What Can Insurers Learn from Home Depot? by Pat Speer
The fallout from Home Depot's now confirmed data breach of its payment systems runs wide and deep. After a week of open speculation in the media, the nation’s largest home improvement company confirmed that it is investigating a breach of payment transactions dating back to April 2014 (the last five months). Although the full scope, scale and impact of the breach have yet to be determined, various predictions hold that it will represent the largest cyber theft in history, with up to tens of millions of individual data records exposed.
Home Depot joins a line that already includes Target (whose December 2013 breach, until now considered the largest, exposed 40 million debit and credit card numbers and affected 70 million consumers), Neiman Marcus, Supervalu Grocery, the P.F. Chang's restaurant chain and even the thrift store operations of Goodwill, all victims of cyber-attack.
Cybersecurity fears are growing at such a pace that last week NATO leaders agreed that a large-scale cyber-attack on any member country could be considered an attack on the entire U.S.-led alliance, potentially triggering a military response. That’s a pretty hefty response, but at least NATO is paying attention.
Meanwhile, as INN reported last week, cyber-liability demand may ultimately outstrip supply. https://www.insurancenetworking.com/news/risk_management/cyber-liability-insurance-demand-expected-to-outstrip-supply-34837-1.html
It’s easy to armchair-quarterback this growing problem, and although there’s as much blame to go around as there are varieties of cyber-attacks, the bottom line is that insurers have a responsibility beyond just protecting their own data stores; they need to help their customers find ways to avoid cyber-attacks of any kind.
“You have to have the right security technology, but it’s not about the technology,” wrote Chris McMahon in a recent post. “The real threat is people, and not just criminals. The real threats are users, those who use weak passwords, give away credentials, click on bad links or otherwise exercise questionable judgment.” https://www.insurancenetworking.com/blogs/fear-this-34743-1.html
Indeed. According to a report issued last year by security technology giant Kaspersky, IT unknowingly enables cybercrime by giving cybercriminals access to systems and data through a series of misconceptions and false assumptions. In plain language, Kaspersky (www.kaspersky.com) offers 10 ways that IT departments are enabling cybercriminals today, along with practical ways, based on third-party research and analysis from Kaspersky Lab experts, to stop them.
Although most of the points below won’t apply directly to the circumstances involved in the breaches talked about in this blog, they do offer some basic, common-sense advice that insurers may be able to incorporate into their customers’ cyber-liability requirements:
Ten Ways the IT Department Enables Cybercrime
Enabler #1: Assuming the data is in the data center
Concentrate on where the data really resides—at the endpoint.
Enabler #2: Failing to recognize the value of data on mobile devices
Use of managed anti-malware, anti-theft and privacy technologies for mobile devices is a good start toward protecting mobile data.
Enabler #3: Treating laptops and mobile devices as company assets that are never used for personal use, believing that company data never finds its way to home systems
Security policies should be created for each device.
Enabler #4: Ironically, the Kaspersky White Paper did not list a Number 4.
Enabler #5: Adopting Social Media without protection
Employ technology that closely watches the traffic that traverses social media websites and blocks known malicious sites.
Enabler #6: Focusing on Protection vs. Detection and Response
Because cybercriminals today target the endpoint, robust detection and response technology needs to be deployed at the endpoint to protect it from malware designed by cybercriminals to steal data, credentials and revenues.
Enabler #7: Failing to foster a culture of awareness
It is of supreme importance that the IT staff is well educated on current threat technologies and vectors so that they can make knowledgeable decisions on protection and prevention technologies.
Enabler #8: Under-reporting security breaches
Federal law requires reporting of security breaches, but not all companies comply. Kaspersky stresses that communication is paramount.
Enabler #9: Settling for compliance
According to Kaspersky, compliance may provide an illusion of security to those who do not understand the complexities of securing the digital business world. Compliance alone should not be the end goal.
Enabler #10: Assuming everything is OK
Take a hard look at the probability of a security event in your business, advises Kaspersky.