A massive Distributed Denial of Service (DDoS) attack on Oct. 21 that caused hours of outages and degraded access for more than 1,000 websites, including Twitter, Netflix, the New York Times, Amazon and others, got the world's attention.
Hopefully it has yours. Especially if you’re a business owner, or involved in a risk management strategy for a business, because it signals we’ve entered a new cyberworld and we all had better be paying attention.
In the words of Aldous Huxley, writing in Proper Studies, "Facts do not cease to exist because they are ignored."
There had long been chatter that cyber criminals could harness the Internet of Things (IoT) for subversive purposes, though the risk was often downplayed. The Center for Strategic and International Studies, for example, wrote in a February 2016 report that the "benefits of IoT outweigh the potential for harm, and one risk usually not considered is that premature or overreaching measures for security or privacy will stifle economic growth and innovation."
But the scale and coordination of the attacks on Dyn, a New Hampshire-based managed DNS provider, were unprecedented. Dyn's customers' own servers were never touched; because Dyn's name servers were flooded, browsers simply could not resolve those customers' domain names, and the sites became unreachable. And there's sure to be more to come.
Forescout Technologies, a security company, predicts that by 2018, two-thirds of enterprises will experience IoT security breaches. Already, an estimated 65 percent of enterprises have actively deployed IoT technologies as of June 2016, according to Forescout.
Among the IoT devices that can be hacked with disastrous, disruptive and damaging consequences:
—IP-connected security systems;
—IP-connected building infrastructure, such as climate control and energy meters;
—Smart video conferencing systems;
—Voice over Internet Protocol (VoIP) phones.
According to Forescout, these IoT devices help organizations run faster and more efficiently, but little regard has been paid to their security risk. Security is routinely sacrificed, and every unpatched device with a default password is an open door for attackers.
Brian Krebs, a highly respected security journalist at krebsonsecurity.com, has reported that the Oct. 21 DDoS attack was launched by a botnet built with Mirai, malware whose source code had been released publicly weeks earlier. Mirai does not exploit a software flaw; it takes over IoT devices such as digital video recorders (DVRs) and IP cameras, many of them made by a single Chinese manufacturer, by scanning the internet for open telnet ports and logging in with the factory-default usernames and passwords the devices ship with.
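One practical check that falls out of the description above: an infected DVR or camera behaves like a scanner, fanning out to many distinct public addresses on TCP/23 and TCP/2323. The script below is an added example, not code from the original article or from Krebs; it reads flow records in an assumed, simplified "timestamp src dst dport proto" format (not any real exporter's output) and flags internal sources whose distinct telnet-port destinations exceed a threshold. The sample flows are constructed for illustration.

```python
"""Flag LAN hosts whose traffic looks like Mirai's telnet scanner.

Added example, not code from the original article or any vendor.
Mirai spreads by probing random public addresses on TCP/23 (telnet)
and TCP/2323 and logging in with factory-default credentials, so an
infected DVR or camera fans out to many distinct destinations on those
two ports. The flow format used here ("timestamp src dst dport proto",
one record per line) is an assumed, simplified format for illustration.
"""
from collections import defaultdict

TELNET_PORTS = {23, 2323}

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = """\
# 192.168.1.40 (a DVR) sweeping the internet on 23 and 2323
2016-10-21T11:10:01 192.168.1.40 198.51.100.10 23 tcp
2016-10-21T11:10:01 192.168.1.40 198.51.100.11 23 tcp
2016-10-21T11:10:01 192.168.1.40 198.51.100.12 23 tcp
2016-10-21T11:10:02 192.168.1.40 198.51.100.13 23 tcp
2016-10-21T11:10:02 192.168.1.40 198.51.100.14 23 tcp
2016-10-21T11:10:02 192.168.1.40 198.51.100.15 23 tcp
2016-10-21T11:10:03 192.168.1.40 198.51.100.16 23 tcp
2016-10-21T11:10:03 192.168.1.40 198.51.100.17 23 tcp
2016-10-21T11:10:03 192.168.1.40 198.51.100.18 23 tcp
2016-10-21T11:10:04 192.168.1.40 198.51.100.19 23 tcp
2016-10-21T11:10:04 192.168.1.40 198.51.100.20 2323 tcp
2016-10-21T11:10:04 192.168.1.40 198.51.100.21 2323 tcp
# 192.168.1.10 (a workstation): web traffic plus one admin telnet session
2016-10-21T11:10:05 192.168.1.10 198.51.100.50 443 tcp
2016-10-21T11:10:06 192.168.1.10 192.168.1.40 23 tcp
# 192.168.1.22 hitting the same telnet host twice: repeats add no fan-out
2016-10-21T11:10:07 192.168.1.22 198.51.100.60 23 tcp
2016-10-21T11:10:08 192.168.1.22 198.51.100.60 23 tcp
"""


def parse_flows(text):
    """Parse the assumed flow format into (ts, src, dst, dport, proto) tuples.

    Blank lines and '#' comments are skipped; dport becomes an int.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        records.append((ts, src, dst, int(dport), proto.lower()))
    return records


def find_scanners(records, threshold=10):
    """Return {src: distinct telnet-port destinations} for sources at or above threshold.

    Counting distinct destinations rather than raw attempts keeps an admin
    who telnets to one device repeatedly from being flagged.
    """
    fanout = defaultdict(set)
    for _ts, src, dst, dport, proto in records:
        if proto == "tcp" and dport in TELNET_PORTS:
            fanout[src].add(dst)
    return {src: len(dsts) for src, dsts in fanout.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, count in sorted(find_scanners(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{src}: {count} distinct hosts probed on telnet ports")
```

On a real network the same logic runs over NetFlow or Zeek `conn.log` once the records are parsed; the threshold and the time window need tuning to the site, but a camera or DVR has no business opening telnet sessions to dozens of public addresses, so even a conservative threshold surfaces the infected devices quickly.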
Krebs also reports that Sen. Mark Warner (D-Va.) of the Senate Cybersecurity Caucus is pushing federal agencies for possible solutions and responses to the security threat from insecure IoT devices, such as the network of hacked security cameras and digital video recorders that were compromised in the Oct. 21 attack.
Warner has written letters to the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and the Department of Homeland Security (DHS), in which he calls the proliferation of insecure IoT devices a threat to the resiliency of the internet. “Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support,” Warner wrote. “And buyers seem unable to make informed decisions between products based on their competing security features, in part because there are no clear metrics.”
Warner isn't finished. He continues, "Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a 'tragedy of the commons' threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none. Further, buyers have little recourse when, despite their best efforts, security failures occur."
A 2014 survey by Kaspersky Lab found that DDoS attacks cost large businesses an average of $444,000 in lost revenue and subsequent IT spending, while small- to mid-size businesses can lose $52,000 per incident. And that was two years ago. What's the price tag today? Is your company prepared for those types of losses?
The study found that almost 5 percent of the surveyed firms, across sectors including IT/technology, e-commerce, telecommunications, media, construction/engineering and finance, had suffered a DDoS attack that year. And the threat is only increasing.
It is absolutely essential that a cyber risk insurance policy meet the needs of the business. From an insurance perspective, a captive insurance company is an excellent option: it can be set up as cyber-specific, or it can add multiple coverage lines to an existing program. Insurance only transfers the financial loss, however; it does nothing to close the door. At a minimum, businesses should commission a third-party review of their current security posture, including an inventory of the internet-connected devices on their networks, to reduce their exposure before the inevitable cyber incident.