Over the past few years, insurance carriers have been taking major hits on liability claims due to security breaches because many liability policies have had at least some limited amount of cyber insurance coverage in the past.  Some carriers have even paid out claims under business interruption insurance.  I saw one claim for nearly $500,000 paid out under a business interruption policy for what amounted to a really bad virus infection.

Things are changing and you need to understand the impact on your business.  Here are a few tips:

  1. Many insurance carriers are now writing explicit exclusions into general liability policies for cyber-related information security breaches.

  2. Where coverage for information security breaches remains, it is now subject to very strict limits unless you have added a specific rider to increase it.

  3. Cyber liability policies vary greatly between carriers.  It’s not like the more common coverages like property and casualty, life or auto. You need to shop around and have a good broker help explain the differences.

  4. Cyber liability coverage comes in many forms: Errors & Omissions (E&O), network security, information security, breach notification, intellectual property loss, etc.  Make sure you get the coverage you need for the type of data you hold as well as the type of loss you could suffer.

Many brokers just don’t understand this new and complex cyber insurance market.  I understand you may trust and love your current broker.  Have them explain the coverages to you and then find someone who specializes in the cyber market and have them review it with you again.  You don’t want to have an information security breach just to find out what you thought was covered under your liability insurance isn’t covered at all.

Wednesday, January 28th is the 8th Annual Data Privacy Day led by the National Cyber Security Alliance (NCSA).  On this day, consumers and businesses are reminded and encouraged to check the security of their personal information and learn how to keep it better protected.  Learn more about Data Privacy Day and find out ways to protect your data: http://staysafeonline.org/dpd.

Also, don’t forget to join Data Privacy Day (@DataPrivacyDay) tomorrow on Twitter for a conversation about different topics pertaining to privacy and data stewardship. Just use the hashtag #ChatDPD.

 

SSL has been obsolete for some time now.  It had a useful life and now it needs to go away.  During many of our penetration tests or ethical hacks, we find SSL is alive and well.  There is no information security if you are using SSL today.  It’s broken beyond repair.  Don’t use it or you are inviting someone to hack you. 

The POODLE attack is a serious threat to information security.  It works against the CBC padding in SSL 3.0 and can be triggered by any client that can be pushed down to that version, so the only real fix is for the server to refuse SSL 3.0 entirely.  For some reason though, many web servers still allow browsers to negotiate all the way back to SSL v3.0.  To give you some perspective, TLS 1.0 superseded SSL 3.0 in 1999, TLS 1.1 was released in 2006 and TLS 1.2 in 2008.  I get the whole backward compatibility thing but seriously, browsers have supported TLS since early last decade.  That’s nearly 15 years folks.  It’s time to implement a process to progressively stop supporting browsers that don’t support security.  We have no problem forcing out older browsers which don’t support the cool new functionality that makes our updated websites look so rich and full featured.  Why not do the same thing for security to prevent hacking?
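As an added example (not code from the original post or from Integrity), the script below asks a server the one question that matters for POODLE: will it still complete an SSL 3.0 handshake?  It builds the SSL 3.0 ClientHello record by hand and classifies the first record the server sends back, because current OpenSSL and Python builds refuse to negotiate SSL 3.0 themselves and so cannot be used to ask.  The sample server replies are constructed for the example, not captured from any real host; the hostname and port passed to `probe` are assumed to be systems you are authorised to test.

```python
"""Probe a TLS endpoint for SSL 3.0 support (the precondition for POODLE).

Added example; not part of the original post. It speaks the SSL/TLS record
layer directly because modern TLS libraries no longer offer SSL 3.0 at all.
"""
import os
import socket
import struct

SSL3_VERSION = b"\x03\x00"        # {3,0} is SSL 3.0; {3,1}..{3,3} are TLS 1.0..1.2
RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02

# SSL 3.0-era suites to offer. The first three are CBC suites, which is what
# POODLE actually exploits; RC4 (0x0005) is included so the probe still gets a
# ServerHello from hosts that removed CBC but left the protocol enabled.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]


def build_sslv3_client_hello(client_random=None):
    """Return one complete SSL 3.0 record carrying a ClientHello."""
    if client_random is None:
        client_random = os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client_random must be exactly 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSL3_VERSION                                # client_version = {3,0}
        + client_random                             # gmt_unix_time + random
        + b"\x00"                                   # session_id length 0
        + struct.pack("!H", len(suites)) + suites   # cipher_suites vector
        + b"\x01\x00"                               # one compression method: null
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([RECORD_HANDSHAKE]) + SSL3_VERSION
            + struct.pack("!H", len(handshake)) + handshake)


def classify_response(data):
    """Interpret the first record a server returned to an SSL 3.0 ClientHello.

    "sslv3-accepted"  ServerHello with server_version {3,0}: POODLE-exposed.
    "sslv3-refused"   Alert record (typically protocol_version or
                      handshake_failure): the server declined SSL 3.0.
    "other-version"   ServerHello for some other version (non-conformant,
                      but seen from broken middleboxes).
    "no-response"     Connection closed with nothing sent.
    "unknown"         Not a TLS record at all (e.g. plain HTTP on the port).
    """
    if not data:
        return "no-response"
    if len(data) < 5:
        return "unknown"
    rec_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if rec_type == RECORD_ALERT:
        return "sslv3-refused"
    if (rec_type == RECORD_HANDSHAKE and len(payload) >= 6
            and payload[0] == HANDSHAKE_SERVER_HELLO):
        # ServerHello body starts at payload[4]; first two bytes are server_version.
        return "sslv3-accepted" if payload[4:6] == SSL3_VERSION else "other-version"
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Send the SSL 3.0 ClientHello to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        data = b""
        while True:
            if len(data) >= 5 and len(data) >= 5 + struct.unpack("!H", data[3:5])[0]:
                break                           # first record is complete
            try:
                chunk = sock.recv(4096)
            except (socket.timeout, ConnectionResetError):
                break
            if not chunk:
                break
            data += chunk
        return classify_response(data)


# Constructed sample replies (not captured from any real server) so the
# classifier can be exercised offline.
SAMPLE_SSLV3_SERVER_HELLO = (
    b"\x16\x03\x00\x00\x2a"              # record: handshake, version 3.0, 42 bytes
    + b"\x02\x00\x00\x26"                # ServerHello with a 38-byte body
    + b"\x03\x00" + bytes(32)            # server_version 3.0, 32-byte random
    + b"\x00" + b"\x00\x2f" + b"\x00"    # empty session id, AES128-CBC-SHA, null compression
)
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x00\x00\x02\x02\x46"   # fatal protocol_version (70)
SAMPLE_TLS12_SERVER_HELLO = (
    b"\x16\x03\x03\x00\x2a" + b"\x02\x00\x00\x26" + b"\x03\x03" + bytes(32)
    + b"\x00" + b"\x00\x2f" + b"\x00"
)

if __name__ == "__main__":
    for name, sample in [("sslv3 hello", SAMPLE_SSLV3_SERVER_HELLO),
                         ("alert", SAMPLE_PROTOCOL_VERSION_ALERT),
                         ("tls1.2 hello", SAMPLE_TLS12_SERVER_HELLO)]:
        print(f"{name:12s} -> {classify_response(sample)}")
```

Run `probe("your.host.example")` only against hosts you are authorised to test.  A result of `sslv3-accepted` means the server-side fix is still outstanding: remove SSL 3.0 from the protocols the server is willing to negotiate (in nginx, for example, an `ssl_protocols` line that lists only TLS versions), then re-run the probe and expect `sslv3-refused`.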

Read more: SSL is Dead, Long Live SSL!

I’d like to call on college professors to listen to me for a few minutes.  I’ve been a strong proponent of higher education even though I originally dropped out of college.  I eventually went back to finish my degree, but only after I had been in the workforce for about 8 years.  (Kids, if you read this, stay in school.  I chose a hard road that worked for me but it won’t for most others.)  I am finding, however, a fairly large gap between what colleges are teaching and what the real world needs.  This has been a trend for several years and we need to reverse it if a college education for information technology careers is going to maintain its relevance.

If you are responsible for teaching anything in computer science, CIS, MIS or a similar program, please consider the following:

Read more: Calling all Computer Science Professors and Deans

So the LizardSquad has taken responsibility for the DDOS attacks on the Microsoft Xbox Live and Sony PlayStation networks over the past couple of weeks.  The attacks were nothing special though.  DDOS is simply an attack where you throw more junk at something than it was designed to handle.  Pour a gallon of water into an 8oz glass and it’s going to overflow.  I could always drink from a 128oz glass to ensure I never lose a drop of water, but what’s the point?

While DDOS attacks are real and their effects have serious consequences, there is nothing clever about them in most cases.  They are simply a collection of compromised machines all turning their resources to overwhelm a victim that wasn’t prepared.

Read more: LizardSquad Takes Credit for Xbox Live and PlayStation Network Outages

Thousands of payment card terminals became nothing more than small boat anchors last week.  The card terminals became a “brick” after a cryptographic key expired.  Funny thing, the key was created in 2004.  This means it hadn’t been updated in 10 years.  How exactly is this PCI compliant?  Management of cryptographic keys, including defined cryptoperiods and key changes when those periods end, is an explicit requirement of PCI DSS.  Security of card terminals is quite often the responsibility of the terminal vendor, but organizations have a duty to perform vendor management to ensure their systems are safe.  This week, ask your card terminal vendor when the cryptographic keys were last changed or updated, and when they next expire.

The team at Integrity wishes you and your family a very Merry Christmas season.  We pray that you are able to stop and reflect on this as a season of hope and will share it with those close to you.

Contact Information

Birmingham Office

205.568.5506


Des Moines Office

515.965.3756


Kansas City Office

913.991.8724