Defending Your Firm Against Cyber-Attacks
Last year brought a wave of high-profile data breaches, including Google, Epsilon, Lockheed Martin and the International Monetary Fund. These attacks have demonstrated that hackers can wreak havoc on a business’s network—as well as on a company’s or institution’s reputation. Symantec’s Internet Security Threat Report cited a 93 percent increase in malware-based Web attacks between 2009 and 2010—further underscoring the growing threat.
Perhaps as a result of increased attention paid to data breaches in the mainstream media, consumers are also increasingly sensitive to these exposures. A survey released in May 2011 by the Chubb Group of Insurance Companies found that one-third (32 percent) of respondents believe companies are less likely to protect consumers from the theft of personal information than they were in 2010.
With these numbers in mind, it is vital for businesses and consumers to protect themselves in the ongoing data security battle. Unfortunately, many still have not made cyber-security a top priority. Without realizing it, these companies practically invite hackers to take their best shots. Below are a few cues that alert cyber-criminals to potential targets—otherwise known as the items on a hacker’s wish list.
1. An army of road warriors. Smartphones are easier to hack, so companies that equip employees with mobile devices are a prime target. According to Symantec’s survey, reported vulnerabilities in mobile operating systems are on the rise (from 115 in 2009 to 163 in 2010). This fact should alert businesses, since a growing number of employees today rely on a smartphone for work.
Across various professions, people are simply more connected—which yields advantages for convenience and customer service, but creates data vulnerabilities. Employers and employees need to be aware of best practices when they are using these types of devices, especially in public places. At a bare minimum, it is a smart strategy to have a remote-access mobility policy, strong password protection, and well-understood encryption guidelines for storing and transmitting confidential data.
2. Unencrypted data “at rest.” Sensitive data is often
encrypted for transfer, but not when it’s residing on servers—which can serve
as a gold mine for outsiders with malicious intentions. Proper encryption
serves as the last line of defense before confidential data can be accessed and
may save a business from the costs of having to notify its customers
of a data breach. Companies should create, implement and follow rigid security guidelines for storing customer information. They should also consider partnering with carriers that offer robust risk-management portals with sample best-practice policies and tools.
Another option with which companies can protect themselves is cyber-liability insurance and risk transfer. According to Betterley Risk Consultants, publisher of “The Betterley Report,” which focuses on insurance product evaluations, only one-third of companies currently purchase this type of insurance. In a time of increased cyber-vulnerability, this is a surprisingly low number. Purchasing this type of insurance helps protect companies from the financial backlash caused by an unexpected breach.
3. Aggregated data (employees or customers). If hackers see they can get names, Social Security numbers and other personally identifiable information in one place, they will. In some cases, it may not be possible for companies to separate vital customer information on different servers and/or sites, but it is important to continuously test a system’s vulnerability and be flexible in making IT changes as needed.
One way to do this is by conducting regular penetration tests to determine potential network weaknesses. Another is to use network intrusion software to detect points at which security has been compromised or attempts at a breach have occurred.
4. Inconsistent defenses. Is the IT security guy at one of your regional offices asleep at the wheel? Chances are, data thieves will figure it out and take advantage—and once they’re in, they’re in everywhere. In addition to performing due diligence when hiring IT professionals to ensure that your company has responsible, credible employees, companies should be vigilant and consistent in their data protection procedures. For instance, mandating and tracking security upgrades across all facilities or offices can help keep a company’s defenses steady and up-to-date.
Taking a proactive approach to IT security is critical to avoiding cyber-related incidents and addressing them quickly to minimize financial loss and reputational damage. While the target and magnitude of the next headline-making data breach cannot be predicted, one thing is certain: Cyber-criminals are becoming smarter and more resourceful. So companies need to develop and update incident-response plans (as part of more formal business-continuity plans) to address breaches quickly and comprehensively.
Ken Goldstein is a vice president at the Chubb Group of Insurance Companies.