Brian Pennington

A blog about Cyber Security & Compliance

Tag: Identity Theft Resource Center

An Insurer's Perspective of Cyber Crime

Beazley, an insurance company, recently issued a press release on the threat to business from cyber crime. Their perspective supports that of the leading IT security researchers.

Beazley quote some interesting research to support their release:

  • According to a survey by the Identity Theft Resource Center® of 226 security breaches (1), 44 percent of the victims in the first half of this year (2011) were businesses with assets of under $35 million, which lost in aggregate 3.6 million customer records.
  • Verizon’s 2011 data breach report of 759 occurrences, conducted in collaboration with the US Secret Service, shows 63 percent of last year’s breaches involved organizations with no more than 100 employees. (2)

Beazley state that most small businesses currently go without insurance coverage due to a variety of misconceptions about the scale of the risk and the scope of their existing insurance protections.

Jamie Orye, an underwriter who manages the US Private Enterprise/Small Business Technology team for Beazley, said: “Cyber criminals view small businesses as easier targets than their larger, more technologically sophisticated counterparts. They have limited resources to protect themselves, and with more modest incomes, these small businesses have more to lose.”

Among the misconceptions frequently relayed to Beazley underwriters by small business owners or their brokers are:

  • The cost of responding to impacted clients is simply a postage stamp per breached record.
  • Our information is well-protected by our IT consultants.
  • Our employees would not act maliciously and know how to protect our data.
  • Security breaches are covered by our general liability policy.

Orye urges small business owners to talk to their brokers to ensure their coverage extends to cover notification costs, which general liability insurance typically does not. Notification costs can be heavy as they must meet the standards prescribed by a bewildering array of state and federal laws.

Firms should also have resources available to conduct proper forensic investigations to ensure they notify clients only when needed.

Orye gave a recent example of a professional services firm that had their server hacked. The firm spent $100,000 on notifying clients that their sensitive data – such as social security numbers – might have been exposed. However, the firm later discovered none of the exposed data fell into this sensitive category.

“Firms should also realize they may not be off the hook for a breach just because their data storage and management needs are outsourced. They will need to find out if their IT service providers are covered for data privacy issues,” said Orye.

Beazley’s Research Sources:

(1) The Identity Theft Resource Center can be found here. The quoted research was from 7/5/2011.

(2) The Verizon research PDF can be found here.

Beazley’s website can be found here.


The State of Data Security a report by Sophos

Sophos has published its first report focused on data security, “The State of Data Security”.

The report is an excellent read, with 25 pages packed full of information and advice.

The report provides advice and guidance to businesses interested in protecting their data, including “Today’s IT and business managers must take a hard look at the risks and costs of potential data loss. Creating a proactive data security plan arms you with the knowledge you need to manage the risk and helps you to stay compliant with data protection rules and regulations.”

Some statistics and quotes from the report:

  • The U.S. had the highest cost per compromised record at $204, followed by Germany at $177, France at $119, Australia at $114 and the U.K. at $98.
  • CSO magazine’s 2011 CyberSecurity Watch Survey found that 81% of respondents’ organizations experienced a security event during the past 12 months, compared with 60% in 2010. Twenty-eight percent of respondents saw an increase in the number of security events as compared with the prior 12 months.
  • In a survey of 1,000 people in the U.K., 94% ranked “protecting personal information” as their top concern, equal to their concerns about crime, according to The Telegraph.
  • According to security expert Rebecca Herold, you’ll cover roughly 85 to 90% of compliance regulations if you practice effective data protection.
  • About 85% of all U.S. companies have experienced one or more data breaches, according to the Ponemon Institute
  • In 2010, malicious attacks were the root cause of 31% of the data breaches studied, according to the Ponemon Institute – up from 24% in 2009 and 12% in 2008
  • According to the Identity Theft Resource Center, at least 662 data breaches in the U.S. occurred in 2010, which exposed more than 16 million records. Nearly two-thirds of breaches exposed Social Security numbers, and 26% involved credit card or debit card data
  • With over 500 million U.S. records of data breaches and loss since 2005, it’s no surprise that these data loss stories are headline news.

The report can be downloaded here.


Identity Theft Resource Center found that hacking accounted for the largest number of breaches in 2011 year-to-date

The Identity Theft Resource Center® has found that hacking accounted for the largest number of breaches in 2011 year-to-date.

Almost 37% of breaches between January 1st and April 5th were due to malicious attacks on computer systems. This is more than double the amount of targeted attacks reflected in the 2010 ITRC Breach List (17.1%).

ITRC point out that their findings do not include the large Epsilon email breach, as the full findings were yet to be disclosed and the effects seen. The findings also do not include the massive Sony PlayStation Network breach, as this occurred after the report.

Anecdotally, the ITRC in their press release also refer to other pieces of research:

  • Symantec Internet Security Threat Report. This report discloses that over 286 million new threats were identified during 2010. Additionally, the Symantec report said they witnessed more frequent and sophisticated targeted attacks in 2010.
  • McAfee found that the most significant threat to businesses was data leaked accidentally or intentionally by employees.

ITRC views employee breaches as being of two different types:

1. Accidental breaches are those that happen by employee mistakes, and while they cause harm, the people who made a mistake never intended to injure the company.

2. The insider who intentionally steals or allows others access to personal information is considered a malicious attacker.

“At first it may be difficult to know if a hacking was perpetrated by an insider or outsider,” says Linda Foley, founder of the ITRC and data breach report manager. “ITRC does not have access to the Secret Service’s forensic information, so we can only report on situations when information is released. As of April 5, 11.6% of 2011 breaches with known forms of leakage were insider theft. When these events are added to known hacking attacks, ITRC’s breach database report indicates that 48.2% of published breaches are some form of targeted attack.”

Businesses are taking the brunt of hacking attacks, according to published reports of breaches.

  • 53.6% of all breaches on the ITRC report were business related.
  • The other categories, “Banking/Credit/Financial,” “Educational,” “Government/Military” and “Medical/Healthcare,” all dropped in their respective percentage of reported breaches.

Other ITRC findings include:

  • Nearly half of breached entities did not publicly report the number of potentially exposed records.
  • Several medical breaches ranging up to 1.9 million records caused a spike in the total records for the health services field.

ITRC was unable to draw any long-term conclusions from these initial findings.

For further details of the ITRC, visit their website here.
