What is cyber and why does it matter to insurers? In many ways, cyber is anything computer-based; any object with computer programming and coding that performs a series of actions based on commands can be considered cyber. Spreadsheets calculate mathematical equations; word processing documents obey formatting commands and check spelling and grammar. Cellphones work as telephones but also as calculators, cameras, timers, video games, can access the internet and perform a variety of other functions.
Today’s society is functionally connected to computers, and with advanced integration of computerized components into virtually every watch, appliance and automobile, this connectivity increases every day. Increased connectivity subjects society to cyber vulnerability in even the most mundane daily activities, from opening a refrigerator door to brushing teeth with an electric toothbrush.
An overview of cyber requires at least a general knowledge of the most common terms associated with the various types of cyberattacks. Several of the most commonly used terms are defined here, but as cyber vulnerabilities increase, so also do the terms that define them. Additional terms can be found in online cyber dictionaries.
Common cyber terms
Cyber: Relating to or involving computers or computer networks, information technology and virtual reality.
Cyber Risk: The possibility that data, a collection of facts or information, will end up in the hands of someone not authorized to access that data and who can use the data in a manner that is harmful to the entity storing the data or to the subject of the data.
Cybersecurity: Activity or processes employed to safeguard and protect assets used to carry and store information and defend it against damage, unauthorized use or modification, or exploitation.
Hacking/hacker: Hacking is the unauthorized access of a computer system or network with the intent to gather information, disrupt operations or otherwise alter existing programs. A hacker is a person accessing the computer system or network, often an expert programmer or someone skilled in hacking. In order to hack into a system, the hacker looks for weaknesses in the security systems. White hat hacking is hacking into a system for legitimate purposes.
Identity theft: Identity theft occurs when an imposter uses the name or personal identification information of a person without their knowledge to set up or use bank accounts, credit accounts, government benefits, or take actions affecting the victim’s reputation, often leading to adverse outcomes for the victim.
Malware: Software designed to disrupt, intrude or otherwise damage a system’s software. Short for malicious software.
Personally Identifiable Information (PII): Information that can be used to identify a particular individual from other individuals. Social security numbers, dates of birth, medical information are all considered personally identifiable information.
Phishing: Attempts to extract sensitive information from individuals such as names, dates of birth, account numbers, etc., by posing as a trustworthy person or organization. Users may be directed to a fake but genuine looking website, and the request for data appears legitimate.
Ransomware: A form of computer malware that can be covertly installed on a victim’s computer, holding the user hostage from being able to operate unless they comply with the demands of the attacker — to regain access, the user typically has to pay a ‘ransom’ in exchange for unlocking the system. The ransom is often to be paid in some form of cyber currency.
Security breach: A security breach occurs when an organization’s data security systems have been accessed by an unauthorized user to access data, services, networks or devices. The data may then be corrupted, stolen, sold, held for ransom or transmitted for view.
Spyware: Software that is secretly installed into an information system without knowledge of the system owner or user.
Trojan/Trojan Horse: A program disguised to look authentic, making it difficult to distinguish it from the actual program. Once a user goes into the program, it executes malicious tasks such as destroying files, altering information, stealing passwords or other information. Unlike a virus, a Trojan cannot replicate and spread to other systems.
Virus: A malicious program that infects a computer by copying itself and corrupting or modifying existing files. It may then spread to other systems by way of the original victim’s data.
Worm: A self-replicating, self-spreading malicious program that can copy and spread itself without the help of any other program. Worms and viruses are similar but different in that a virus needs an external command from a user or hacker to run its program, while a worm hits the ground running all on its own.
Cyber basics
Hacking occurs when someone without authorization accesses a computer system to copy, modify or destroy data. The hacker is the person accessing the system, typically someone with significant knowledge of computer programs and systems, so that they can bypass existing security systems and access data even if it is behind a firewall. A firewall is a program designed to keep users from accessing suspicious sites that could install a virus on their computer system that also prevents hackers from accessing the system from the outside, ensuring that the system remains secure.
