The unknown hackers rely on established Internet Service Provider (ISP) systems to manipulate data paths. In one case study from August, information sent from an office in Denver to another location in the same city was handed off to a provider in London, where it was diverted to Iceland, sent to Montreal, then to Chicago, New York and several U.S. cities before landing in Denver—milliseconds later.

“People used to transmit private, dedicated communication for important traffic via an intra-office line, but now enterprises are using the Internet,” says Cowie. “They assume that data passing from one city branch to another goes through a direct line, but on the Internet, the path it takes depends on hidden variables providers don't see.”

An MITM scheme's geography may be intricate, but its execution is literally grabbing chunks of random, unencrypted data (“Whatever is being transmitted” from a location at that time, according to Cowie) and snooping through it to find something interesting for hackers to use.

Whether employee or customer data, medical information, Social Security numbers—“just the fact that it may have been looked at” is enough to create legal problems for an entity, says Tim Francis, vice president of portfolio management at Travelers Bond & Financial Products.

Nearly all states now require companies to notify potential victims of a data breach, which will often involve customers across several states and incur notification costs and credit monitoring, which can be covered by a cyber policy. However, says Francis, the greatest cost of data breach is uninsurable, which is “never having customers do business with you again”.

The way companies respond to and learn from a breach determines its fallout as much as prevention, which is a great creative challenge to businesses around the world in the absence of wider regulation.

The U.S. Department of State's International Traffic in Arms Regulations (ITAR) requires all manufacturers, vendors and exporters of defense-related technical data and services to register with the Directorate of Defense Trade Controls (DDTC). But when a financial company's data is leaked, it is our defenses that come down.

“No organizations can be completely self-sufficient in cyber security in 2014,” says Jacob Rosengarten, executive vice president and chief enterprise risk officer of XL Group. “It will take a partnership with specialized companies, whether hiring companies to attack you to see where your weaknesses are, to creating industry associations [surrounding cyber risk].”

For now, the Internet is a poorly-understood system where traffic travels murky and undetermined paths.

“We can't all afford to become experts in the Internet, but if we all pay a little more attention we will all benefit, just like we all benefit from better prices and choices when a market is more transparent,” says Cowie.