Cybersecurity for Fire Protection Districts
When hearing of data breaches in the news, most people think of big corporations such as Target, Chase & Equifax. Large companies with sensitive information have been targets of cybercriminals for years. Many have heard in more recent years that smaller companies have become the victims of a data breach as well. Some wonder whether Fire Protection Districts are, or will be, targets of a potential data breach.
Insurers have been offering insurance policies that protect against data breaches for many years. “Cyber Liability” protection became available as a standard option for Fire Protection Districts around five years ago. Discussion of the data breach coverage often raises the question, “Is this additional protection necessary for a Fire Protection District?” Until recently I didn’t have a good answer to that question.
In March of this year, the Fire Chief of a local Fire Protection District called me in the early evening and stated that multiple people in the department had received emails containing personal information with links to click. Some people had clicked on the links. It was immediately noticeable once the hyperlinks had been clicked that their computer network was acting differently, and it seemed entirely possible that files were being taken from their server. Understandably everyone was concerned. The Fire Chief’s questions to me were, “What do we do?” and “Do we have coverage for this?” They had purchased Cyber Liability coverage, and their insurer was instrumental in engineering the response to the breach.
Before the breach occurred, the administration of the District felt quite comfortable with the protection that was in place. They were spending money and trying to provide protection. The following protections were in place:
In-house Tech Services Manager
Outside tech consulting agency – used for larger projects on an as-needed basis.
Junk mail filter
Password protected computers
I mention these things because when the topic of breach protection comes up, many people tell me they are taking similar measures and feel quite comfortable with the effort that is being given. Unfortunately, even if these things are in place, it doesn’t mean a breach won’t occur.
Anatomy of the Breach
The forensic investigation of this breach uncovered that the attack on the District had been aided by a previous breach of one of their vendors that stored personal information of District employees. The previously breached personal information was used in the emails to District employees, which made them feel more comfortable clicking the links in the email. Once these links had been clicked, files were installed on the District server. Some of the files were key-tracker viruses (keyloggers) that would allow the hackers to see passwords as they were typed into computers. Other files were not to become active until a later time but ultimately would help the hackers steal more information.
The Breach Consultant
As soon as the claim was made, the insurer hired a breach consultant. The consultant directs the entire response and is responsible for the following:
Forensic investigation – a thorough investigation of how the breach occurred, what info was taken, what was installed from foreign sources, and what could have prevented the breach.
Verification of all files – everything is removed from the server, “cleaned”, and replaced.
Notification – various laws require notification of anyone who potentially has been affected by the breach. In many cases, these letters must be sent by certified mail.
Credit Monitoring/Protection – this protection provides peace of mind to the affected individuals, but it also reduces the potential liability. If the credit monitoring can prevent the breached information from being used nefariously, there are fewer damages involved in a potential lawsuit.
Post Breach Changes
This District is now concerned with reducing their risk of a future breach. They have taken several steps to increase cybersecurity:
Junk mail filter – A filter was in place before the breach, but it wasn’t providing adequate protection. The sensitivity had been set very low. The sensitivity of the filter is now much higher. Users must check their filtered mail each day to see if something was caught that should not have been. The District acknowledges that this is less convenient for users, but a conscious trade-off is being made to increase security at the expense of convenience.
Passwords – Passwords are now required to be more complex and changed at regular intervals. Again, less convenient, but necessary.
Network remote access – The District previously allowed people to access the network from home or other places. This practice has been eliminated to control access to the network better.
Password protecting documents – Files with personal information that are kept on the District network are also now password protected. This practice adds another layer of security. Even if a hacker accesses the network, they may not be able to access the sensitive information in the files.
Firewall update – The firewall that was in place when the breach occurred was not substandard, but there were more modern, more powerful versions available. In fact, at this District, the Tech Services Manager had suggested the District may want to upgrade the firewall (pre-breach). This upgrade was on the list of projects to complete, but it was not their highest priority. After the breach occurred, upgrading the firewall was one of the first changes that were made.
Employee training – An outside firm was hired to provide training to all employees on best practices for computer usage and breach warning signs. Now everyone is more knowledgeable about how to prevent breaches in the future.
Use of technology and the associated risks are part of today’s workplace. Cybercriminals continue to change the tactics they use to attack. Sharing of information between Districts regarding breaches and protection strategies is important to increase awareness. Additionally, I recommend you contact your insurance agent to discuss the level of protection provided by your current insurance policies.
Published in the Summer 2018 issue of FireGuard by the Northern Illinois Alliance of Fire Protection Districts (NIAFPD)