Nearly every day there is a news report about some kind of cyber security breach, here in Australia or elsewhere in the world. It is fast becoming the modern way to commit a crime, and in Australia we should now be very concerned.
Cyber attacks, ranging from malicious software to denial of service and much more, increased in Australia by 45% in 2012 and have only accelerated further in 2013.
A new language comes with new risks
These breaches are becoming quite varied and are acquiring their own names, such as “hacktivism” and “cyberwar” for well-publicised, protest-type incidents.
Then there is “cybercrime”, involving theft and fraud. Most of us are well aware of these risks, which occur both internally and externally and often target financial institutions.
“Malware”, short for malicious software, is software intended to damage or disable computers and computer systems. It is constantly evolving and stays ahead of anti-virus applications, which can only react to what has already been seen.
Then there are “ransomware” attacks, such as the one on a Byron Bay primary school whose records were encrypted by scammers who demanded a $5,000 ransom. The attack is believed to have emanated from Eastern Europe; it first occurred in October 2012 and the disruption lasted about two months.
The school recovered most of its records by having a forensic examination run on the affected hard disks, but the previous month’s financial data and some historical photos of the school were unrecoverable. Staff at the small school initially agreed to pay the ransom, but negotiated it down to $1,235.
Then we heard about a Queensland medical practice, the Miami Family Medical Centre on the Gold Coast, that became the victim of the same kind of attack: international attackers hack into the system, encrypt the data and then demand a ransom for the key to release it.
Then there is “phishing”: fake email messages that claim to be from a company you would normally trust, such as a bank or other financial organisation. Phishing emails look genuine, using the same colours and logos you would expect in a legitimate message from your bank, but their links lead to a site the criminals control. If you submit your details there, they go not to the real company but to a criminal organisation, which can then use them to withdraw money from your account or commit identity theft.
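The gap between what a link says and where it actually goes is something software can check. The script below is an added example written for this article, not code from the author or from any mail product: it parses the links out of a constructed sample email body, flags any whose destination host is not the bank’s own domain (example-bank.com.au is an assumed domain for the demo) and any whose visible text shows one address while the href points somewhere else, which is the classic phishing trick. Mail filters and security-aware webmail clients apply the same two checks.

```python
"""Flag phishing-style links in an HTML email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the demo: the bank's genuine, registered domain.
TRUSTED_DOMAINS = {"example-bank.com.au"}

# Constructed sample of a phishing email body; not a real message.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been suspended.</p>
<p>Please <a href="http://example-bank.com.au.login-verify.net/secure">
click here</a> to verify your details.</p>
<p>Or visit <a href="http://198.51.100.23/ebank">https://www.example-bank.com.au</a></p>
<p>Contact us: <a href="https://www.example-bank.com.au/contact">our contact page</a></p>
"""

# Visible text that a reader would take to be an address ("www.bank.com", "https://...").
URL_LIKE = re.compile(r"^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def host_of(url):
    """Lower-case hostname of a URL; bare 'www.bank.com' is treated as http://www.bank.com."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host, trusted):
    """True only if host is a trusted domain or a subdomain of one.

    'example-bank.com.au.login-verify.net' begins with the bank's name but is
    registered under login-verify.net, so it must NOT pass; a naive substring
    test ("example-bank.com.au" in host) would accept it.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def find_suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return a list of {href, text, reasons} for every link that fails a check."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        if not is_trusted(target, trusted):
            reasons.append("destination host %r is not the bank's domain" % target)
        if URL_LIKE.match(text) and host_of(text) != target:
            reasons.append("text shows %r but link goes to %r" % (host_of(text), target))
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the sample, the first two links are reported and the genuine contact link is not. The subdomain test matters: the first link starts with the bank’s name but is registered under login-verify.net, which is exactly how these emails get past a quick glance.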
Queensland Police also reported small businesses being targeted in September 2012 by malware that displayed an Australian Federal Police logo on infected systems and demanded payment of a “fine”.
Then there are scammers who ring small businesses and householders claiming to be from Microsoft or “Windows”, saying they have received error reports from the victim’s computer and offering to “fix up” and delete errors that are nothing more than routine operating-system log entries. If you allow them remote access to your machine, they can install spyware, access your data or cause other breaches.
Sophisticated attacks are targeting businesses that hold confidential financial or medical information and demanding ransoms in the thousands. This is happening in Australia now, and it could become much worse.
Hacking of prominent firms takes place nearly every week. Credit card fraud and piracy on the Internet are booming. “Hacktivist” attacks against government computers and private companies occur almost daily. Government agencies and businesses everywhere are spending to improve their cyber security. For any business dependent on the Internet it is a huge issue.
Insurance Brokers must advise their clients of these risks
We may continue to believe the threat is not that great within Australia, but we only need to look at the experience of the USA and Europe. We were only a few years behind our overseas counterparts on Directors and Officers and other Management Liability risks.
For instance, Verizon’s ninth annual Data Breach Investigations Report found that 2012 was the year of the cyber attack. Government officials and lawmakers talked about it a great deal, and there were reports of countries engaged in a kind of cyber war, some attacking, some defending, some doing both. One would expect most large companies and organisations to be unwilling to disclose that they had been attacked and had suffered a breach causing financial loss, yet they provided this information, which makes it a real concern for all businesses.
Despite the talk of cyberwar, none of it came close to the amount of financially motivated crime behind data breaches in the USA. Verizon found that the traditional monetary incentive accounted for 75 percent of security incidents, with state-sponsored attacks accounting for 20 percent. The big targets are organisations that move or hold a lot of money: financial organisations were the target 37 percent of the time, then retailers at 24 percent, and manufacturing, transportation and utilities next at 20 percent.
The study’s sample covered more than 47,000 security incidents in 27 countries and territories, including 621 confirmed data breaches. Verizon’s nine years of data gathering now cover more than 2,500 data breaches and 1.2 billion records.
Then there is where these attacks come from. Only 14 percent of breaches were attributed to insiders and 1 percent to business partners; the rest came from outside.
71 percent of breaches targeted user devices and 54 percent were aimed at servers.
Of big concern is that two thirds of the breaches reported took a month or more to discover.
A newer trend is “bring your own device” (BYOD), where employers let staff use their own smartphones, tablets or notebooks to access corporate networks. So far there have been almost no BYOD-related security incidents. In the Verizon report’s own words: “The Bring Your Own Device (BYOD) trend is a current topic of debate and planning in many organizations. Unfortunately, we don’t have much hard evidence to offer from our breach data. We saw only one breach involving personally-owned devices in 2011 and a couple more in 2012.”
If UK businesses are anything to go by, the cost of security breaches has tripled over the past year and amounts to billions of dollars annually. In Britain alone, the worst breaches cost small businesses an average of about AUD$100,000 and large businesses (those with more than 250 employees) about AUD$1,200,000.
Cyber attacks against British businesses, including breaches of valuable intellectual property and customer data, continue to increase rapidly. Of particular concern is that in Britain 87 per cent of small businesses and 93 per cent of large organisations are estimated to have experienced at least one security breach in the past year, according to a report by the Department for Business, Innovation and Skills published in April 2013. The data also show that the number of repeat breaches has risen by 50%.
The report showed that cyber security is no longer just a problem for big business: it had been assumed to be a big-company problem, but it is increasingly a problem for small companies as well.
The British government has identified cyber security as a threat to British business interests. Last month it announced a unit to protect companies from the growing threat of cyber attacks from China, Russia and Iran, in which the Government Communications Headquarters (GCHQ) and MI5 will work with business representatives.
The British business department is extending its Innovation Vouchers scheme to help small businesses beef up their cyber security, and is also publishing guides on making cyber security part of day-to-day risk management.
Like the Verizon report, the latest British data show that security breaches take many forms. One in six small businesses was successfully hacked by outside attackers in the past year, double the previous year’s figure. Companies now spend an average of 10 per cent of their IT budget on security, up from 8 per cent last year, and almost half of those surveyed expect to spend more next year.
Fourteen per cent of large organisations detected a breach involving social networking in the past year. Companies that do not monitor posts to social networks were three times less likely to have detected such a breach.
Although the majority of cyber attacks were caused by outsiders such as criminals, hackers and competitors, the British report also highlighted the threat from within: 36 per cent of the worst security breaches were caused by inadvertent human behaviour, and a further 10 per cent by deliberate misuse of systems by staff. That is an interesting comparison with the Verizon results from the USA.
So where to from here? Businesses need to think about these risks and how to manage them.
Company Owners, Managers and their Boards must take responsibility
These issues should be a major priority for company managers and boards, particularly given the operational and reputational risk that cyber exposures represent. As with any other issue, directors need to ask questions and demand accountability, starting with what steps the company is taking to analyse and protect itself against cyber exposures. One question directors should put to senior managers is what risk management or insurance the company has in place to deal with the problems that arise when a cyber incident happens.
What can be done to manage the risk?
There are many ways a small business can reduce its exposure to cyber risks.
Engaging an IT consultant to monitor your systems constantly is one way to help detect breaches, but even they cannot guarantee to prevent a newly developed virus or hacking method, and attackers are constantly evolving both. Firewalls are vital for small businesses, especially if customer data and other sensitive information are reachable from the Internet. An IT specialist’s role is to minimise the risks as far as possible, and a good, reputable consultant will do this.
Creating rules and procedures within a business, and backing them up with training and review, certainly reduces these risks. A business should recognise that employees are the first line of defence against cybercriminals, but that they are also potentially a large security risk.
Passwords are a good starting point. Have a system in place so that you and your staff change them regularly, and never use the same password for more than one account: a password stolen from one site will be tried against others. Implement a password policy with rules such as a minimum of eight characters including at least one number and one capital letter, and a set period after which passwords must be changed; a common standard is every two months.
Other careless mistakes by employees are among the most common causes of data breaches. Many companies provide their staff with phones, and we have all heard about mobile phones being lost or left in bars or restaurants. It certainly helps to encrypt any mobile device that carries sensitive data, so that a lost phone is only a lost phone and not a data breach.
Staff who need to take work home on USB drives (because many businesses are reluctant to provide remote access) can leave those drives unaccounted for or lose them. Emails with confidential information sent to an incorrect address, or staff clicking on unidentified hyperlinks, create further threats. Then there is the theft of hardware, and even what happens when hardware is replaced and disposed of: are you sure all confidential data has been properly erased?
Mistakes will happen, but they should reduce if staff are made aware of the risks and their responsibilities. The culture of an organisation also plays a part; a happy and loyal workplace helps.
Educate your staff on basic security measures, such as how to recognise potential threats and why it is important always to take precautions. A security plan without active participation by your employees is like an alarm system that is never switched on.
Another way to limit cyber fraud is to use a dedicated computer for all online financial transactions. Because that machine is not used for email, web browsing or social media, it is much harder for outsiders to compromise it and reach your sensitive information. Review banking transactions daily so you can spot fraud in near real time and possibly recover the funds.
Small businesses can lose data as well as money in a cyber attack, but until recently most could not afford an online data backup solution. Thanks to cloud computing and other Internet technologies, off-site backup services have become cost-effective, fast and dependable for small-business owners. Depending on how the terms of the agreement with the storage company are framed, the provider owes a duty of care, which is itself a form of risk transfer. Ensure that any third-party service provider with access to sensitive data has policies and procedures in place and enforces them, and holds IT liability insurance to cover its risk.
External hard drives are now often used for backups, but store them off-site securely, and check regularly that the drives still work and that the data on them is complete and readable.
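Checking that a drive still spins is not the same as checking that the data on it is complete and intact, whether the copy lives on an external drive or with an online backup service. The script below is an added example for this article, not the author’s code or any vendor’s tool: it records a SHA-256 manifest of the original files, stores it apart from the backup, and later verifies the backup copy against it, reporting files that are missing or whose content differs. The source and backup folders, including a ledger file that was truncated in the copy and a photo that never got copied, are constructed in a temporary directory so the example runs offline.

```python
"""Verify a backup against a manifest of the original files (added example)."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in 1 MiB chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(manifest, backup_root):
    """Check a backup tree against the manifest taken from the original.

    Returns {'ok': [...], 'missing': [...], 'corrupt': [...]}; 'corrupt' covers
    any file whose content differs from the original (truncated, altered, bit-rotted).
    """
    result = {"ok": [], "missing": [], "corrupt": []}
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(backup_root, *rel.split("/"))
        if not os.path.isfile(path):
            result["missing"].append(rel)
        elif sha256_file(path) != expected:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def write_tree(root, files):
    """Demo helper: write a {relative path: bytes} mapping under root."""
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Constructed scenario: one file truncated in the copy, one never copied."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source")
        backup = os.path.join(tmp, "backup")
        manifest_path = os.path.join(tmp, "manifest.json")  # kept apart from the backup

        # Constructed sample files; the names and contents are made up for the demo.
        originals = {
            "accounts/ledger-2013.csv": b"date,amount\n2013-04-01,1235.00\n" * 50,
            "patients/index.db": bytes(range(256)) * 16,
            "photos/school-1962.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 2044,
        }
        write_tree(source, originals)

        # 1. Take the manifest from the originals and store it separately.
        with open(manifest_path, "w") as fh:
            json.dump(build_manifest(source), fh)

        # 2. Simulate a backup run that silently went wrong.
        copied = dict(originals)
        copied["accounts/ledger-2013.csv"] = originals["accounts/ledger-2013.csv"][:100]
        del copied["photos/school-1962.jpg"]
        write_tree(backup, copied)

        # 3. Later, on the regular check: verify the backup against the stored manifest.
        with open(manifest_path) as fh:
            manifest = json.load(fh)
        return verify_backup(manifest, backup)


if __name__ == "__main__":
    for status, files in demo().items():
        print("%-8s %s" % (status, ", ".join(files) or "-"))
```

Keep the manifest somewhere other than the backup medium itself, otherwise a failed drive takes the checklist with it, and run the verification on the same regular schedule as the backups. A backup that has never been verified or restored is a hope, not a control.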
The Insurance solution
The other risk transfer approach is to insure the risks in some way and be compensated for any resulting financial loss. Traditional insurance alone is not sufficient to protect against these risks. A business should ensure it has a cyber risks insurance policy in place that covers both what we call first party costs and third party costs.
First party losses are the direct impact on the business itself: forensic IT services, notification costs, call centre costs and credit monitoring services, as well as business interruption that causes a financial loss. An example is a business whose web site is shut down or whose server is disrupted, impeding its ability to perform its regular work.
Third party losses are those that might arise in a third-party liability lawsuit, such as a breach of confidentiality where clients’ records are stolen and exposed to further exploitation.
Cyber risk insurance policies currently go by a variety of names, such as “Data Breach” insurance, “Information Technology” insurance, “Internet Liability” insurance and “Information Security” insurance. Whatever the name, they should all cover legal costs, the cost of recovering lost data and the payment of regulatory fines (where indemnifiable by law).
While there are more than thirty insurers in the USA and Europe, the market is much smaller in Australia. We have four or five insurers offering specific cyber risks cover, but so far only about two, AIG and Dual, are really interested in the small to medium business segment. Another two insurers have announced their entry into the Australian market towards the end of the year. At present, premiums are not at a level that makes it easy for brokers to sell. Other financial risks to business offered under Management Liability have also been hard to convince clients to buy. Hopefully more entrants will create competition and bring down the price.
On the corporate side, more insurers are interested in larger companies, with AIG and Zurich along with Chubb creating the most interest. There are also some underwriting agents using markets such as CFC, Hiscox and Lloyd’s, but they are not that interested at this stage in small to medium businesses, which make up 90% of businesses in Australia. This is expected to change as insurers understand these risks better, are able to measure them effectively and see an opportunity to provide a competitive, profitable product.
What can Governments do?
All that is left is for governments to legislate to help protect business, treating such crimes with tougher penalties and creating specific legislation around the use and storage of data. But what else can they really do? They face the same risks!
In the meantime, every insurance broker should skill themselves in cyber risks and advise their clients accordingly. If clients are interested, we do have markets to go to, but hopefully the number of insurance offerings will continue to grow and competition will develop the products further, with affordable pricing for all businesses. As brokers, we then need to keep up to date with how these risks develop and how they can be handled.
Effective and skilled insurance brokers will meet these new challenges we all face.
By Robert Cooper,
Director, Cooper Professional Risks Pty Ltd t/as CPR Insurance Services.
An authorised representative of National Adviser Services Pty Ltd (ABN: 60 096 916 184) trading as NAS Insurance Brokers (AFS No.233750)