Today’s cybercrimes put your grandmother’s spam email list to shame. According to a 2011 study by Ponemon Institute, the median annual cost of cybercrime for a large company is $5.9 million per year. Ponemon and ArcSight studied the effect of cybercrime on 50 large organizations in various industry sectors in the United States for its “Second Annual Cost of Cyber Crime” study.
Cybercrime is criminal activity conducted via the internet and includes such things as malicious codes, hacks in which private client or company information is made public or stolen and disrupting normal operation. It can be perpetrated by rogue employees, ‘hacktivists’ attempting to make a political statement or a third party seeking financial gain.
These attacks have become common occurrences. (Slideshow: 5 Notorious Data Breaches) While everyone has heard of Wikileaks and the problems experienced by Google, Sony and many major banks, smaller companies are not immune from cyber attacks. Companies participating in Ponemon’s study experienced more than one attack per company per week, a 44 percent increase from the previous year’s study. Any company that stores Personally Identifiable Information (PII) or Personal Health Information (PHI) is vulnerable to attack.
Accounting for more than 90 percent of recovery costs, the most frequent forms of cyber attacks are those resulting from malicious code, denial of service, stolen or hijacked devices and deleterious insiders. Ponemon also found that if a problem is discovered quickly, it will be less costly and less time intensive to solve. It takes 18 days on average to resolve an attack, and insider breaches can take an average of 45 days to contain.
Recovery costs fluctuated based on industry, company size and the level of protection companies employed against potential threats. Smaller companies tend to see more cybercrime related to malware, loss or theft of paper records from offices and accidental sharing of or theft of PII and PHI. Small businesses (100 employees or less) make up 72 percent of data breaches worldwide.
Ponemon did not find significant differences in cost associated with use of cloud computing, but new and often unknown threats arise with the use of new technology. In a different Ponemon study titled “Security of Cloud Computing Users,” only 47 percent of respondents believed that cloud services were evaluated for security prior to use.
Getting down to the finer details, Ponemon addressed specific costs in its “U.S. Cost of a Data Breach” study. Breaches cost U.S. companies an average of $204 per compromised record in 2009. Tim Francis, enterprise cyber lead for Travelers, noted that this number can include costs of the following:
- Technical forensics to determine the scope of the breach
- Legislative costs associated with defending lawsuits arising as a result of the breach
- Notification of victims
- Credit monitoring and crisis response often provided for victims
- Public relations to repair the company’s damaged reputation
- Lost revenue related to clients wishing to move business elsewhere
- Fines and penalties imposed in cases where information stolen or made public violates a regulatory law (such as HIPPA).
Wi-Fi and mobile devices such as laptops, tablets and smartphones pose a new set of risks. Although this technology is crucial to business practices today and allows employees to work remotely, it also means the information is no longer protected by four walls of a secure office building or a secure and monitored internet connection.
Francis cautioned that while having up-to-date technology protection is important, employers and business owners would do well to remember the “human element.” Are employees in public spaces that leave device screens vulnerable to people looking over their shoulders? Are they using unsecure or externally hosted Wi-Fi networks where security levels are unknown? Are their passwords secure? What are they storing on mobile devices? Does a company have full control over how an employee may use a personal device for business purposes, and what happens when that employee is terminated? These questions and more have uncertain answers and might involve the HR dept. working in partnership with IT.
Businesses that use Wi-Fi and also allow customers on their premises to use it as well, such as coffee shops, have a unique set of risks. Francis related a story in which the producers of a Hollywood movie brought a claim against the owner of a restaurant offering Wi-Fi to its customers. A customer had used the Wi-Fi to download a copyrighted bootleg of the movie and investigators were able to trace it to the business. This risk and more could be overlooked for many business owners installing Wi-Fi for customer use. How are business owners to determine what counts as protecting themselves and what might be an invasion of customer privacy? These questions are still new and could have varied answers.
Many companies are not prepared for cybercrime perpetrated by “hacktivist” groups such as Anonymous, which gained notoriety for disrupting several national banking websites. One problem Francis cited with large-scale blackmail threats is determining whether or not it is from a credible source. It’s easier to know what damage a previous employee of the IT department might be capable of than a third party group.
“Generally speaking, potential exposures are new and undefined, but that doesn’t mean that there isn’t a large amount of exposure,” Francis said. He had the following advice for businesses looking to improve tech security:
- Consult with an attorney about your business’s specific exposures. If you’re not making your wireless internet available to those outside of your company, your risk of dealing with a lawsuit similar to the restaurant owner’s is minimal.
- Don’t overlook the human element when it comes to secure technology. Offer comprehensive training and concrete guidelines for employees.
- Work with agents, brokers and carriers to determine what appropriate coverage is needed and that the risk/reward is understood.
- Know that there isn’t a one-size-fits-all solution to this problem, and that the problem itself is in a state of constant flux. Re-evaluate guidelines and coverage often and don’t adopt new technology without first considering the risks involved.
Wi-Fi, the internet and portable devices aren’t going away, and risks get bigger the more we rely on technology to get through a business day. Ignoring those risks and not insuring them like we do our cars, homes and lives doesn’t make sense. Travelers offers a suite of cyber risk management liability products and coverage solutions that can fit the needs of each customer. “Cyber products are being purchased more frequently, but we’re still not seeing as many companies buying this coverage as we ought to see,” Francis said.
- CyberFirst Essentials—small businesses can get coverage for a variety of cyber security breach claims and lawsuits with this option, including expenses such as notification, credit card monitoring, public relations and more. “This is a good option for small companies with a smaller amount of cyber exposure who need basic coverage at lower limits and lower cost points,” Francis said.
- CyberFirst—this coverage is specifically for tech companies and includes Tech E&O liability, network and information security liability, communications and media liability and expense reimbursement.
- CyberRisk—this coverage option is broader in order to match the needs of various industries and company sizes with ten separate coverages including network and information security liability, e-commerce extortion, computer fraud, security breach remediation and notification expenses, and regulatory defense expenses.