Risk Management in Cyberspace

Going on the offensive against cyber crime

You could say that cyber theft is the crime that keeps on giving — for thieves. It’s also the crime that keeps on taking — from businesses and their clients.

For business owners, it’s not a matter of if they will get hit by cyber thieves, but when. Statistics say companies are woefully unprepared for a cyber attack, so the next question is how devastating it will be.

Businesses spend 2 percent of revenue on “physical security,” a broad term for things such as fences, guards, alarm services, radio frequency identity tags and other measures. Despite this investment, losses to physical theft are $112 billion, according to Bloomberg and the Ponemon Institute.

These losses are dwarfed, however, by cybercrime. Businesses spend a staggeringly low figure of less than half of 1 percent of revenue on cybersecurity, yet losses to cyber thieves are pegged at $300 billion, almost three times as much as what’s lost to physical thefts.

The Dark Web

Cybercrime is just too profitable for law-breaking elements around the world to pass up. They operate within the realm of the “Dark Web,” an ominous but inviting collection of websites that conceal the IP addresses of the servers that run them.

Information and data obtained illegally from businesses in cyber thefts are traded in vast, lucrative online exchanges found in the Dark Web that mask the identities of buyers and sellers. It’s the place where crime pays, and pays well.

A Social Security number goes for $1. Medical records start at $50. Depending on the account type and the balance, bank account information goes for $1,000 or more. Even spammers are making deals, with 50,000 email addresses fetching $50.

Developing commercial malware is worth $2,500 and malware for mobile technology is $150. Credit card data earns 25 cents to $60 and a Facebook account with 15 friends is worth $1.

A distributed denial-of-service (DDoS) attack, in which an attempt is made to render an online service unavailable by overwhelming it with traffic from multiple sources, costs $7 per hour. Banks or news websites are often targeted as a means of preventing people from publishing and accessing important information.

Prime Targets For Cybercrime

Small businesses with fewer than 100 employees are targeted in 71 percent of cyber attacks. They are often victims of the proliferation of cheap or free hacking tools that are easy to obtain and extremely effective. Advanced attacks often go undetected for 229 days.

The results are often devastating: Within six months, 60 percent of small businesses that experience a data breach are out of business. Compounding matters, incident response becomes very expensive.

Technology Advances

The vulnerability of businesses can be traced to security being an afterthought. For example, those magnetic strips on the backs of credit and debit cards are based on technology from the 1950s.

The other fact, of course, is the profitability of data breaches. They account for about 3 percent of gross domestic product.

U.S. credit card fraud in 2013 equaled $7.1 billion, with the take in 2014 estimated at around $10 billion. Banks and financial institutions absorbed 60 percent of the cost.

As more and more high-profile data breaches happened, consumers started demanding improved security for credit and debit card transactions. Yet improving the security to prevent cybercrime involves an enormous investment.

The U.S. lags behind much of the industrialized world in moving to more secure credit and debit card transactions using the global standard of EMV — Europay, MasterCard and Visa — technology. Microprocessors are embedded in EMV chip cards to provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards.

Upgrading point-of-sale technology for 15 million devices is estimated to cost $6.75 billion. Terminals start at about $300 and range up to $1,200; there’s currently a shortage of them as merchants are scrambling to prepare for the implementation of EMV in America by October.

Upgrades for 360,000 ATMs are estimated to cost $500 million. The changeover of more than 600 million credit cards and 520 million debit cards to cards equipped with the computer chips that protect consumers and reduce fraud costs would cost $1.4 billion.

Shifting Liability

These security improvements and infrastructure upgrades would also shift the liability from the issuer to the merchants. Business owners and company executives are realizing the reality of the risk and insuring their companies against the threat of cyber crimes, which is no different from purchasing property insurance.

Yet many business owners and merchants don’t know what to look for in buying premiums for cyber insurance. A company may try to exclude malware, for example. Another may try to exclude patents and trade secrets, a prime target for cyber thieves.

If you don’t know what to look for, Sera-Brynn can help. Insurance companies are asking experts like us to help craft policy language, and we can help business owners determine specific coverage and ensure the policy meets the company’s needs. Writing your own policy is often the best way to ensure coverage.

But remember, cyber insurance won’t be your savior. It takes aggressive prevention and security measures to protect your company from cyber thieves.

Even then, it’s important to develop a response plan for the crisis management event that occurs when a breach is suspected. Most company executives haven’t developed a plan for responding to a crisis situation. Who do you call? Do you know if you are compliant with industry standards? What critical information do you have?

Response steps to consider when a data breach occurs include the involvement of a legal team and a cyber forensics firm, notifications to vendors, customers and others, and even public relations. Success is measured in hours, not weeks.

These are steps we can help with as well. We’re also available to present information to business groups and consumers on cybersecurity, what’s happening in the industry and what’s important for companies to know.

For information, contact Sera-Brynn by phone at 757-243-1257, or by email at info@sera-brynn.com.