Three Ways to Make Information Security a Habit During Project Management

With eyeballs rolling, they mumble, “Why do security people insist on stopping our projects?”

As information security (IS) professionals, we have seen this response from project managers (PMs), developers, and fill-in-your-favorite-role-here, when we have derailed a project due to an unplanned InfoSec issue.

What is an InfoSec Professional to Do?
Police chiefs don’t lock our car doors, nor do CISOs read application teams’ code. Because InfoSec is a lifestyle, not an event, we need a security culture. It takes a village. After reading this post you will have three tips for infusing security habits into a village of project managers.

1. Make it easy. According to BJ Fogg, Ph.D., founder of Persuasive Tech Lab at Stanford University, we are basically lazy. Want to make IS easy (or at least easier) for non-InfoSec professionals? Think like Jeopardy!’s Alex Trebek and get the participants to “ask the question.”

Start with your written InfoSec policies and standards. Summarize one or two into a question and work with your Project Management Office (PMO) to include the questions in a new project checklist to provide guidance.

Examples:

  • Building a mobile app? Refer to “Vulnerability Scan Standard.”
  • Outsourcing or working with third parties? Refer to “Outsourcing and Third Party Policy.”

2. Make it simple. Did you know that InfoSec training and experiences may yield Continuing Education Units (CEU) for certified project managers? For example, certified Project Management Professionals (PMP®s) may be eligible to earn CEUs if the InfoSec training meets the Project Management Institute’s criteria. Risk management is a knowledge and skills area for the institute, and PMPs need to recertify every three years. If you help PMP®s make that connection, it may mean reduced training costs and time, enhanced careers, and stronger InfoSec advocates; all factors in creating habits and a culture of village security.

3. Make it rewarding. Have a “Village Citizen of the Year”? Recognize her. Does a PM role model a good InfoSec practice? Take five minutes to recognize the specific behavior (example – uses the PMO “New Project” checklist to identify new mobile apps that require vulnerability scans). Fogg identifies “pleasure” (think: positive recognition email to boss) as a core motivator for changing behaviors.

What Next? Start Small. It is as Easy as 1…2…3

  1. Ask your PMO or individual PMs if a Jeopardy! approach would reduce project derailments and make InfoSec adoption easier. Then start with one question for the most frequently overlooked InfoSec standard or policy.
  2. Have an upcoming InfoSec event or activity where InfoSec learning may occur? Include in your invite: “Did you know that some InfoSec training may serve as CEU for certified or wannabe-certified project managers? Click PMI certifications to learn more.”
  3. Add a five-minute invite to your calendar to “Recognize PM once a month.” Example: To: Boss, cc: PM; “Just wanted to recognize PM for role modeling fill-in-the-blank InfoSec practice or attitude! Our organization, teams, and customers are better because of it. Great job, PM!”

Sources: BJ Fogg, Ph.D.; PMI

Luanne Spiros, CISM, PMP

[ISACA Now Blog]

Cyber Insurance Against Phishing? There’s a Catch

If one of your employees gets duped into transferring money or securities in a phishing scam, don’t expect your cyber insurance policy to cover it. And even your crime policy won’t cover it unless you purchase a specific social engineering endorsement. Many companies have learned the hard way and tried to sue their insurance carriers, with little luck.

Aqua Star, a New York seafood importer, expected to be covered after a spoofed email from a supplier drove an employee to change the supplier’s bank account, causing Aqua Star to wire more than $700,000 to a hacker instead of the supplier. Aqua Star has a crime policy through Travelers, which includes Computer Fraud coverage that applies to loss caused by the fraudulent entry of electronic data into any computer system owned, leased or operated by the insured. But when Aqua Star filed the claim, Travelers pointed out an exclusion if the data was entered by an authorized user. Aqua Star then sued Travelers, but the court agreed with Travelers, ruling that the employee was clearly an authorized user.

A similar phishing scam resulted in Apache Corp., an oil and gas producer, wiring $2.4 million to cybercriminals. Its insurance company, Great American, denied the payout, so Apache went to district court and won. However, Great American appealed to a higher court, which reversed the decision, saying the bogus email didn’t directly cause the loss.

What commercial cyber insurance policies do cover
Cyber insurance policies cover losses that result from unauthorized data breaches or system failures. But they vary greatly in the details and exceptions. Most will cover forensic investigation fees, monetary losses caused by network downtime, data loss recovery fees, costs to notify affected parties and manage a crisis, legal expenses, and regulatory fines.

When it comes to ransomware, you need to look closely at the policy’s Cyber Extortion coverage. If it offers only third-party coverage, then ransomware isn’t covered.

Crime insurance policies cover losses that result from theft, fraud or deception. But as the Aqua Star and Apache examples illustrate, insurers typically deny coverage for social engineering fraud, claiming that the loss didn’t result from “direct” fraud. Insurers contend that the crime policy applies only if a cybercriminal penetrates the company’s computer system and illegally takes money out of company coffers.

Some crime policies also contain a “voluntary parting” exclusion that specifically bars social engineering claims by barring coverage for losses that arise out of anyone acting with authority who voluntarily gives up title to, or possession of, company property.

Fishing for a solution? Add an endorsement
Many insurance companies offer a social engineering fraud endorsement, like this one from Chubb. It’s offered under a crime policy for a nominal additional premium. The coverage, sometimes referred to as an impersonation fraud or fraudulent instruction endorsement, is typically up to $250,000 per occurrence, with no annual aggregate, but higher limits are available for a higher premium.

The net lesson: a phishing endorsement is an easy fix to a potentially costly oversight.

Jeremy Zoss, Managing Editor, Code42

[Cloud Security Alliance Blog]

Palo Alto Networks Unit 42 Vulnerability Research December 2016 Disclosures

As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have reported six vulnerabilities that have been fixed by Apple, Adobe and Microsoft.

This includes two vulnerabilities in Apple WebKit, which impact iCloud for Windows, Safari, iTunes for Windows, tvOS and iOS:

  1. CVE-2016-7639: Tongbo Luo
  2. CVE-2016-7642: Tongbo Luo

This includes three code execution vulnerabilities affecting Adobe Flash (APSB16-39):

  1. CVE-2016-7873: Tao Yan
  2. CVE-2016-7874: Tao Yan
  3. CVE-2016-7871: Tao Yan

And this includes one memory corruption vulnerability affecting Microsoft Office for the Mac (MS16-148):

  1. CVE-2016-7263: Jin Chen

For current customers with a Threat Prevention subscription, Palo Alto Networks has also released IPS signatures providing proactive protection from these vulnerabilities.

Palo Alto Networks is a regular contributor to vulnerability research in Microsoft, Adobe, Apple, Google Android and other ecosystems. By proactively identifying these vulnerabilities, developing protections for our customers, and sharing the information with the security community, we are removing weapons used by attackers to threaten users, and compromise enterprise, government, and service provider networks.

[Palo Alto Networks Research Center]
