CYBER BEST PRACTICES AT HOME
Tips to make your clients less-desirable targets for cybercriminals
By Christopher W. Cook
For risk managers, now more than ever is a good time to talk to your clients about cyber best practices in the home, especially with more individuals working remotely because of the pandemic.
Although I was born in 1980—that Gen X/Gen Y borderline—I can’t say that I’m a very “techy” person. I’m just now converting my old floppy discs to CDs; that’s right, CDs! And yes, my PC at home is old enough to still have an A-drive for floppy discs.
Every time I attend a conference session about cyber, there’s always a nugget of information where I think, “Wow, I didn’t think of that.” The October 2020 Private Risk Management Association (PRMA) Virtual Summit provided a session titled “Personal Cyber Risk Revealed: How to Protect Clients in a Digital World.” If you were unable to attend the event, there may have been something from this session that you might not have thought of, and that’s why I’m sharing this.
According to a Ponemon Institute study, “Eighty-six percent of adults are very concerned about how Facebook and Google are using their personal information, almost 70% are very concerned about their privacy when using devices online, and 66% of people are very concerned when shopping online and using online services,” said Bill Gatewood, senior vice president and national practice leader for personal insurance at Burns & Wilcox and also a PRMA board member.
Given the level of concern regarding online services, one would think that clients are asking their agents questions about cybersecurity and requesting information about policies. However, this doesn’t seem to be the case. How can agents start the initial conversation with their clients?
“I rarely go in talking about cyber risk or cyber fraud; that’s usually a bit too confrontational for people,” said Darren McGraw, president of Mechelsen Private Client in Seattle. “What I have found to be most successful in engaging with clients is relating cyber to other risks that we’ve approached.”
Some examples are discussing the client’s home security system and segueing the conversation to cybersecurity. Another example could revolve around teenage drivers.
“They may have expectations of their children to protect their family car,” McGraw said. “Ask: ‘What other items do you expect your kids to be responsible for maintaining control and safety of?’ For example, bring up access to credit card information on their phones and computers. How do you expect them to protect the family in their management of the device or the information?
“Find issues they’re comfortable talking about and then turn it into a discussion where cyber might be involved. I think our industry is the best positioned to do what’s necessary to help families respond to this exposure. Many of my cohorts and peers probably don’t consider themselves to be technical experts, but think about your family clients—they’re not experts either. Talking about cyber is not just an obligation but a huge opportunity for agents.”
What are some of the current cyber threat trends affecting homeowners and families?
“In the last year alone, there were over 15 billion compromised records,” said David Derigiotis, senior vice president and national practice leader for professional and cyber insurance at Burns & Wilcox. “Every single time we communicate electronically, a little digital trail is left behind, a little bit more information is accessed, and it’s shared. It’s compromised again and again. Maybe it’s our date of birth or our email address or passwords; it’s all out there.”
“We hear about data breaches so often that it’s almost become the car alarm that’s going off in the background that no one pays attention to anymore,” added Gatewood.
“It’s nearly 100% certain that your information is out there,” said Derigiotis. “It’s likely the third certainty in life: You have death and taxes and you have data breaches that are going to lead to identity theft and fraud.
“A lot of the information ends up on the Dark Web, an area of the internet that is not indexed by search engines and requires specific software to access,” he added.
The Dark Web can be accessed through a browser called Tor—the onion router—which uses an anonymous and encrypted format with numerous connection points “so it’s done with privacy in mind,” Derigiotis said. The Dark Web is commonly known for illicit activities such as selling firearms and drugs, hiring someone to carry out an illegal task, or accessing compromised information.
A common practice that leads to compromised data is individuals using the same log-in information across multiple platforms.
“So many people use the same email address and password for the different services they’re accessing, and even if they use a different password, chances are they’re using that same email address that’s been involved in data breach after data breach,” Derigiotis said.
Criminals at work
What can cybercriminals do once they’ve gained access to your email address?
“If somebody gets access to your email account, they’ll be able to unlock so many areas of your digital life,” Derigiotis said. “They may not need to know the password to get into your bank account, but if they have access to your email, they can look at your correspondence. They can intercept a password reset code and from there be able to log in.
“That’s the problem with using one email address for so many different things. That email account is critical to your online identity and your online life.”
Derigiotis recommends using different email addresses for different kinds of services, e.g., one address for financial institutions, one for social media accounts, and so on. That way if you receive an email from your bank in your inbox for the email address you use for social media, you should know that the message is fraudulent because your banking institution wouldn’t have that email address.
If you use one primary email address, think about the number of websites it is used for. Do you use the same one for social media and fast food ordering as you do for bank accounts and investments? Do you save your credit card information on websites from which you purchase products?
“So many different carding forums on the Dark Web are selling your credit card information right now,” Derigiotis said. “Ten cards can be available from $100 to $500. It’s very inexpensive overall, and it’s very sophisticated.
“These services are so sophisticated that along with the credit card information they’re selling the proxy information, so it can look like the criminals are logging in from wherever it is that the cardholder resides. Cybercriminals are looking to take advantage of a variety of vulnerabilities, and they piece all these things together to get a full puzzle.”
Sometimes only a few pieces of the puzzle are needed to create a fraudulent identity.
