THE ECONOMIC BLUEPRINT: Social engineering - new cyber or been here before?

(This week, Kyle Zwiren welcomes guest columnist Ari Dolgin.)

Autonomous cars, drones, artificial intelligence, the cloud, Internet of Things, 3D printing, augmented reality -- the world is becoming connected at an ever-increasing rate and the implications for security, privacy, and legal matters can't be overstated.

Just last week, I was flipping through my streaming TV app, when I came across a classic of all classics, "What About Bob?" Without hesitation, I mic-dropped the remote, ratcheted the lever back on the recliner, and immediately was thrust into the world of the 90s.

While 30 years ago seems a distant past compared to the digital age of today, many of the same security exposures we currently face were prevalent back then as well, especially social engineering, or tricking someone into willfully divulging information or making a payment to a fraudulent account.

Let's take a closer look at "What About Bob?" In the movie, Dr. Marvin, the psychiatrist played by Richard Dreyfuss, plans a vacation with his family to Lake Winnipesaukee and tells his call center to block all incoming calls and not to give out his vacation address. Just like many of us today, Dr. Marvin was making a concerted effort to conceal his location and protect his privacy.

Unfortunately, Dr. Marvin didn't plan on his neurotic and phobia-ridden patient, Bob Wiley, using a bit of social engineering (aka trickery) to track him down. Bob, played by Bill Murray, first contacts the call center and is denied access to Dr. Marvin, just as any good firewall would provide an initial layer of protection to a network. He then shows up disguised as a detective, stating Bob Wiley had suddenly passed. And with that, Bob was able to acquire Dr. Marvin's address and surprise him on vacation.

That technique of social engineering, or tricking someone into willfully divulging information such as credentials or personal data, is the most common starting point of all cyber incidents, according to Chubb's Cyber Index. The bad actors not only look for passwords and personal information they can leverage, but oftentimes they intercept invoices from third-party vendors, change the routing number, and then forward the invoice along to its destination. The unsuspecting recipient may pay the invoice as usual, to the new account, only to find out later that it was fraudulent.

A robust cyber insurance policy with social engineering coverage typically covers payments to fraudulent accounts; however, there may be a special sublimit for this coverage. One way to reduce this type of risk is to use a second method of communication to confirm every outbound payment. While you might think this is overkill for certain scenarios, it will likely save you money in the long run and may even be a requirement in your cyber insurance policy.

If this seems overwhelming, not to worry: lean on the experts. A big part of what I do as an insurance broker is help organizations understand their true exposures and provide best practices to keep them resilient. Gallagher CORE360 is our unique comprehensive approach of evaluating risk management programs across six cost drivers of the total cost of risk, including coverage gaps, contractual liability, and loss prevention programs. We consult with organizations to understand all of their actual and potential costs, and offer strategic options to reallocate these costs.

In many industries and across businesses of all sizes, there is a constant undertone of opposing forces when it comes to convenience versus privacy and security. It will be up to your organization, your broker, and trusted advisors to determine your ideal risk posture and then build systems around it. That could include creating a more effective process to confirm payments, determining how best to restrict access to information, establishing and testing an incident response plan, etc.

In the face of the digital avalanche rumbling towards us, we might want to take a page out of Dr. Marvin's fictional in-movie book, "Baby Steps," and consider integrating at a slower, more manageable pace, to truly address the actual and potential exposures. Regardless of the speed at which your organization embraces new technologies, it's a good idea to consult with your broker on the total cost of risk. With deep cyber expertise and extensive resources at Gallagher, I am here to help.

--------

Ari Dolgin is a senior account executive at Gallagher. He can be reached via email at Ari_Dolgin@ajg.com.

Attorney Kyle Zwiren works with Financial Architects Inc., an independently owned company located in Farmington Hills. Zwiren and his team serve attorneys and other professionals to help them design financial plans in line with their goals and based on optimal efficiency. He practiced law prior to becoming a Financial Architect and left the practice to follow his passion. To talk to Zwiren about other topics featured in The Economic Blueprint, email him at kzwiren@financialarch.com or call him at 248-482-3622.

Published: Fri, Mar 27, 2020