In a small, one-bedroom flat in the working-class city of Kharkiv, in the former Soviet Union, Dmytro Kozel was surfing the Internet for universities and colleges in the U.S. As a young student in the Ukraine, Kozel had more than a passing interest in advanced education. But he wasn't interested in enrolling in online classes; tonight, he wanted to break into the network of a large U.S. state university.

The university was using a Linux Unix machine and Kozel entered the server by establishing a "null session." Null is a Microsoft utility that allows services to communicate with one another without user passwords or identification. By logging on as null, he was able to capture everything he wanted to exploit: password files, user accounts and network services. None of his actions were logged or tracked by the server.

He began copying user names and found the name "backup." He tried a guessed password, "123456" (studies have shown that even the most diligent IT professionals use a simple "backdoor" password at some point). Once he had obtained entry, he grabbed the encoded passwords and submitted them to an open-sourced password-cracking tool freely available on the Web.

It took 15 minutes to decipher 70 percent of the passwords, log on as a super user and gain root access. He closed out the session by hiding his tracks behind a readme.txt file to use later. He spent the rest of the evening searching for other vulnerable sites to access in the future.

Kozel waited 2 weeks to re-enter the university network. When he returned, he found no advanced firewalls or code changes. His previous visit had gone undetected. He searched the website for the financial aid and billing office and then gathered the usernames and passwords from the administrative server.

He smiled when he began downloading the names, addresses, financial information and social security numbers of more than 47,000 students, anticipating a big payday ahead. The state university's IT department and CIO would not be aware of his actions until months later, when parents called the college to report strange activity on their credit cards.

According to Advisen, a benchmark and data research firm for cyber liability insurance, the last 6 months of cases like this have caused chief information officers at public, private and government entities around the country to lose sleep and have cost uninsured businesses that experience data breaches millions of dollars.

Some recent examples:

  • 3.3 million unencrypted bank account numbers and 3.8 million tax returns were stolen in a phishing attack against the South Carolina Dept. of Revenue.

  • The California Dept. of Social Services lost the personally identifiable information (PII) of more than 700,000 residents, including names and Social Security numbers, when a package containing microfiche, sent by the U.S. Postal Service, arrived damaged with most of the data missing.

  • The health information and PII of more than 780,000 Utah citizens were put at risk when Eastern European hackers broke into a server maintained by the Utah Department of Technology Services this spring.


A Global Perspective

But it's not just the U.S. governments, large corporations and public institutions that are susceptible to data breaches.

Dmytro Kozel will spend 16 to 20 hours a day searching, sifting and analyzing sites to hack in the U.S. and Europe. According to govtech.com, European government data breaches have increased by more than 1500 percent, with the next largest increases coming from public businesses (1380 percent) and the private sector (1159 percent). Data breaches overall, in all segments of European commerce and industry, have increased 1015 percent in the last 5 years.

The prospects for 2014 are equally daunting, according to Fishnet Security: "The majority of business owners, managers and CIOs (97 percent) stated that they believe the number of data breaches will increase."

Where are they coming from?

Security giant Symantec states that 37 percent of international breaches are caused by "malicious attacks from hackers and hacking groups." Statistics provided by Deutsche Telekom show that in one month (June 2013), there were 30,144,538 global "cyber attacks."

Although malicious attacks account for a large portion of cyber breaches, 35 percent of overall incidents arise from negligence or human error (lost laptops and system devices, inadvertent data dumps, unencrypted servers, employees susceptible to phishing and malware), and 29 percent are from IT system glitches/failures.

Hacker groups have been around since the early 1980s. The most notorious and active groups are scattered around the world in places like China, Germany, the Russian Federation, Taiwan and Hungary.

Most successful hacking groups coalesce not because of their geographic locations, but because of the unique abilities of each team member. TeaMp0isoN, formed in 2010 in the United Kingdom, was responsible for hacking Facebook, NATO and the English Defense League. Network Crack Program Hacker (NCPH) was formed in China and is known for its frequent attacks on the U.S. Dept. of Defense.

Dmytro Kozel's group, LulzSec, caused some of the most publicized breaches, including Fox.com, the CIA and the FBI. Anonymous, which Time magazine in 2012 called one of "the 100 most influential people in the world," is associated with international hacktivism and targets governments, corporations and associations that they accuse of censorship. Anonymous took credit for the largest data breach ever, on Sony Play Station in April 2011. Members commonly use the tagline, "We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us."

Like any good business team, hacker groups need specialists to build a strong cyber crime network. Dmytro Kozel works independently in the Ukraine, but his expertise in exploiting IT vulnerabilities makes him an important team member to one of the largest cyber crime groups in the world. In addition to hacking specialists, teams use graphic artists to create enticing emails, websites and other social engineering schemes designed to get unsuspecting employees to click on malicious links. Once data has been stolen, salespeople are needed to bring the product (personal information, health information, credit cards, etc.) to the marketplace. The current price for a credit card number is $10. For stolen health information, the price for each record shoots up to $50 on the black market.


How much money is lost?

According to the May 2013 benchmark report by the Ponemon Institute, the average total cost of a data breach for a U.S. business was $5,403,644. The U.S. experienced the highest total average cost followed by Germany at $4.8 million and then Australia and France, at $4.1 and $3.8 million respectively.

These numbers take into account the fact that certain industries have higher costs per breach than others. Businesses that are regulated and governed by local, state or national governments like healthcare, financial institutions, non-profits and education have higher breach costs than other industries like retail, transportation and hospitality. According to Ponemon, the average cost for each record breached for the healthcare industry is $233.

Overall, cyber attacks "may be draining as much as $140 billion and half a million jobs from the U.S. economy each year," according to James Lewis, director of technology and public policy programs for the Center for Strategic and International Studies.

Selling the coverage

No business or entity, public or private, feels that it needs to spend more money on insurance, and most small businesses believe that firewalls and passwords will protect them. Agents need to discuss cyber liability insurance needs with their customers throughout the year, not just in a last-minute rush to provide a quote at the renewal date. Provide information on data breaches that will resonate with your clients, such as proximity to their geographic location or breaches in their class of business. You can find this information on sites like privacyrights.org. This approach generates more interest than national headlines involving international multi-billion-dollar companies. Explain to your customers that general liability coverage specifically excludes electronic data and that the fines, penalties, attorney fees, notification costs and public relations costs to restore a business's good name can cost a non-insured business millions of dollars in out-of-pocket expenses.

Eventually, cyber security, cyber privacy and identity theft will be seen as a crisis that needs to be addressed with an additional level of focus. Utilizing plastic credit cards, telephones and unencrypted emails is simply too 20th century. Make sure you can explain the need and the coverage and offer a cyber liability quote for every client at renewal.
