Cyber crime in focus but risk management and insurance solutions inadequate
A string of high profile cyber attacks at corporate and government entities has exposed the difficulties in combating criminally and politically motivated cyber crime, according to speakers at a Jardine Lloyd Thompson seminar in London entitled Privacy Network Security and CBI—is it crunch time?
High profile attacks such as those affecting Sony, Epsilon, Google, the US government and the French Finance Ministry illustrate failings in companies' security, risk management plans and insurance solutions, they said.
In the case of Sony, which had to shut down its online entertainment and gaming networks, the personal details of over 100 million customers were stolen. The company has said the recent data breaches will cost its shareholders $170m, but some speculate the final bill will be much higher, with some estimates putting it as high as $2bn.
Sony will face losses on two fronts—from litigation and from regulatory investigations, said Garbhan Shanks, Managing Associate at law firm Addleshaw Goddard. Speaking at the JLT event he said that there have already been purported class actions filed in the US and Canada. Sony is also likely to face costly regulatory investigations around the globe, which will result in legal costs and fines, he said.
A major cost driver of data theft is notifying customers that their personal data has been compromised, a regulatory requirement in the US and in Europe. “Sony failed on the basic minimum requirement and did not encrypt customers’ personal data,” said Mr Shanks. “It will now suffer the consequences of being below the required minimum standards of care.”
The company also waited ten days after the breach before notifying customers, which could result in greater damages if it comes to litigation, he added.
Sony is thought to have purchased £40m of cyber insurance cover from Lloyd’s insurers Hiscox and Beazley, although sub-limits restrict the scope of notification cover. With potential costs from the breaches speculated to be as high as $2bn, it appears Sony bought inadequate limits of insurance, said Mr Shanks.
There is demand and capacity for cyber insurance that covers data breaches, he said. However, the limits being purchased are not adequate and, with premiums relatively low, companies should consider buying higher limits, he said.
Limits for privacy cover currently offered by insurers are not high enough to cover a €200m loss, and are rarely above €50m, said Peter Hacker, Head of the Communications and Technology Practice at JLT Specialty Ltd. Data breach claims are increasing in frequency and severity, and some insurers have responded by reducing limits, he said.
This year’s spate of high profile data breaches has pushed cyber risk to the top of the corporate agenda, said Mr Shanks. “Cyber attacks can have a massive effect on a business and it has been shown that it can happen to almost anyone—governments and companies all have an exposure.”
Companies are now beginning to focus on their legal liabilities as they realise that their computer security systems will not give them 100% protection, said Mr Shanks. “They now accept they are likely to be hacked so they are now shifting their thinking to what one can do to mitigate those risks and reduce impact on the business.”
However, data protection legislation tends to lag behind the pace of technology, said Mr Shanks. The EU is currently reviewing the Data Protection Directive and is expected to introduce greater rights for consumers, higher fines and more responsibility for companies.
The UK’s Information Commissioner’s Office, which recently raised its cap on fines to £500,000, expects encryption to be used to protect personal data. Companies are required to show that they have taken reasonable steps to protect it.
Companies need to assess their systems to make sure that they are up to date and make reasonable efforts to protect data, because they cannot be 100% sure of stopping hackers.
Despite widely held misconceptions to the contrary, most high profile hacks exploit known vulnerabilities in software, out of date applications and human weakness, according to another speaker at the seminar.
There is a misconception that zero-day attacks, which exploit software vulnerabilities that are unknown to the software developers, are the engines of online crime, said Rik Ferguson, Director of Security Research and Communication at Trend Micro. Indeed many recent security breaches, including those at Sony and Epsilon, exploited known vulnerabilities, he added.
Sony says it was attacked by a vigilante group known as Anonymous that sympathised with a hacker the Japanese company was taking to court—although the hacktivist group denies this. The hackers were able to exploit vulnerabilities in an out of date version of a web server application, said Mr Ferguson. Sony also failed to encrypt the personal data, he said.
There are some 3,500 known vulnerabilities in widely used operating systems and applications, said Mr Ferguson. This is a worryingly high number, but is gradually decreasing as software developers release products with fewer vulnerabilities, he said.
Hackers and malware writers exploit vulnerabilities in software to gain access and control computers and networks—for example by making them reveal passwords or give access to confidential information.
Typically malware developers target common software packages, in particular popular applications that operate across platforms.
“The perception is that the largest number of vulnerabilities are in operating systems and browsers [like Microsoft Windows and Explorer] but they are in fact low compared with other systems,” said Mr Ferguson. “Applications like Adobe Acrobat, Java, Flash Player and QuickTime have a long and inglorious history of attacks because they are not securely coded,” he said.
Malware developers and criminals are not likely to look for zero-day vulnerabilities, because this takes a lot of time and effort. Instead they are able to exploit known vulnerabilities because people do not update their software as often as they should, said Mr Ferguson.
“There is so much low hanging fruit with known vulnerabilities in software and social engineering, criminals do not need to go looking,” he said.
When software developers find a vulnerability in their products they issue updates or patches, which unfortunately also attract the attention of criminals: a patch tells attackers where the flaw is, and comparing the patched and unpatched code is often enough to work out how to exploit it. The vulnerability window, the time between a patch being released and malware developers identifying and exploiting the flaw on systems that have not yet applied it, has come down from a week in 2005 to a matter of hours.
“There is a misconception that once a patch is released the problem is solved,” said Mr Ferguson. “But in fact companies are more at risk because the vulnerability becomes exploited.”
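The patch-to-exploit window described above is what an asset inventory check has to work against: once a fix is public, every host still below the fixed version is exposed, and the exposure matters most once an exploit is circulating. The following Python is an added example, not code from the seminar, from Trend Micro or from any of the companies named; it runs a constructed inventory of installed software versions against a constructed advisory list (hypothetical product names, versions and dates) and reports which hosts are missing a released fix, how many days that fix has been public, and whether a public exploit already exists for it, with the exploited-and-unpatched cases listed first.

```python
"""Patch-exposure report over a software inventory.

All hosts, products, versions and dates below are constructed sample
data for illustration; they are not real advisories or real systems.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


def parse_version(v: str) -> tuple:
    """'2.2.14' -> (2, 2, 14), so that tuples compare numerically
    rather than as strings ('2.2.9' < '2.2.14' holds)."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: str                   # first version that contains the fix
    patch_released: date            # date the vendor shipped the patch
    exploit_public: Optional[date]  # first known public exploit, or None


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: str


# Hypothetical advisories (constructed).
ADVISORIES = [
    Advisory("webserver", "2.2.17", date(2011, 3, 1), date(2011, 3, 2)),
    Advisory("pdfreader", "9.4.2", date(2011, 2, 8), date(2011, 2, 10)),
    Advisory("java", "1.6.24", date(2011, 2, 15), None),
]

# Hypothetical inventory export (constructed).
INVENTORY = [
    Installed("web01", "webserver", "2.2.14"),
    Installed("web02", "webserver", "2.2.17"),
    Installed("desk17", "pdfreader", "9.3.4"),
    Installed("desk17", "java", "1.6.20"),
    Installed("desk42", "pdfreader", "9.4.2"),
]

# The date the report is run for (constructed).
REPORT_DATE = date(2011, 5, 20)


def exploit_window_days(adv: Advisory) -> Optional[int]:
    """Days between the patch shipping and a public exploit appearing;
    None when no public exploit is known for the advisory."""
    if adv.exploit_public is None:
        return None
    return (adv.exploit_public - adv.patch_released).days


def exposure_report(inventory, advisories, today: date):
    """One finding per (host, product) still below the fixed version.

    Findings are ordered so that hosts facing a public exploit come
    first, then by how long the fix has been available."""
    by_product = {adv.product: adv for adv in advisories}
    findings = []
    for item in inventory:
        adv = by_product.get(item.product)
        if adv is None:
            continue  # no advisory for this product
        if parse_version(item.version) >= parse_version(adv.fixed_in):
            continue  # already at or above the fixed version
        exploit_known = (adv.exploit_public is not None
                         and adv.exploit_public <= today)
        findings.append({
            "host": item.host,
            "product": item.product,
            "installed": item.version,
            "fixed_in": adv.fixed_in,
            "days_since_patch": (today - adv.patch_released).days,
            "exploit_public": exploit_known,
        })
    return sorted(findings,
                  key=lambda f: (not f["exploit_public"],
                                 -f["days_since_patch"]))


if __name__ == "__main__":
    for adv in ADVISORIES:
        print(f"{adv.product}: patch-to-exploit window "
              f"{exploit_window_days(adv)} day(s)")
    for f in exposure_report(INVENTORY, ADVISORIES, REPORT_DATE):
        flag = "EXPLOIT PUBLIC" if f["exploit_public"] else "no public exploit"
        print(f"{f['host']:8} {f['product']:10} {f['installed']} < "
              f"{f['fixed_in']}  unpatched {f['days_since_patch']}d  {flag}")
```

Running it for the constructed data lists desk17's PDF reader (101 days behind a fix with a public exploit) and web01's web server (80 days) ahead of desk17's Java runtime, which is further behind in version terms but has no public exploit recorded. The version comparison is deliberately numeric per component; comparing version strings lexically is a common source of false "up to date" results in inventory scripts.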
Computer hacking has become big business for organised crime gangs over the past decade, said Mr Ferguson. “The cyber crime industry now mirrors the world of business,” he said.
Criminals can purchase malware or hire botnets—computers that are remotely controlled for malicious purposes such as sending out spam or performing denial of service attacks. They can even buy easy to use ‘attack kits’, said Mr Ferguson. “The entry barrier to the world of cyber crime has disappeared.”
Almost all serious data breaches start with social engineering—where a company’s staff are tricked into giving up passwords or allowing access to their computers, said Mr Ferguson. For example an employee may be coerced or fooled into opening a file or clicking on a link in a credible-looking email, which in turn gives the hacker access to the network.
Criminals also exploit vulnerabilities through ‘drive-by’ attacks, in which a compromised or malicious website infects the computers of people who simply visit it, he said.