What Sony Teaches Insurance Agents, Customers About Cyber Attacks
By now, most of you have heard about the crippling cyber attack on Sony, which the U.S. Government attributes to North Korea, though some hackers have their doubts. Regardless of who is responsible, the facts of the case are that Sony lost a great deal of credibility, damaged relationships with some of its top stars, failed to protect the data of countless employees, and, in a final bit of humiliation, was forced to pull its big Christmas Day release, the Seth Rogen-James Franco comedy The Interview.
It definitely hasn’t been a good month for the company, and considering that the hackers — Guardians of Peace — have made additional threats, it may be too early to stop worrying.
What Sony is facing is not unique; most businesses face the same kinds of vulnerabilities in their cyber infrastructure. If only there were a way to determine the risk and probability of a cyber attack so that it would be easier to plan for one.
Well, there may be.
Insurance Journal reports that risk modelers are hard at work developing tools for gauging cyber attack risk.
Reporter Luciana Lopez writes that “At least two risk modeling companies, RMS and AIR Worldwide, are trying to solve that puzzle, building a model that can help gauge how much havoc – in dollars and cents – such cyber breaches can cause.”
“Everybody’s being attacked at this point,” said Scott Stransky, manager and principal scientist at AIR Worldwide. “We’re hoping to change that game.”
Earlier this year, the Ponemon Institute, in association with IBM, did a study finding that “the average total cost of a breach in the United States was $5.9 million.”
Sony’s final price tag could top $100 million, with some reports going much higher than that.
And the scary thing is that if it can happen to Sony, it could seemingly happen to anyone. After all, wouldn’t they have the money to put the proper safeguards in place to prevent hacking? The average user or small business doesn’t have the resources to combat threats of this intensity.
About the only “high note” at this point for the little guy is that hackers like GoP prefer big fish.
Still, that’s hardly reason not to take the proper precautions. And just what would those be?
First of all, put security in the hands of people who ‘get it.’
Famed security expert Marc W. Rogers examines the Sony situation:
“Let’s face it – most of today’s so-called “cutting edge” security defenses are either so specific, or so brittle, that they really don’t offer much meaningful protection against a sophisticated attacker or group of attackers. That doesn’t mean that we should let them off and give up every time someone plays the “APT” or “Sophisticated Attacker” card though. This is a significant area of weakness in the security industry – the truth is we are TERRIBLE at protecting against bespoke, unique attacks, let alone true zero days. There is some promising technology out there, but it’s clear that it just isn’t ready yet.
“While we are on the subject, and ignoring the inability of traditional AntiVirus to detect bespoke malware, just how did whatever Data Loss Prevention (DLP) solution that Sony uses miss terabytes of data flying out of their network? How did their sophisticated on-premise perimeter security appliances miss such huge anomalies in network traffic, machine usage or host relationships? How did they miss Sony’s own edge being hijacked and used as public bittorrent servers aiding the exfiltration of their data?”
While Rogers may be right that the technologies to stop sophisticated hackers “just aren’t there yet,” he highlights the one major tool that can stop a hack before it does too much damage: awareness.
This is something Sony lacked, and an error that could be fixed by hiring people of Rogers’ ilk to help monitor and protect a network from vulnerabilities.
How does all of this apply to the independent agent? Well, for starters, it means that you have to be vigilant and aware of all your accounts, operations, etc. Agents are just as prone to attacks as Sony Pictures Entertainment, so familiarize yourself with cyber security or hire someone proficient.
Next, it opens up the line of cyber insurance as a viable product for current and future customers. Cyber insurance can pay for a variety of unforeseen costs associated with a small- or large-scale attack.
Finally, encourage your business insurance clients to get tech-savvy. Again, awareness won’t solve or prevent all problems, but it can cut off issues before they swell out of proportion.
It’s a scary world we live in, where everything you have worked for can be gone in the blink of an eye. But with new technologies being explored daily, and with your own knowledge and vigilance, the damage can be greatly minimized.