. But these things aren’t sexy, so they continue to get short shrift in all too many companies.
Q: Ransomware has received a lot of attention lately. It seems like the most frightening horror villain out there. Are the fears warranted? Are there other risks out there that are as serious?
Levin: Ransomware remains a scourge. Unfortunately we have yet to experience its worst forms. The WannaCry attack last May pioneered the use of cyber weapons stolen from the NSA to rapidly spread ransomware attacks to hundreds of organizations within a matter of hours. The similar Petya campaign followed in June. More sophisticated variants are sure to come.
Many healthcare and financial services organizations—prime targets over the past few years—have significantly tightened up their cyber defenses and made themselves harder targets. But as WannaCry and Petya showed, cyber extortionists will continually seek out the weak and vulnerable with innovative attacks. Companies that aren’t doing security- and disaster-recovery best practices (for example—updating and upgrading software and operating systems or using “air-gapped” back-up systems) will have no choice but to pay a ransom to restore their systems.
Another rising threat is botnet-driven account takeovers. A botnet is a collection of thousands of infected computers and virtual machines in the Internet cloud under the control of one attacker. Crime rings are loading up botnets with millions of stolen names and passwords and instructing them to carry out “brute force” hacking routines, testing these ill-gotten logons at multiple websites until access is gained. The account then gets drained, used in a money laundering operation or leveraged to access a corporate network.
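The botnet-driven account takeover Levin describes leaves a recognizable trace in authentication logs, and the defender's problem is that the distributed form of it defeats simple per-IP rate limits: each infected machine may try only one stolen credential pair. The following detector is an added example written for this post, not code from the interview or from CyberScout; the log line format, the field names and the sample log lines are constructed for the illustration. It looks for two signals: one source trying many different usernames in a short window, and many sources each making only a few failing attempts in the same window, and in both cases it reports the accounts where an attempt succeeded, since those are the credentials that need to be reset.

```python
"""Credential-stuffing detection over authentication log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the interview). The line format
# below is an assumption made for this example:
#   <ISO timestamp> auth result=<ok|fail> user=<name> src=<ipv4>
SAMPLE_LOG = """\
2017-08-10T12:00:01 auth result=ok user=alice src=198.51.100.5
2017-08-10T12:00:09 auth result=fail user=bob src=198.51.100.7
2017-08-10T12:00:15 auth result=ok user=bob src=198.51.100.7
2017-08-10T12:03:00 auth result=fail user=carol src=203.0.113.10
2017-08-10T12:03:01 auth result=fail user=dave src=203.0.113.10
2017-08-10T12:03:01 auth result=fail user=erin src=203.0.113.10
2017-08-10T12:03:02 auth result=fail user=frank src=203.0.113.10
2017-08-10T12:03:02 auth result=ok user=gina src=203.0.113.10
2017-08-10T12:10:00 auth result=fail user=u1 src=192.0.2.1
2017-08-10T12:10:01 auth result=fail user=u2 src=192.0.2.2
2017-08-10T12:10:01 auth result=fail user=u3 src=192.0.2.3
2017-08-10T12:10:02 auth result=fail user=u4 src=192.0.2.4
2017-08-10T12:10:02 auth result=fail user=u5 src=192.0.2.5
2017-08-10T12:10:03 auth result=ok user=u6 src=192.0.2.6
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Return an event dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def parse_log(text):
    """Parse every well-formed line; malformed lines are silently skipped."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def find_spraying_sources(events, window=timedelta(minutes=5), min_users=5):
    """Signal 1: a single source trying many distinct usernames within `window`.

    Returns {src: {"users": <distinct usernames tried>, "hits": [users that logged in OK]}}.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # slide a window starting at each event
            span = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in span}
            if len(users) >= min_users:
                hits = sorted({e["user"] for e in span if e["result"] == "ok"})
                flagged[src] = {"users": len(users), "hits": hits}
                break
    return flagged


def bucket_start(ts, window):
    """Floor a timestamp to the start of its fixed-size time bucket."""
    secs = int((ts - EPOCH).total_seconds())
    return ts - timedelta(seconds=secs % int(window.total_seconds()))


def find_distributed_stuffing(events, window=timedelta(minutes=5),
                              min_sources=5, min_fail_ratio=0.5, max_attempts_per_src=3):
    """Signal 2: many sources, each making only a few attempts, failing against many
    usernames in the same bucket. This is the botnet pattern that per-IP limits miss.

    Returns {bucket_start: {"sources": n, "users": n, "fail_ratio": r, "hits": [...]}}.
    """
    buckets = defaultdict(list)
    for ev in events:
        buckets[bucket_start(ev["ts"], window)].append(ev)
    flagged = {}
    for start, evs in sorted(buckets.items()):
        sources = {e["src"] for e in evs}
        users = {e["user"] for e in evs}
        fails = sum(1 for e in evs if e["result"] == "fail")
        ratio = fails / len(evs)
        per_src = len(evs) / len(sources)
        if len(sources) >= min_sources and ratio >= min_fail_ratio and per_src <= max_attempts_per_src:
            hits = sorted({e["user"] for e in evs if e["result"] == "ok"})
            flagged[start] = {"sources": len(sources), "users": len(users),
                              "fail_ratio": round(ratio, 2), "hits": hits}
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("single-source spraying:", find_spraying_sources(evs))
    print("distributed stuffing:", find_distributed_stuffing(evs))
```

On the sample log the first signal flags 203.0.113.10 (five usernames in three seconds, with a successful logon for `gina`), while the second flags the 12:10 bucket, where six addresses each made exactly one attempt and one of them succeeded for `u6`; the ordinary traffic at 12:00 trips neither rule. The thresholds are illustrative and should be tuned against a site's real baseline of failed logins, and the "hits" list is the actionable output: accounts to force a password reset and a second-factor challenge on.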
Q: What are the best things organizations can do to limit their risk?
Levin: One of the most effective measures is to implement a comprehensive vulnerability management program. By continually evaluating itself for issues that may lead to breaches, a business can get a little bit more secure every day. This should include periodic vulnerability scans and network penetration testing and user account reviews, and a data assessment and segmentation program. Too many companies have “flat” networks in which most systems can be accessed by more users than necessary. By creating privacy zones, and methodically parsing access, an organization can dramatically cut the risk of a consequential breach.
Q: What are the greatest risks that consumers face? What are some of the best things consumers can do to protect themselves?
Levin: It depends upon the individual consumer and how she or he views different types of risk. For some, fraudulent use of a payment card account might be devastating, especially if it involved significant ATM withdrawals. For others, that may be a trivial inconvenience, knowing banks don’t hesitate to make victims whole and swiftly issue new account numbers. For most people, identity theft in support of a large fraudulent transaction would be traumatic. This could be a faked tax return where a refund is diverted or a drained brokerage or bank account due to a manipulated wire transfer. For others, compromised medical files or medical insurance due to the theft of PHI could be life threatening. For still others, being arrested for a crime they didn’t commit—because a thief stole their identity and made sure the trail of evidentiary breadcrumbs led back to the victim—could be devastating.
In my book Swiped, I discuss the 3 Ms.
- Minimize your risk of exposure (by reducing your attackable surface): Never authenticate yourself to anyone unless you are in control of the interaction, don’t click on suspicious links or open attachments unless you confirm the identity of the sender, don’t over-share on social media, always disable location services to prevent geo-tagging, be a good steward of your passwords (for example, use long and strong passwords, or use a password manager), change manufacturer default passwords on IoT devices, enable two-factor authentication wherever available, use fake facts when setting up security questions, secure mobile devices and update whenever patches or upgrades are available, safeguard sensitive documents, shred and consider a credit freeze.
- Monitor your accounts and your identity: Check your credit report religiously, keep track of your credit score, review major accounts daily (or sign up for free transaction alerts from financial services institutions), review Explanation of Benefits Statements, and consider purchasing sophisticated credit and identity monitoring programs.
- Manage the damage: When alerted to an identity compromise, deal with it right away. Check with your insurance agent, financial services rep or the HR Department where you work to see if your insurer, bank or employer offers a program that provides access to trained fraud resolution experts to assist victims through identity incidents. You may be pleasantly surprised to learn that one of them does—for free or at a significantly reduced price—as a perk of your relationship.
Adam’s book is Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves. I highly recommend it.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 4-7, 2017 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.