“Cyber” derives from “cybernetic”, which in turn comes from a Greek word meaning “skilled in steering or governing”. Compare this with a modern derivative, “cyber terrorism”, which Wikipedia defines as “the politically motivated use of computers and information technology to cause severe disruption or widespread fear”. Little could those ancient Greeks have imagined how their linguistic contribution would be turned into such a threat, or how an online world could pose so many risks to so many. Sounds like good old-fashioned scaremongering, doesn’t it? Or so I thought, until I happened to attend an Insurance Institute of Ireland conference titled “Cyber Insurance – Understanding The Risks” and learned about the true nature of cyber crime in all its forms.
At the conference, a number of respected thought leaders in their respective fields spoke of how the increase in online activity by organisations globally has left many exposed to a variety of online threats, including data breaches, hacking, financial fraud, ransom demands and sheer unadulterated theft. With the rise in businesses transacting over the web, rather than running the more traditional “brochure ware” sites (which contain mostly static content), organisations are increasingly exposed to risks that heretofore were not conceived of. Businesses in any industry or sector are open to the threat of an online attack simply by doing business online, as the cyber criminal community actively seeks out routes by which it can obtain and access data, and by failing to keep up with the technology required to mitigate this risk.
Apparently one of the leading methods of extorting cash from a business is to hack into the company’s website and run a “Distributed Denial of Service” (DDoS) attack, immobilising the website, and then demand cash for its reinstatement. The advanced nature of these cyber attacks means that hackers now regard websites as potential cash cows, on the basis that their information assets are valuable and can therefore be monetised.
Other methods of cyber attack, some of which I was loosely familiar with, were also mentioned. These included “phishing” (the attempt to acquire sensitive information, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication); “pharming” (pronounced “farming”, a form of online fraud very similar to phishing, as pharmers rely upon the same bogus websites and theft of confidential information); “vishing” (a telephone scam that attempts to coerce the user into surrendering private information that will be used for identity theft); “spear phishing” (a more targeted form of phishing, where an email that appears to be from an individual or business you know, but isn’t, arrives in your inbox; usually sent by criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your PC); and “trojan phishing” (a program that pretends to be legitimate software but, when launched, performs a harmful action). There are several methods by which a criminal can potentially access your data or otherwise disrupt the normal flow of your business, any of which can result in costly, time-consuming interruptions.
One of the biggest breaches in recent times was the 2014 JP Morgan Chase hack, which is believed to have compromised data associated with over 83 million accounts, including 76 million households (approximately two out of every three households in the USA) and 7 million small businesses. The data breach was considered one of the most serious intrusions into an American corporation’s information system and one of the largest data breaches in history. Another recent case, the “Carbanak” attack, in which a group of cyber criminals hacked into the banking systems of up to 100 banks, resulted in an unprecedented $1 billion heist. As you can see, cyber crime certainly pays and is big business for criminals with the capability to carry out polished and ever more intelligent attacks of this nature.
Sadly, as one of the keynote speakers attested, in many cases of data and security breaches police assistance after the event is ineffective, with many companies admitting that the assets stolen as a result of such hacking are unlikely ever to be recovered. In an era when one is accustomed to the media’s tendency to sensationalise the mundane and the ordinary, this is certainly a form of terrorism, except that in this case its potential impact is more far-reaching, and it therefore increasingly occupies a large amount of insurers’ time as they attempt to quantify the risk it poses to any business. Slowly but surely, organisations are recognising cyber threats of this nature as the number one corporate risk management issue and are busy putting in place countermeasures to mitigate this risk, if not eliminate it entirely.
A particular challenge for many companies arises from the fact that not all forms of cyber crime originate externally. With so many people internally having significant levels of access to privileged accounts and private data, a number of recent attacks are believed to have been the result of those privileged accounts being misused or their security being compromised. As a result, passwords and access management are critically sensitive security points for all companies, with many prioritising “beefing them up” on a regular basis as a matter of best practice. Unfortunately, while many companies attempt to mitigate these risks by educating staff at all levels in the awareness required to ensure data integrity and information security, human error can and will find ways of bypassing these safeguards. Another of the mitigating actions being undertaken by organisations is a more rigorous approach to background checks on new hires, and indeed on existing staff, something that is also affecting the recruitment and hiring process for many firms. From a recruitment perspective, it is simply no longer sufficient to provide a “strong reference”, with background checks and credit referencing across a number of levels becoming the norm.
Other potential internal threats have arisen with the increased use of BYOD (Bring Your Own Device) within organisations – the policy of permitting employees to bring personally owned mobile devices (laptops, tablets and smartphones) to their workplace and to use those devices to access privileged company information and applications. By their very nature, these devices carry a more portable threat to any firm and as a result require careful management and screening by IT and IS professionals. There is also a significant level of trust required to allow users to use personal devices in any working environment, which in itself poses its own risks.
In conclusion, I left the conference with the overriding impression that cyber threats and data breaches are no longer a matter of “if” but “when”, and that in all cases prevention is significantly better than cure. Cyber insurance cover can add a layer of comfort and provide some peace of mind to companies that may otherwise be exposed. With IT forensics after the event becoming very expensive very quickly, insurance of this type is not a luxury purchase; it is an essential.
As companies’ online business activities continue to grow and evolve, the range of non-traditional activities they engage in is increasingly leaving them open to new threats. With the traditional commercial liability policy no longer sufficient to cover these diverse risks, the coverage provided by cyber insurance policies indemnifies companies against losses they would otherwise have incurred. The message for all of us operating online is very clear: a failure to safeguard our data, regularly update our software or audit our IT security measures can be seriously detrimental to business, with the damage done from both an operational and a reputational perspective potentially long lasting. For that reason alone, cyber insurance is a must-have for any business wishing to protect itself from cyber crime.
Campbell Rochford – Turning Good To Great
If you wish to find out more about Campbell Rochford’s recruitment activities in this space, please contact us via email, phone or LinkedIn.