
Companies struggle to manage evolving cyber threats in wake of Target breach

Target data breach changes perception of risk for all organizations


The cyber attack on Target Corp. last December showed the scale of the problem organizations face in guarding data, and attacks since then have shown how difficult it can be to find a solution.

Criminals are becoming even more sophisticated in the way they attack company networks, and organizations need to devise response plans prior to an incident, cyber security experts said.

The search for answers on how to address the rising number of cyber attacks was a recurring subject during the Risk & Insurance Management Society Inc.'s annual meeting in Denver last month.

Mario Vitale, New York-based CEO of Aspen Insurance Holdings Ltd., said while insurers have been crafting cyber products for years, Target's recent problems have made the issue top-of-mind for risk managers and corporate boards.

“You are seeing losses every day from cyber risk, but Target was a watershed event,” Mr. Vitale said in an interview. “Retailers that previously didn't buy coverage are now buying it, and many that were already buying it are now opting for bigger limits.”

Christopher J. Giovino, Wilton, Connecticut-based director of Aon Risk Solutions, said the brokerage has charted an increase in cyber extortion, where a company's data is compromised and held for ransom by hackers.

“Cyber loss knows no bounds and doesn't respect your business size,” Mr. Giovino said.


If the data breach at Target reinforced the potential scale of damages, the discovery of the Heartbleed vulnerability reinforced how difficult cyber attacks can be to detect, said security expert Jason Healey, director of the Cyber Statecraft Initiative for Washington-based think tank The Atlantic Council.

Speaking during a briefing, Mr. Healey said even the most conscientious risk managers and chief information security officers were caught flat-footed by the Heartbleed bug, which defeated a popular encryption method used to secure Web communications.

“Heartbleed showed that we were all critically vulnerable to something that we hadn't even heard about,” Mr. Healey said. “Attackers will always have the high ground because we have to defend everywhere all the time and they only have to get it right once.”

Indeed, during a panel discussion, experts said hackers continually change tactics to extract information and money from companies.

Steve Visser, Denver-based managing director of disputes and investigations for Navigant Consulting Inc., said criminals have put new spins on timeworn tricks.

“While phishing-type attacks have been going on for a while, what we are seeing more lately is perpetrators using stolen credentials to get into payroll systems or benefits management websites in order to divert payrolls,” he said.


While cyber risks vary according to organization and type of data managed, Katherine Keefe, Philadelphia-based head of breach response services for Beazley Group P.L.C., said companies in the health care industry hold data particularly desired by thieves.

The recent push to convert to electronic health records has provided a target-rich environment for hackers looking to obtain Social Security numbers to file fraudulent tax returns. “The vulnerabilities of this industry are well-known by data thieves,” Ms. Keefe said.

Panelist Theodore J. Kobus III, New York-based partner at Baker & Hostetler L.L.P., recommended companies take a measured response. For example, a company that immediately calls in law enforcement officials before conducting a thorough internal forensic examination of the breach may find its computers seized by those officials.

Accordingly, he suggested organizations craft a simple, relatively short incident-response plan that can be easily digested and used to deal with a cyber attack before informing authorities.
