Cyber security's 2 fronts: The tech and the peopleReprints
SAN FRANCISCO — Risk managers face a complex job in handling cyber security in that it is “extremely process oriented” while its effectiveness involves changing people's behavior.
“You're constantly fighting this battle” between the rules and “getting people to change what they need to do to make (the company) more secure,” said John Doernberg, Boston-based area vice president, cyber liability practice management, liability claims counsel, at Arthur J. Gallagher & Co., who spoke on a panel on risks at Business Insurance's 2015 Cyber Risk Summit in San Francisco Monday.
Mr. Doernberg suggested the best way to implement change is by “incremental improvements” rather than new initiatives. “Yes, you need to do different things … but you can protect yourselves a lot more if you get a little bit better at the many things you have to do across the range of your organization,” he said. Tom Kellermann, Irving, Texas-based chief cyber security officer for Trend Micro Inc., said, “You no longer need to know how to build a bullet to assassinate someone in cyber space” because toolkits and weaponry to do so can be downloaded. He spoke during the session called “So You're Not a Retailer, You're Still a Target (pun intended).”
He also warned against “secondary infections,” cyber intruders who continue to do mischief on your site even after the initial damage.
Tim Francis, Hartford, Connecticut-based vice president, business insurance, management and professional liability for Travelers Cos. Inc., also warned against situations where thieves learn something about a company and use that knowledge to create fake email chains, fooling the company into sending them money when an official is traveling overseas, for example.
In one case, he said, a transportation company bought a lot of gasoline. The thieves hacked into its fuel supplier, stole its credentials and sent a bill to the transportation company, which paid it. It was not aware of what happened until the supplier inquired about its payment, he said,
Panelists also warned about social “hacktivists” whose primary purpose may be political rather than criminal. There has been a “huge increase in actual hacking attempts from nation state-sponsored groups looking to steal information,” said Nick Graf, San Francisco-based consulting director of information security risk control for CNA Financial Corp.
Mr. Doernberg also relayed how one of his clients was notified of a breach, hired forensics investigators, spent a million dollars only to learn there had been no breach.
“Somebody was out a million (dollars). In that case, it turned out to be the insurers. You can do everything right, not have a problem and still spend a lot of money dealing with it,” he said.