Hackers aren’t “geniuses:” The real reasons behind most cyber attacks

By Caitlin Bronson

17/04/2015 19:29

Recent data breaches like those involving Target, Sony and Anthem have received attention for the size, scale and sophistication behind the attacks. Hackers were portrayed as well-moneyed operatives with a great degree of skill and stealth – yet in the majority of cases, hackers succeed due to simple errors on the part of company owners and employees.

According to two new reports from Verizon Communications and Symantec Corp., an overwhelming majority of cyber attacks occur because employees open or click on links in tainted emails, employers fail to address software flaws or technicians don’t properly configure their systems.

In fact, the Verizon Communications report found that more than two-thirds of the 290 hacking cases in 2014 involved phishing, or trick emails. By getting employees to click on bad links or attachments, hackers are able to steal employee credentials and access company networks, files, programs and customer information. Phishing is so effective that hackers succeed in accessing corporate databases 90% of the time – even when sending tainted emails to just 10 employees.

“There’s an overarching pattern,” Verizon scientist Bob Rudis told Reuters.

The Symantec Corp. report, meanwhile, found that despite the success rate of phishing operations, they often fly under the radar of online defenders due to their lack of sophistication. Once inside the system, however, the schemes increase in efficiency, and the hackers are able to write customized software to further avoid detection.

The report also suggested that hackers are increasingly using “ransomware,” a form of software that encrypts computer files and promises to return them only if the user pays a ransom. Even then, only 20% of hackers actually decrypt the files.

Meanwhile, costs associated with data breaches are climbing. According to the Verizon report, which was released today, the loss of 100,000 records costs a company $475,000 on average while the loss of 100 million records costs $8.85 million.

In the midst of these changing trends and increasing costs, interest in cyber insurance is increasing – though not sufficiently. That’s where independent agents may be able to assist.

“The demand [for cyber] is increasing, but not at a rate we think is quick enough,” said John Tiene, who represents thousands of agents in the Northeastern US as CEO of Agency Network Exchange (ANE). “Our job is really to educate the business owner as to the variety of exposures they are presented with and help them understand how the coverage can protect them.”

Carriers with superior products help in this effort by offering education to both agents and business owners alongside their policies. Tiene says it is currently the larger carriers that offer these services, along with more sophisticated products that can be specialized for larger clients.

Most important is ensuring agents are sufficiently comfortable with the cyber product to discuss it with clients. Going forward, failure to discuss cyber protection could be a major E&O exposure for independents.

“This should now be a standard conversation with clients because every client has the exposure at some level. A breach may only cost a client $10,000 to $30,000, but for a small business client, that is a lot of money,” said Tiene. “They may turn to the agent and say, ‘Why didn’t you talk to me about this?’

“This is a coverage need of the 21st century.”