Cyber criminals widen scope of industries to attack
The health care and retail sectors, among others, will continue to be primary targets for cyber hackers for the foreseeable future.
But hackers will also expand their efforts to attack all sorts of companies, say experts, who point to smaller companies, especially those that serve as vendors to larger firms, as particularly vulnerable.
Furthermore, despite companies' best practices, their efforts are generally defensive, as creative hackers keep developing ways to attack firms.
Retailers and health care entities are particular targets because of the vast amounts of data they hold. But the introduction of chip and PIN technology on payment cards may promise at least a partial solution for retailers.
Payment cards are “a significant vulnerability right now that's been identified, and companies are working toward” the new technology, “but it's costly, and it's an expense they didn't anticipate, so it's going to take some time to get established and integrated into the network,” said Peter Foster, New York-based senior vice president of network security and privacy, media, tech professional and intellectual property at Willis North America Inc.
With respect to health care, a study issued this month by Traverse City, Michigan-based Ponemon Institute L.L.C. found that more than 90% of the firms participating in its health care data security study have had a breach, and 40% have had more than five over the past two years.
There is a perception that, because of limited resources, health care does a poorer job than other sectors in managing cyber risk.
“If you look at some of the largest health care entities, they've grown partially organically, but they have also grown externally by acquisition,” said Kevin Kalinich, Chicago-based global practice leader of cyber risk solutions at Aon Risk Solutions.
“When you expand by acquisition, it's entirely difficult, complicated and expensive to integrate legacy computer systems,” he said. Furthermore, the sector has also been affected by the transition from hard-copy records to electronic health records, which has further increased its vulnerability, Mr. Kalinich said.
At the same time, “they're still trying to make their services more efficient and easier for patients to use, which is medical care's first obligation,” he said.
It is also inaccurate to say health care, retail, financial and hospitality industries have been the largest targets of cyber attacks, Mr. Kalinich said.
There have also been attacks affecting the pharmaceutical, agribusiness, manufacturing and aviation sectors, but the public is less aware of these, in part because certain industries such as health care must report this information, putting them under more scrutiny, he said.
Sarah Stephens, London-based head of cyber, technology and media errors and omissions at JLT Specialty Ltd., said she believes hospitality and anything related to travel, including airports and airlines, will become targets in particular. She referred, for instance, to a report by British Airways P.L.C. in March of unauthorized activity relating to some of its frequent-flyer Executive Club accounts.
The targets will expand over time, said Matt Donovan, Atlanta-based national underwriting leader for technology and privacy at Hiscox USA. “You have a lot of people” who search for open ports on firewalls, which basically allow them to access networks and acquire information, he said.
“Hacker criminals are opportunists, and they will attack anyone and everyone who they think will get them some return on their time and their effort,” said Robert Parisi, Marsh USA Inc.'s national cyber product leader in New York.
These will include smaller companies. “Unfortunately,” he said, “smaller companies can be more vulnerable than their larger brethren,” which is a function of large organizations having more money to spend.
“Now smaller companies are actually being used in an effort to access larger companies as a springboard,” said William P. Cosgrove, Stamford, Connecticut-based managing principal and practice leader for financial institutions at Edgewood Partners Insurance Center Inc., which does business as EPIC.
Risk managers who are securing their own hardware and assets must make sure their vendors are doing the same, or they are “going to be the entry into your system for the bad guys,” said Eric Cernak, Hartford, Connecticut-based Munich Re U.S. cyber risk practice leader for Munich Reinsurance Co.'s Hartford Steam Boiler & Insurance Co. unit.
Immediate profit is not necessarily the hacker's motive, say experts. Nicholas Economidis, Houston-based underwriter of professional liability and specialty lines at Beazley P.L.C., said hackers may be seeking intellectual property data, have a political agenda or be motivated by curiosity or to see whether they can find security flaws.
Defenders are inherently one step behind attackers, Mr. Donovan said. Companies must continually defend themselves against new threats as the hackers discover new vulnerabilities, he said.
The problem with system intrusions is that “the best-laid plans are typically being sort of second-guessed” and overcome by the hackers, said Katherine Keefe, Philadelphia-based global head of Beazley's Breach Response Services, pointing to the data breach at Indianapolis-based Anthem Inc., which she said was hacked despite its size, sophistication and considerable information technology budget.
Mr. Parisi said it is not a matter of having a zero-loss mindset, but rather one of resiliency and of how well-prepared a company is to deal with a disaster or business interruption.
“Resilience is really the issue people are looking at today,” he said.