Ransomware hacks an emerging risk for companies

SINGAPORE — “Ransomware,” a type of hack whereby a company's employees innocently click on a malware link that apparently originates from inside the company and a message appears saying all of a company's data will be encrypted and inaccessible unless a ransom is paid, has so far been confined to a large extent to Australia, a Microsoft Corp. security executive said.

But, “I know it's coming” elsewhere, said Pierre G. Noel, Singapore-based chief security officer for Microsoft Asia.

One of several speakers discussing cyber risks during the inaugural Asian Risk Management Conference Dec. 8-9, sponsored by the Pan-Asia Risk and Insurance Management Association, Mr. Noel said cyber attackers have also been launching “dark hotel” attacks, in which top corporate executives' computers are hacked during their hotel stays.

The cyber attackers introduce their malware when the executives hook up their computers and sign on, Mr. Noel said.

Part of the advice he offered to address cyber attacks is that companies classify their data in terms of importance.

“If you protect your paper and diamonds with equal vigor,” he said, then “you don't have security. No classification means you have no clue what is your crown jewel from what is garbage.”

He also warned against hiring cyber consultants who propose principles that are unaligned with the organization's culture. “Don't forget the corporate culture,” he said.

Firms also need someone who is responsible for the organization's security “and he or she knows it,” Mr. Noel said. You have no security “unless you have that,” he said.

“Behind every security problem is a human being,” he said. “Training someone once a year will not address the problem.”

“All of us have to work with our organizations to make them more resilient,” said Julia Graham, president of the Federation of European Risk Management Associations, who also spoke during the session.

Risk managers have a tendency to step away from the subject of cyber risks and tell their firms' chief information officers “it's your job” to address the problem, “but we have to step up as risks managers,” said Ms. Graham, who is also director of insurance and risk management at law firm DLA Piper L.L.P. in London.

“You need to be up there understanding these issues and working with CIOs and others within your organization,” she said.

Ms. Graham also recommended against an overreliance on cyber security standards, in part because the long time it takes to develop them could make them outdated. Furthermore, if you work for a small or medium-size company, they “often don't work for you. They're too complicated,” she said.

What happens after a breach occurs can be more damaging then the breach itself, said Michael W. Smith, New York-based chief operating officer, global commercial insurance, at AIG Property Casualty, a unit of American International Group Inc.

“Bad news spreads really fast, and your reputation can be damaged in an afternoon, so how you respond and how you treat your customers is important if you do have a breach,” Mr. Smith said.

Marco Gercke, director of the Cybercrime Research Institute in Cologne, Germany, said during a session that firms that have not necessarily done anything wrong can still be victims of cyber-attacks.

Sony Corp., for instance, has invested millions in its data security, yet was victimized in 2011 and again recently, said Mr. Gercke, referring to the 2011 hacking of Sony's PlayStation Network, as well as last month's massive data breach of its Sony Pictures Entertainment Inc. unit.

Once companies realize that “100% prevention is not possible,” they may then prepare their resources for responding to such attacks, Mr. Gercke said.

Mr. Gercke also advised companies to focus on third-party vendors when they address cyber issues. Some companies may have as many as thousands of pages of instruction on how to address cyber risks in their own firms, but “what a lot of them forget is the vendors,” he said.