Still hitting the snooze button?
8 motivating reasons to heed cyber security wake-up calls
From the pages of In Business magazine.
With all the press coverage about computer network system breaches and the associated damage to business finances and brands, one would think cyber security would have top-of-mind awareness in the boardroom. Yet that’s still not always the case, and it’s one of several reasons why cyber criminals are more active than ever.
Business boards and members of the C-suite are bombarded with conflicting messages from regulators and the marketplace, but the reality is there’s a cyber war going on and it’s serious. It’s gotten to the point where hackers hold business organizations for ransom, especially those who have left themselves vulnerable.
Bob Turner, chief security officer for the University of Wisconsin–Madison, has argued that people in his position must make their pitch for technology investments based on the need to manage risk. “A lot of it is due to the fact they [business boards] are just not informed,” Turner laments. “It’s hard to articulate it as an age thing or an experience thing, but a lot of them haven’t necessarily been that close to the IT operation in the last 15 or 20 years.”
If they had been, Turner suggests they would understand the threat posed by the constant volume of cyber attackers probing the enterprise to find a way in.
While technologists struggle to make the case, things are changing on the insurance side, where cyber liability coverage can help mitigate the damage.
Derek Laczniak, an account executive with M3 Insurance Solutions Inc. in Madison, not only sells cyber liability coverage but also blogs on the topic. “Cyber liability and cyber security is definitely a C-level problem and it hasn’t been as high a priority as it should have been, but I’ve actually seen that the [insurance] trend is moving in the right direction. You see executives taking a closer look.”
For the remaining holdouts, we offer eight motivations to take cyber liability seriously and consider insurance coverage tailored to the unique needs of their business and industry.
1. Barrage of breaches
Computer hackers are relentless. There are roughly 35,000 known computer penetration incidents per day, according to the annual Symantec Internet Security Threat report. While it’s not clear how many of them resulted in the theft of personal information, the sheer volume of known breaches should be enough to get the attention of individual consumers, businesses, and academic institutions.
The hackers go after big game and small beer. Ben Shortreed, executive vice president of AVID Risk Solutions, notes the National Security Agency data center in Utah experiences upwards of 300,000 hacking attempts per day for the nation’s most sensitive information. “I would imagine,” he adds, “that they have the best security protocols in place.”
2. Sophisticated swipers
Unfortunately hackers are getting better at their nefarious craft. Despite a relatively flat number of domestic data breaches reported in 2015, Laczniak notes the number of impacted records nearly doubled. Information available from cyber insurance carriers suggests that actual insurance claims reported to carriers increased 50% in 2015, and 2016 will bring even more activity “from a variety of threat sources,” he adds.
The growing threat is one of the reasons it’s common for insurance carriers to review a potential client’s information technology security before any underwriting is done. Insight into network security typically is obtained through an application that “gathers information and asks a lot of control questions,” Laczniak says. “Depending on what application you use, and there are many, and depending on what carrier you’re going with, and there are many, we can have a lot of different views of the strength of controls and the perceived risk that your company has.”
3. Proliferation perils
According to the research firm Gartner Inc., the number of connected devices is expected to increase from 4.9 billion in 2015 to 25 billion in 2020. Without strong password protection the explosion of mobile data traffic would provide a content-rich environment for cyber crooks.
It’s already happening in what cyber experts call a new frontier for criminals. Malicious software can be disguised as a photo or audio clip and once a consumer clicks on them the “mobile malware” is installed in their device, allowing hackers to remotely control it. “You can almost go anywhere and see mobile devices, which could be lost or compromised, that may contain sensitive emails, access to client management systems, health records — you name it,” Shortreed says. “The 128 gigabyte USB devices are available for $30, which could carry tens of thousands of sensitive documents to be leaked or lost.”
4. Ransom rascals
Typically, ransomware is deployed through phishing attacks and therefore can be activated by any employee of an organization. The convincing nature of phishing attacks is a key reason why Laczniak characterizes ransomware as “user-friendly.” On a variety of levels, these attacks are also very damaging to businesses — just ask Hollywood Presbyterian Medical Center. The Los Angeles hospital recently paid hackers $17,000 to regain control of its computers, which were hacked with a malicious code that’s capable of locking entire computer networks. The hospital was left with no choice after it was relegated to the untenable situation of using pencils, fax machines, and paper in an era where patient data is contained in electronic medical records.