“Maybe they’re taking one person’s first and last name and using someone else’s date of birth and Social Security number to create an ID,” Derigiotis said. “This implicates two people and gets them both tangled up.”
Gatewood shared that four employees at his office of about 300 people had experienced some kind of cyberattack within the past year.
“Two of them had unemployment benefits fraudulently taken out in their name, another one lost $12,000 that was transferred out of their bank account into another bank account that was quickly closed thereafter, and one employee got a call from a finance company wanting to know when he was going to start making payments on the two Mercedes he purchased, which he had no clue was done in his name,” he said.
An increased cybersecurity concern as a result of the COVID-19 pandemic is Wi-Fi network security, especially with more people working remotely.
“We’re using all of these connected devices that are set up on a wireless network, and if you don’t properly secure, protect, or anonymize your Wi-Fi, you could be exposing your entire network,” Derigiotis said. “If criminals know where to look, they can view different streets and specific home addresses to see if they are broadcasting a Wi-Fi signal.”
This process called war driving involves downloading an app to one’s phone and then driving around neighborhoods or places of business to steal their data.
“As they drive, the software on their phone is collecting all of the different Wi-Fi information emanating from all of these buildings and residences,” said Derigiotis. “Criminals can collect this Wi-Fi data on hundreds of thousands of residents and businesses, and they can upload and share this information to a specific website.”
Someone can then log into that site, look up a specific address and see if somebody has driven by and shared its Wi-Fi information. Cybercriminals can also discover which networks are operating with an outdated form of encryption on the same site.
“They have somebody’s specific Wi-Fi name and the latitude and longitude,” Derigiotis said. “They can put that into Google Maps and pull up the exact address of that individual. And knowing that the household is operating with out-of-date security, they could simply pull up in front of that house and access their network directly. They would be able to see every single device that’s on the home network and would be able to reroute any of the traffic.
“You need to be mindful about naming your Wi-Fi network,” he added. “If you use your family name, you’ve given up some privacy. Are you simply using the out-of-the-box router without changing the username and password?
“Some people want to get their internet set up quickly. The Wi-Fi name might be Linksys or NetGear. What they’re doing is broadcasting the specific manufacturer or router they’re using. A Google search can give cyber- criminals the default username and log-in for a NetGear router. Without changing anything, you’re giving somebody the digital keys to your entire home,” Derigiotis said.
“People probably don’t realize that the biggest day in their cyber world exposure is the day their internet provider installed Wi-Fi in their house,” Gatewood added.
An additional method for cyber- criminals to obtain information is through videoconferencing networks.
“With a simple Google search, cybercriminals are able to pull up publicly available Zoom meetings—whether or not they were intended to be public,” Derigiotis said. “We hear about Zoom bombing—people coming into classes, creating havoc, and disturbing the entire learning environment for children. This also happens in business settings, where people are listening passively to important discussions, or even at the government level. When you share these Zoom links in a public fashion, somebody may be looking for them.”
What can you do to make it more difficult for cybercriminals to gain access toy our information? The session participants shared five tips.
- Place a credit freeze with each of the credit bureaus. “A freeze will prevent anybody from taking out a line of credit without your permission,” said Gatewood. “Even with a freeze on your credit, insurance scoring can go through, due to new legislation that’s been put in place.”
- Use a password manager. “A lot of them are free, and just because they’re free doesn’t mean they’re not good,” said Gatewood. Derigiotis shared LastPass and Bitwarden as examples of vendors that provide free services. KeePassXC can be downloaded directly to your local computer and not even touch the internet.
- Perform software updates regularly. Keep all products updated with security software. This one’s easy enough.
- Revisit the router; no default username/passwords. “Change your router name from time to time and make sure your passwords are new and fresh,” Gatewood said.
- Use multifactor authentication (MFA) as an added layer of security. “Before you’re allowed to go into a website, they will call, text or email you a code; it’s a second layer of security that a lot of financial institutions use,” Gatewood said. Derigiotis suggested Authy and YubiKey as tools for two-factor authentication. “Having some kind of second factor is critical, because if cyber criminals can’t get into your account, they’re just going to move on to the next person,” he said.
Collaborating with Node International, a London-based MGA, Burns & Wilcox is assisting its clients on the cybersecurity front with its recently launched Cyberman365 tool.
“It’s full, proactive protection for the digital well-being of your family and your home network,” said Derigiotis. “It’s not a traditional insurance product. It takes a look through the Dark Web, monitors social media accounts, looks for registered sex offenders in your area, and offers counseling services and full power of attorney for professionals who help get you out of any kind of fraud or identity theft entanglement that you may be experiencing.
“On the home protection side, it monitors your network and ensures that all of your devices are protected and up to date and that nobody from the outside is getting in.”
While all this may seem a bit intimidating, there’s no need to panic.
“These kinds of changes do not need to be done overnight. They are things that you can slowly start implementing to make yourself a bit more secure,” Derigiotis said. “You don’t need to go out instantly and get that password manager and remove all of your information from data brokers and freeze your credit and look to see where you’ve been compromised.
“Take baby steps. Implementing just a few of these will make you a much harder target,” he concluded.
For more information:
Burns & Wilcox
Mechelsen Private Client
Private Risk Management Association