A hacker may access private information and sell it on the black market, may lock users out of their own accounts and hold the data for ransom, or input malicious code into the system and spread a virus through multiple systems. Any data stored in a computer is at risk of being hacked, and there is no practical way that an individual or business can function without being exposed to some sort of data vulnerability.
Typical data that is stolen includes account passwords, account numbers, birth dates, names, addresses and social security numbers. With a combination of different pieces of data, a hacker can use the stolen information to open credit cards, make purchases under the victim’s name, create a new identity using the victim’s information, or expose the individual’s personal medical or other private information.
An organization can be at risk not just from a customer data standpoint, but also when they are storing proprietary information that could provide competitors an advantage. Everything stored on a network, from strategic plans to product formulas and customer lists, can potentially be at risk. Practically every item is tracked by computer — from its development, marketing, manufacture, distribution and purchase by the end customer.
All along the product chain, there is the exposure of data; the greater the connectivity of each supply chain, the greater the exposure. These risks must be acknowledged and identified before preventative action can take place. Multiple layers of security can slow down an attempt at hacking and provide an opportunity to flag that something is amiss. Close monitoring is absolutely necessary. Identifying the weaknesses that make data vulnerable is the key to effective cybersecurity.
Unfortunately, cybersecurity is not as strong as it should be in the majority of companies. With multiple cyber threats to an organization, it is hard for some organizations to prioritize which to deal with first — profit or cybersecurity measures. Small business databases may be more susceptible to exposure only because they may not have the resources to protect the data. Lack of funding makes it difficult to employ the proper staff and install the proper software necessary to prevent or address any cyber breaches and, if an attack does occur, address the aftermath.
Another issue is not reporting a breach immediately, especially for companies interacting with the public. They fear the loss of reputation but may fail to realize that any delay in reporting a breach makes it that much harder to contain and recover, especially if funds have been stolen and not just data.
So how do companies deal with these and other risks? The first step is to identify them. For example, identify how many other sites are accessed through the company’s systems; what is ordered online; what email lists employees are on, professional or otherwise. Is customer data transferred to another organization; if so, who has access to the systems, and what is necessary for them to use the system; are employees able to access the internet freely, or are there restrictions in place? These are just some of the ways to identify risks.
One of the key ways to protect data is employee training. Far too often, employees use simplistic passwords because they are easy to remember. Short and simple passwords are practically a gift to hackers, making it exceedingly easy for hackers to access any system. Likewise, employees need to be taught to beware of illegitimate emails that appear genuine. Many times, hackers will use a threatening or demanding type of email that appears to be from a vendor or company management to fool someone into opening an attachment. This is one of the most simple and effective ways for hackers to enter a company’s computers.
Cybercriminals only need one small business lapse to gain entry to a much larger network. Often, the lack of internal controls allows for numerous opportunities for theft. According to Microsoft, criminals can pose as insiders within a network for more than three months before being detected, and when they do steal data, the breach costs the average company about $3.8 million. According to the Ponemon report, costs related to cybercrime and remediation lead to 60% of small to medium-sized businesses failing within six months of a cyberattack.
Cyber insurance
Insurance is available to protect a business against cyber events, and an individual can purchase credit monitoring and identity theft protection. There are now more than 500 insurance companies offering either stand-alone or package cyber policies. A good broker can assist insureds in helping them to manage cyber risks and seek out coverage that will meet their needs.
Remember, the best defense is a good offense. Nowhere is this more important than in the area of cybersecurity.
Karen L. Sorrell, CPCU, (ksorrell@alm.com) is an editor with FC&S Online, the authority on insurance coverage interpretation and analysis for the P&C industry. It’s the resource agents, brokers, risk managers, underwriters, and adjusters rely on to research commercial and personal lines coverage issues. Visit www.NationalUnderwriter.com for more information.
Related: