As the situation in Ukraine worsens, many cyber experts are predicting that Russia may retaliate against Western government sanctions with denial-of-service or virus-based attacks. Where there are older, legacy systems in the public sector or in large companies, there could be a risk. On the other side of the coin, new tech like crypto and NFTs also presents an opportunity for hackers, fake ID fraud and more. IE got some expert comment this week:
THE LEGACY ISSUE
Dan Alexander, Head of Threat Intelligence, BAE Systems Digital Intelligence commented:
Complex and unwieldy legacy systems can present security issues and threats for major public sector organisations – as indeed they still do for some large companies across a number of business sectors including insurance. With criminals changing their tactics constantly, and new threats arising as old ones are closed down, it’s difficult enough to fight off cyber attacks on streamlined up-to-date systems, let alone if you’re dealing with old inflexible networks.
The obvious answer is updating, which of course everyone wants to do. But for the public sector, the impact of the pandemic, cost restrictions, reduced workforce and human priorities has made it especially hard to focus on IT in the last couple of years. For the public sector the foremost challenge is the issue of sensitive personal data security, and we have seen their exposure to that in recent high profile hacking cases that have affected UK charities and health and education bodies.
In 2020 for example the Blackbaud data breach saw many UK patient records, plus student information, being held to ransom. Many of the records involved people seeking help for mental health and anxiety, so the data was particularly sensitive.
The rise of telemedicine – online consultations and treatment – which was hugely accelerated by the pandemic, also presents clear opportunities for criminals to strike. Robust and constantly updated security systems and response plans, and awareness training for employees, are obvious and important tools in the fight against cyber attacks and hacking.
But just as important is cross-border and cross-organisational collaboration and information-sharing – which BAE Systems supports via our global Intelligence Network of more than 2000 cyber and financial crime experts – and the public sector has a key role to play.
CRYPTO & NFTs
Aaron Cain, Cyber Security Consultant at Altus, had this to say on the rapid rise of NFT investments and crypto/coin insurance.
Businesses and individuals have traditionally acquired tangible property and expected Insurers to protect them. Digital assets like NFTs and NFT Coins are intangible, meaning they are easier to acquire, harder to value and more difficult to establish ‘Authenticity / ownership’. Still, insurers are expected to cover the increasingly high valuations of these new assets which have attracted the attention of Bad Actors.
Criminals set up Fake Markets, create Fake NFTs and conduct email, voice and social media attacks. Standard malware is being adapted to steal NFT Private Keys or take over online Accounts which will lead to a proliferation of ransom demands linked to high value intangible assets.
The result: Insurers will need to go to increasing lengths to strengthen policies by:
- Establishing NFT provenance and ensuring authenticity
- Educating their customers on how to be safe online
- Clearly communicating caveats that will come into effect if customers do not follow policy guidelines
For the protection of both insured and insurers, sponsored development may be required of facilities to validate NFTs and allow secure storage, access and trading of these new digital assets for high-net-worth individuals and businesses.
IE caught up with Jose Seara, Founder and Chief Executive Officer of cyber risk specialist DeNexus, and asked some questions on current cyber/NFT threats:
So far the war in Ukraine hasn’t led to a huge cyber attack, as predicted some weeks ago. Does that show infrastructure systems are getting better at spotting and defending against organised attacks?
“At the moment we don’t have all the information we need to make that assumption – I am afraid that there is far more going on than what is known right now or being reported,” said Jose Seara, CEO of DeNexus, a provider of cyber risk modeling for industrial organisations, global (re)insurers and insurance linked securities (ILS) investors.
“Another element to note right now is the fact that we don’t have a valid base line – the defence systems in the last weeks are likely not what can be considered a standard. We have a long way to go in terms of defending against organized attacks and while improvements have been made in infrastructure systems, we still have a long way to go.”
Does the rise in NFTs and coins open up businesses to a new wave of cyber attacks and ransom demands? How can insurers educate their clients on this payment method?
“It is likely that the rise in NFTs and coins will lead to a new wave in cyber-attacks and ransom demands. This is a new “untraceable” currency and can be used for things that love hiding in the shadows.
“What we need with clients is education about the risks associated with these payment methods. And we need to say these payment forms are not acceptable.”
Hybrid working means using mobile hotspots, public Wi-Fi etc – what’s the latest advice on protocols and best practice that brokers and insurers can offer to clients?
“We need to look at more than just protocols and best practice and focus on education and training. To be honest, the standards and protocols are already there – so they don’t need the advice, just implementation, training and enforcement.”
Is the public sector still too dependent on legacy systems and does that leave them open to major terror/cyber attacks by rogue actors or States?
“Yes, yes and yes! And while I agree with these statements there is another factor – teams that do not have enough budget to do their work properly.”