Defending Your Firm Against Cyber-Attacks

Last year brought a wave of high-profile data breaches, including Google, Epsilon, Lockheed Martin and the International Monetary Fund. These attacks have demonstrated that hackers can wreak havoc on a business's network, as well as on a company's or institution's reputation. Symantec's Internet Security Threat Report cited a 93 percent increase in malware-based Web attacks between 2009 and 2010, further underscoring the growing threat.

Perhaps as a result of increased attention paid to data breaches in the mainstream media, consumers are also increasingly sensitive to these exposures. A survey released in May 2011 by the Chubb Group of Insurance Companies found that one-third (32 percent) of respondents believe companies are less likely to protect consumers from the theft of personal information than they were in 2010.

With these numbers in mind, it is vital for businesses and consumers to protect themselves in the ongoing data security battle. Unfortunately, many still have not made cyber-security a top priority. Without realizing it, these companies practically invite hackers to take their best shots. Below are a few cues that alert cyber-criminals to potential targets, otherwise known as the items on a hacker's wish list.


1. An army of road warriors. Smartphones are easier to hack, so companies that equip employees with mobile devices are a prime target. According to Symantec's survey, reported vulnerabilities in mobile operating systems are on the rise (from 115 in 2009 to 163 in 2010). This fact should alert businesses, since a growing number of employees today rely on a smartphone for work.

Across various professions, people are simply more connected, which yields advantages for convenience and customer service, but creates data vulnerabilities. Employers and employees need to be aware of best practices when they are using these types of devices, especially in public places. At a bare minimum, it is a smart strategy to have a remote-access mobility policy, strong password protection, and well-understood encryption guidelines for storing and transmitting confidential data.


2. Unencrypted data "at rest." Sensitive data is often encrypted for transfer, but not when it's residing on servers, which can serve as a gold mine for outsiders with malicious intentions. Proper encryption serves as the last line of defense before confidential data can be accessed and may save a business from the costs of having to notify its customers of a data breach. Companies should create, implement and follow rigid security guidelines for storing customer information. They should also consider partnering with carriers that offer robust risk-management portals with sample best-practice policies and tools.

Another option with which companies can protect themselves is cyber-liability insurance and risk transfer. According to Betterley Risk Consultants, publisher of "The Betterley Report," which focuses on insurance product evaluations, only one-third of companies currently purchase this type of insurance. In a time of increased cyber-vulnerability, this is a surprisingly low number. Purchasing this type of insurance helps protect companies from the financial backlash caused by an unexpected breach.


3. Aggregated data (employees or customers). If hackers see they can get names, Social Security numbers and other personally identifiable information in one place, they will. In some cases, it may not be possible for companies to separate vital customer information on different servers and/or sites, but it is important to continuously test a system's vulnerability and be flexible in making IT changes as needed.

One way to do this is by conducting regular penetration tests to determine potential network weaknesses. Another is to use network intrusion software to detect points at which security has been compromised or attempts at a breach have occurred.


4. Inconsistent defenses. Is the IT security guy at one of your regional offices asleep at the wheel? Chances are, data thieves will figure it out and take advantage, and once they're in, they're in everywhere. In addition to performing due diligence when hiring IT professionals to ensure that your company has responsible, credible employees, companies should be vigilant and consistent in their data protection procedures. For instance, mandating and tracking security upgrades across all facilities or offices can help keep a company's defenses steady and up-to-date.

Taking a proactive approach to IT security is critical to avoiding cyber-related incidents and addressing them quickly to minimize financial loss and reputational damage. While the target and magnitude of the next headline-making data breach cannot be predicted, one thing is certain: Cyber-criminals are becoming smarter and more resourceful. So companies need to develop and update incident-response plans (as part of more formal business-continuity plans) to address breaches quickly and comprehensively.


Ken Goldstein is a vice president at the Chubb Group of Insurance Companies.