About 40% of cyber claims arise from hacking and network intrusion, says Zurich’s Tim Stapleton. Here, he gives a step-by-step account of mitigating the risk

Tim Stapleton Zurich

Every hour of every day the number of cyber attacks on the UK exceeds 1,000. They could come from a teenager in a bedroom, a disgruntled company employee or a sophisticated Chinese cyber gang looking to steal data. Regardless of the source, however, most security experts agree that organisations are facing an increasing number of hacking attacks.

Some of these attacks are obvious: data theft, system shutdowns and social media takeovers. Think back to the Target attack in 2013, when credit card details of 40 million customers were stolen; the South Korean attack earlier that year that shut down banks and TV stations for up to five days; and ongoing attempts to derail high-profile organisations such as Mastercard, PayPal and eBay.

It is not surprising then that cyber risk was identified as one of the top five threats for financial institutions, in a survey conducted by StrategicRISK and Zurich this month. A staggering 65% of investment and retail banks as well as insurers said cyber was among their top five risks.

“Looking at insurance claims history, between 30% and 40% of cyber-related claims arise from hacking and network intrusion,” says Tim Stapleton, global underwriting manager at Zurich.

“The nature of information that financial institutions hold makes them very vulnerable to targeted attacks,” he adds.

“It is inevitable that perpetrators – whether internal members of staff or external hackers – will be successful in their endeavours to either harm the company and/or steal data for their own benefit,” he adds.

For this reason, Stapleton says a more effective approach to dealing with cyber risk is for businesses to consider how to manage an attack once it has surfaced, rather than to focus solely on preventing the inevitable.

Here, he outlines five key steps in the fight against cyber crime.

1. Adopt ‘least privilege’ or need-to-know accessibility policies

First turning to insider fraud, one of the most effective methods against this crime is to enforce what is known as ‘least privilege’ or need-to-know accessibility. These policies stipulate that each employee is provided with the smallest set of privileges, or access to restricted or sensitive information, necessary to complete the job. We have seen companies fall short by providing too many employees with more access to sensitive data than they need to do their jobs.

2. Segregate your data

For all types of cyber attacks, it is advisable that companies segregate their data so that sensitive information is not found in one place. This means that if an attacker breaks into certain systems, they are limited in what they can access.

3. Install encryption technologies

Encryption is one of the most effective existing mitigation strategies. Many attacks are smash-and-grab incidents, where perpetrators get in, take as much information as they can and get out. They are generally looking for a target of opportunity, and plain-text data is absolutely a higher target of opportunity than protected and encrypted data.
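Steps 2 and 3 together describe field-level encryption at rest with the key kept away from the data. The following Go program is an added illustration of that technique; it is not Zurich’s or Stapleton’s code and the article describes no implementation. It assumes a 32-byte AES-256 key held in application memory as a stand-in for a key in a KMS or HSM, and uses a constructed two-row customer table with the standard test card numbers 4111111111111111 and 5500000000000004. Each card number is sealed with AES-GCM and bound to its row ID, so a copied table yields no plain-text card numbers, a ciphertext moved between rows is rejected, and a dump taken without the key cannot be read.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one row of a constructed customer table. Only the card
// number is sensitive; ID and name stay in the clear so the table is
// still searchable.
type Record struct {
	ID      string
	Name    string
	CardEnc []byte // nonce || AES-256-GCM ciphertext of the card number
}

// Vault wraps the data-encryption key. Assumption for this example: the
// key lives in application memory; in production it comes from a KMS or
// HSM and never sits on the database host alongside the data.
type Vault struct{ aead cipher.AEAD }

func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts one field under a fresh random nonce and binds the
// ciphertext to recordID via the additional data, so a value lifted from
// one row cannot be replayed into another.
func (v *Vault) Seal(recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open authenticates and decrypts; a bit flip, a wrong key or a wrong
// recordID returns an error instead of garbage plaintext.
func (v *Vault) Open(recordID string, blob []byte) ([]byte, error) {
	ns := v.aead.NonceSize()
	if len(blob) < ns+v.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return v.aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
}

// BuildTable stores constructed sample customers with the card number
// encrypted per row. The PANs are well-known test numbers, not real cards.
func BuildTable(v *Vault) ([]Record, error) {
	sample := []struct{ id, name, pan string }{
		{"cust-0001", "A. Customer", "4111111111111111"},
		{"cust-0002", "B. Customer", "5500000000000004"},
	}
	var rows []Record
	for _, s := range sample {
		enc, err := v.Seal(s.id, []byte(s.pan))
		if err != nil {
			return nil, err
		}
		rows = append(rows, Record{ID: s.id, Name: s.name, CardEnc: enc})
	}
	return rows, nil
}

// DumpContainsPAN is the smash-and-grab view: an attacker copies the whole
// table. It reports whether the card number appears anywhere in the bytes.
func DumpContainsPAN(rows []Record, pan string) bool {
	needle := []byte(pan)
	for _, r := range rows {
		if bytes.Contains([]byte(r.ID+r.Name), needle) || bytes.Contains(r.CardEnc, needle) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	rows, _ := BuildTable(v)
	fmt.Println("dump exposes card number:", DumpContainsPAN(rows, "4111111111111111"))
	pt, err := v.Open(rows[0].ID, rows[0].CardEnc)
	fmt.Printf("legitimate read: %s (err=%v)\n", pt, err)
	_, err = v.Open(rows[1].ID, rows[0].CardEnc) // ciphertext moved to another row
	fmt.Println("swapped row rejected:", err != nil)
	other, _ := NewVault(make([]byte, 32)) // attacker without the real key
	_, err = other.Open(rows[0].ID, rows[0].CardEnc)
	fmt.Println("wrong key rejected:", err != nil)
}
```

The segregation point from step 2 is the key boundary: the database holds ciphertext, the key holder is a separate system, and an intruder who reaches only the database gets nothing useful. Binding each field to its row ID with the additional data costs nothing and stops the cut-and-paste attacks that unauthenticated encryption modes allow.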

4. Install malware detection software

Malware protection and prevention is absolutely vital. Many data breaches in the retail sector are caused by malware that sits on companies’ systems and networks for months without detection. Malware detection software and patch management (the procedures and technologies responsible for keeping computers current with updates) are key in preventing such attacks.

5. Hold your vendors to high standards

Third-party vendors have accounted for a high percentage of breaches. In many cases, companies are not adequately vetting the information security and privacy risk management controls that third parties have in place and to whom they entrust sensitive information. It is important to have a stringent set of criteria in place to use as a basis for evaluating new and existing vendors and business partners. In addition, it is best practice to specifically address indemnity and insurance protections in contracts in case of fraud or data breach issues.