Organizations that fail to frequently back up critical files (on an hourly basis, if possible), or fail to provide special employee training on how to spot a phishing email and use credible security technology to check the authenticity of all emails, including any embedded files or links, leave themselves vulnerable to having ransomware installed in their system.
(Continued)
5. Shareholder shake-ups
Organizational stakeholders (and regulatory bodies) increasingly are holding business leaders accountable for breaches of privacy due to negligence, Laczniak notes. “The reality is, and what you’re seeing on the national scope, that boards of directors and executives of large, publicly traded companies are facing shareholder litigation based on the failure to take security seriously when there is a breach,” he states.
Laczniak cites a longstanding case involving the Wyndham Worldwide hotel chain, which had multiple data breaches over the course of a year, resulting in legal action by frustrated shareholders. “The shareholders of Wyndham Worldwide Corp. said, ‘Look, this is bogus. How is it possible that we had one massive data breach and then we had another one? At what point is our leadership not taking this seriously?’ They actually filed what is called a directors and officers shareholder derivative suit, meaning they are saying, ‘Yes mister CEO, yes mister president, yes mister whoever is on the board, you’re tasked with providing the overall direction and enterprise risk management for this organization and you failed to do so. You were negligent.’”
In all there were three breaches between April 2008 and January 2010 in which cyber criminals obtained the personal data of more than 600,000 customers. While Wyndham prevailed in the shareholder derivative suit, the Federal Trade Commission also filed an action and reached a settlement with the corporation in December 2015.
With cyber liability becoming a directors and officers’ issue, businesses must “dovetail their insurance policies to reflect that,” Laczniak adds. Not all directors and officers policies will automatically provide cover for claims alleging breach of duty related to data security, so coverage should be reviewed with a knowledgeable professional for coverage limitations and potential “carve back” for cyber security claims.
As Laczniak explains, a carve back is like “granting” coverage; many “D&O” policies will exclude coverage for cyber incidents while others will carve back the coverage. It may be deleted but then it’s endorsed to add back the coverage.
When it comes to breaches, college students are as upset as corporate shareholders. UW–Madison’s Turner noted an increasing number of attacks against college computer systems, and the University of Central Florida suffered the latest known breach. Faculty and student Social Security numbers got out and several of the 63,000 victims filed a lawsuit against the university in federal court, claiming it was negligent in protecting their data. Turner noted that FERPA, the Family Educational Rights and Privacy Act, is the federal law that regulates student data and the UCF breach is a potential violation of that law.
6. Varied vulnerability
Computing advances and increased utilization, dependency, and accessibility of technology have created risks to the business climate that were relatively unheard of 10 years ago, Shortreed notes, and that cuts across businesses of varying sizes. “No company of any size is completely safe from a data breach,” he states. “We’ve transitioned from a bricks-and-mortars society to clicks and orders.”
This reality hasn’t put a sizeable dent in the small business belief that cyber security is a concern of large enterprises. Small business operators generally don’t view themselves as targets in the same way a Heartland Payment Systems or a Kaiser Permanente have to, Shortreed says. “They kind of have the mentality that it’s not going to happen to us, where realistically the odds of somebody at least trying to breach their system are high,” he states. “In truth nobody can escape it, individuals or businesses.”
The aforementioned shareholder lawsuits involve publicly traded companies, but Laczniak notes that insurers often see litigation trends start at the publicly traded side before moving downstream to the private sector.
For small businesses, the good news is the premium price for cyber liability coverage is becoming less of a barrier. “The other thing about smaller clients in general is that because our cyber liability marketplace is so competitive right now, they are able to get coverage at very reasonable terms and prices,” states Laczniak.
7. Cost certainty
The financial consequences of a data breach include the need to notify affected customers, the need to invest in identity monitoring for breach victims, the hiring of forensic specialists, attorneys, and public relations experts, the necessity of fraud protection insurance, and the installation of preventive (and perhaps diagnostic) technology tools.
“These are guaranteed costs that you have as the result of a data breach, and you need to be able to match your coverage limits accordingly,” Laczniak says.
In assessing your cyber security risk, he cautions against discounting the cost to defend and settle a potential third-party lawsuit. Companies with a public brand face increased potential for litigation due to what he calls the increased “allure of class action litigation by plaintiff attorneys.”
