With society's reliance on technology growing, businesses are being encouraged to adopt safety measures to protect themselves and their customers against cyber crime. Sam Barrett reports on the latest scams and information security requirements
Whether 'slicing and dicing' a customer database or buying the weekly groceries online, technology has made the lives of many people much easier. Unfortunately, it has also made life a lot easier for criminals.
"The issue is huge," says Emily Freeman, executive director of technology risks at Lockton International. "People used to steal things, hold up armoured cars or banks, but when the internet was born it became possible to steal data and use this to make money."
The extent of the problem can be seen in the Department of Trade and Industry's Information Security Breaches Survey 2006. This found that, although the percentage of UK companies that had suffered a security incident in 2005 fell to 62% - down from 74% in 2004 - the average cost of a company's worst incident had increased from £10,000 to £12,000.
The survey also found that the types of incidents being suffered were evolving. For example, viruses such as the 'I love you' virus, which caused hundreds of millions of pounds of damage in 2000, are less of an issue today as a result of the business community's investment in anti-virus software.
The same is true for hacking. "Hackers still exist, and intrusions typically increase tenfold during school holidays, but most firms have some form of intrusion detection software to limit the risk," says Gareth Tunggatt, senior underwriter at Ace Europe.
However, while bored school children intent on making mischief by hacking into a system can be a nuisance, firms are under threat from a different form of risk. "With so many more businesses dependent on their online presence, criminals are blackmailing them with threats to bring down their sites," reports Andrew Falkingbridge, security consultant at British Telecommunications.
'Denial of service' attacks involve so-called botnets, which are networks of potentially thousands of PCs that have been infected by virus-type programmes. They are often hidden from users but can be controlled by a central operator, who will use them to bombard a site with so much traffic that it is brought down.
In terms of who is being targeted, Mr Falkingbridge says that criminals will use this form of threat on any business with an online presence. However, those that offer transactional services are particularly at risk. "Financial services companies are a common target, as are online gambling and gaming sites," he says. "For example, a criminal might threaten to take down a gambling site over the World Cup or on Grand National day, which could lose them a lot of money."
Insider theft threat
Information security dangers do not always come from a faceless cyber criminal either. "About 60% of the work we do is helping clients identify what data has been taken," says Ed Wilding, chief technical officer at Data Genetics International, adding that it is often employees who have stolen the data.
Whether an employee is disgruntled or secretly working for the competition, stealing data is fairly simple. Memory sticks can now hold 1Gb of data or more, and this information can be copied easily without anyone knowing.
The other problem is that, legally, this is not theft. "Under the Theft Act 1968, they haven't committed an offence of theft as the employer retains the data," says Mr Wilding. "However, if there is strong evidence the data will be misused they can get a search order to identify the stolen data and bring a case against them."
To combat all these types of threats, as well as the new ones that will certainly emerge, risk management is evidently key. "We'll ask salient questions about risk management when a company approaches us for insurance," says Paul Skinner, senior information, communication and technology underwriting specialist for the UK and Ireland at Chubb Insurance. "The bigger the risk, the more likely they will be to have a network review."
Shaun Cooper, network risk consultant at Aon, agrees: "Companies have to apply the same principles to the risk of cyber crime that they apply to the risk of fire. Most businesses would be affected if someone took away their phones, their PCs or their data," he explains.
The first line of defence is to invest in security measures. Most firms now have firewalls and virus detection software to keep attacks out of their networks but, according to the DTI report, few firms have adopted adequate security measures when it comes to their internal processes. For example, it found that three-fifths of businesses did not block employee access to inappropriate websites, and only a sixth scan e-mail content.
"Businesses need to improve their detection software," says Graham Hardman, underwriter at Media/Professional Insurance. "They've invested in sophisticated IT systems but need to put reporting procedures in place to control any problems."
There also needs to be a cultural change, with many commentators suggesting a return to the old dummy terminal style of computer. "Employers have become very relaxed about the amount of data that can be accessed. They need to have a robust security policy in place that is communicated to all employees and reinforced with disciplinary action if it is broken," says John O'Neill, business systems and support director at Cunningham Lindsey.
All manner of practical steps can be taken to minimise risk. Access can be restricted - which may be especially important when dealing with contractors - ports can be locked on PCs to stop data transfer to memory sticks and procedures can be put in place to ensure former employees cannot access the network. "Consider mobile devices, such as laptops and PDAs," adds Rupert Alabaster, director in the professional risk team at Miller Insurance. "A lot of data is moved around on these and it can be difficult to know what has been taken."