In terms of coverage structure, an organization that has protected health information data might be more worried about protection for defense and settlement costs, whereas a company that doesn’t have as much PHI but has critical proprietary information will want to insure for the aftermath of a breach more so than settlement and defense.
“The first thing you always have to think about is how am I matching my limit needs with my exposure?” Laczniak states.
Subsequent insurance claims are hardly trivial. Cyber security experts from Travelers Insurance have developed cyber claims scenarios in five industries: retail, health care, technology, finance, and manufacturing. As reported by PropertyCasualty360.com, which covers the insurance industry, the claims costs can quickly add up.
In one scenario involving a community bank with $350 million in assets, hackers launched a distributed denial-of-service (DDoS) attack to the bank’s website as a smoke screen to hack into its network, succeeding in shutting down its online banking function for several days. According to Travelers’ estimate, the combined incident investigation costs, customer notification and crisis management costs, and fines and penalties amounted to $799,000. This does not include the loss of business income the bank would likely suffer.
8. Employee error
Perhaps the most frustrating thing about cyber liability is that most breaches are still the result of employee error. Even companies that have done extensive training of employees and then run an attack simulation have found that 25% to 30% of their employees still take the bait in a phishing email.
This argues for consistent training of new and existing employees and it’s something prospective insurers will likely ask about on their insurance applications. New employees must understand the rules of behavior, the security controls they are responsible for, and the acceptable use of information technology assets. Existing employees require periodic training to either update in case something has changed in the network or become aware of new threats.
“We see a lot of phishing attacks, especially in higher education over the last 12 to 14 months,” Turner notes. “Not only is there more of it, it’s getting more sophisticated so the users need to understand that and have that periodic training. The other thing is to make sure they have training that is really specific to their role.”
Such training is part of a concept known as user-based enforcement of common security controls, Turner explains. Organizations try to educate employees to a level where they understand how simple mistakes can lead to a breach. “Take something as simple as a password. You have to understand the need to change your password on a frequent basis, and it has to have a certain level of instruction in order to be effective or it’s just a passkey,” Turner explains. “If your users don’t understand that, they are not going to change their passwords and they are going to construct them so they are so easy — easily guessed by educated attackers.”
Other user best practices include turning off laptops, tablets, and smartphones if they won’t be used for a prolonged period, which forces hackers to start all over. Encrypting at-risk data, including when it’s in transit, is an organizational control that can protect “classified” data such as personal identities, trade secrets, health care information, and patentable research.
Shortreed believes a certain fatalistic mindset is needed to protect the enterprise because hacking attempts are likely to happen at some point. “It’s not a matter of whether an attempt will be made to compromise an individual or a business,” he says. “Unfortunately it is likely a matter of when, and attempts to access information are likely to happen to a majority of us. That mentality doesn’t allow a business or individual to have lax security measures and to be careless.”
(Continued)
The cost of a cyber breach
Most businesses have been slow to address potential data breaches, but the cost of being hacked can add up quickly.
According to the Ponemon 2015 Cost of Data Breach Study, the average data security breach impacts 28,000 records and costs a business more than $3 million to remedy.
Even a smaller breach carries a hefty price tag. Suppose a physician employed by a nonprofit hospital leaves his work laptop in a restaurant. The laptop contained an unencrypted database of current patient records that included protected health information with the name, social security number, credit card, insurance ID, and limited medical information for 550 patients. The data was completely unsecured, as it did not contain remote take-down capabilities, nor was it password protected.
According to the NetDiligence Data Breach Cost Calculator, the estimated cost to the hospital could be:
| Incident Investigation Costs: | $180,000 |
| Customer Notification and Crisis Management Costs | $34,000 |
| Fines and Penalties | $167,000 |
| Total Costs | $381,000 |
To manage this risk, security experts suggest taking three actions:
- Implement procedures for using effective passwords and mandate periodic changes.
- Consider implementing security measures, including encrypting protected health information that may be stored on the laptops and having remote disabling capabilities.
- Consider storing protected health information on a central server and accessing the information via a secure connection.
Click here to sign up for the free IB ezine – your twice-weekly resource for local business news, analysis, voices, and the names you need to know. If you are not already a subscriber to In Business magazine, be sure to sign up for our monthly print edition here.