Even with the best security and procedures in place, things do go wrong, so business continuity plans are essential. "You can have the best security and internal functions but you still need to know what to do if there is a breach," says Mr Skinner. "Put together a PR strategy as well, as this can make a huge difference if there is an incident."
The final layer of protection should be insurance. "We would run through risk scenarios with a company to see where there are gaps in their current insurance and risk management programmes," explains Lisa Hansford-Smith, senior vice-president of Finpro at Marsh.
As well as complementing the other layers of protection, cyber liability insurance can cover a number of losses. Although policies vary, most cover first-party losses, so if the system is damaged or data is lost, the policy will cover the cost of repairing or retrieving it.
Third-party cover is also included, to pick up claims brought against a company as a result of a security breach. Some policies also have some cover for reputational loss. "Policies often include a small amount to hire a PR firm," says Bob Wice, underwriter at Beazley. "This is seldom invoked but firms like the security it offers."
However, few companies buy such specific cover. "Most companies aren't insured," explains Mr Cooper. "Of the companies in the FTSE 250, I'd be surprised if 10 had cover." But this scenario could soon change. "It is becoming a must-buy product," comments Mr Wice. He says this has become a hot topic during the past 12 months, especially among larger companies, and there is a broad enough range of cover available as well as sufficient capacity to cater for this growing demand. "When there is a well-publicised security breach, it generates more interest and awareness," he adds.
As well as a greater awareness of these insurance products, further pressures are also on the horizon that will make cover much more of a necessity. For starters, firms may no longer be able to hide any IT failings. "In many US states, companies have notification requirements if customers' confidential details are compromised," says Matthew Norris, manager of Hiscox Technology. "This is likely to become a federal law."
Closer to home, Mr Norris points to the European Union's directive on privacy and electronic communications: "At the moment, it feels like we're a long way behind the rest of the world on this. I wouldn't be surprised if we had this directive in place by the end of the summer."
As well as these moves in Europe, there are other indicators that the UK will follow the US's lead on notification. Following the Financial Services Authority fine for Nationwide's failure to have effective controls in place (see box), Mr Tunggatt expects it to become compulsory for companies to disclose incidents where customer data security is compromised.
He also expects to see credit card companies start to seek redress for security breaches. "It costs between £5 and £15 to reissue cards when the details are stolen, and I wouldn't be surprised if we started to see credit card companies passing these costs on to the company that was holding the data," he says. Such a cost, he adds, could be covered under insurance.
Even without these tougher penalties, there are reputational advantages to taking a more proactive stance on IT security. "If a company gets its security right, it's a business benefit," adds Mr Skinner. "They can promote this to customers and investors."
With an increasing amount of high-profile incidents reported, the benefits of getting security tight and right are plain.
Technology has changed the risks that businesses face, with criminals able to target them without even having to leave their home. These recent cases illustrate some of the risks that can affect businesses.
Hitting the headlines last month was a security breach at TK Maxx's parent company TJX in the US, which resulted in the theft of credit card information for at least 45.7 million of its customers around the world, including some from the UK. Upon investigation, data was found to have first been hacked in July 2005, with card details dating back to December 2002 among those stolen. Due to the way the information had been hacked, it was also impossible to say what had actually been taken. "It potentially faces lawsuits from its customers, its investors and the banks, as well as regulatory enforcement," says Emily Freeman, executive director of technology risks at Lockton International. "This incident could also result in a loss of confidence from its customers."
The Nationwide Building Society found its data security compromised when a thief stole a laptop computer from an employee's home in August 2006. The laptop contained customer information that was going to be used for marketing purposes. Although the laptop was security protected and the data it contained could not be used to commit identity fraud, the Financial Services Authority fined Nationwide £980,000 for failing to have effective systems and controls in place. In particular, it was alarmed that the building society was not aware that the laptop contained confidential information, and did not start an investigation until three weeks after the theft.
Although not a direct victim of a cyber crime, Zurich Insurance found itself involved in an investigation when its identity was used fraudulently. "A member of the public notified us last August when he was considering a job for a company called Double Easy Brokers, which claimed to be an authorised representative of Zurich Insurance," says Stephen Broderick, investigations manager at Zurich Insurance.
Double Easy Brokers, trading as Easybrokers, was offering a one-size-fits-all motor insurance policy, which it claimed was underwritten by Zurich. "We advised the police and the FSA, who issued consumer warnings and alerts that were picked up by the national press," says Mr Broderick. "We also tried to trace all the people who had bought insurance from Double Easy, and were able to track down some of these through PayPal and internet service providers."