Risk Management Solutions: Response to Cyber Threats and Cyberterrorism

As business grows ever more dependent on the Internet, the battle to keep corporate networks safe grows ever hotter and more costly. Security experts had called 2003 the worst year ever for computer viruses. It may not keep that title long: just four weeks into the New Year, the fastest-spreading computer virus ever hit computer networks worldwide.

The Mydoom virus sent 100 million infected e-mails in the first 36 hours, and accounted for roughly a quarter of global e-mail traffic on Jan. 26, 2004. The previous record-holder, last year’s damaging Sobig virus, accounted for one in 17 e-mail messages sent at its peak and infected 500,000 computers. As potent as Mydoom was, it was only the latest example of the flood of malicious code that courses through the Internet.

Dozens of viruses are launched onto the Internet every day, hundreds every month. Two decades after the term computer virus was coined, there are now more than 80,000 viruses in existence. Highlighting the danger posed by computer viruses, the U.S. government announced a nationally-coordinated alert system for such threats in January even as Mydoom was rampaging across the Internet. The threats posed by viruses are growing rapidly, making computer security an essential part of a company’s overall risk management program.

A threat to financial stability
Computer viruses not only hit a company’s technology infrastructure, they can hurt its bottom line. A small bit of malicious code can disrupt business, damage files, destroy critical data, hinder communications, keep employees idle, prevent customers or clients from doing business and potentially expose a company to legal liabilities. While corporate computer security spending has been growing, businesses need to recognize that they cannot foresee and protect against all threats. For that reason, companies should consider a technology liability insurance program to complement their computer security efforts.

While headlines carry somewhat fanciful names for viruses, the damage they cause is altogether serious.

Over the past year, viruses such as Sobig, Blaster and Slammer have caused widespread disruptions. Slammer temporarily knocked out most of one national bank’s automatic teller network. Sobig disrupted East Coast freight and passenger rail traffic and hobbled Canadian airline reservation systems. Computer security experts have speculated the huge blackout that hit the Northeast last summer may have been exacerbated by Blaster, which hit the Internet a few days earlier. The slowing of real-time data back to electrical system operators due to the network congestion caused by Blaster may have kept them in the dark about the true state of the power grid. Recently, a popular online payment system was hit with a blended spam-and-virus attack using an e-mail that purported to be from the company in a bid to get customers to surrender private information, a scam known as “phishing.” At the same time, the virus would send itself out to all the e-mail addresses stored on the hard drive.

Emerging threats
As the latest outbreaks have underscored, new threats are emerging all the time. As software companies rush new products or updates to market, security glitches inevitably emerge. This has led to an ever-increasing number of patches to fix the flaws. Hackers actively monitor Web sites for the announcement of those patches in order to write new viruses to exploit the flaws before users can inoculate their computers. Computer criminals also are actively seeking to mount “zero-day” attacks that exploit unrecognized flaws. Along with an increase in the sheer number of viruses that hit the Internet, has come an increase in their sophistication.

The Mydoom virus was spread not only by e-mail, but also via file-sharing software. Hackers have moved far beyond Internet graffiti and virtual vandalism, they are creating e-mail borne viruses and worms that can leave behind Trojan horse programs to track a user’s keystrokes and harvest sensitive information, such as credit card numbers. The recent Bagle worm, or self-replicating virus, didn’t just crawl through address books. Rather, it aggressively sought out e-mail addresses in text and other files. It also opened a back door to allow the virus author back into infected computers. Other viruses can leave computers open to be controlled remotely and hackers were actively scanning the Internet to find machines infected by the Mydoom virus for this purpose. The infected machines can be turned into “zombie” computers to send spam or mount future coordinated assaults on the Internet or even against a specific target.

Two versions of the Mydoom virus carried programs to use infected computers to launch later attacks against Microsoft and a smaller software company, SCO Group, whose Web site was then knocked out by the onslaught. The Sobig virus was programmed to instruct infected computers to download an unknown program from specified computers, but the FBI helped quash that threat. The growing use of instant messaging and devices such as smart phones may open up new avenues of infiltration. There is also the danger that current viruses are only probing attacks to find weaknesses for more damaging viruses to come. That includes the threat of cyberterrorism against critical infrastructure.

IT security—top priority
Because virus writers never stop seeking new opportunities, businesses need to be just as vigilant. Security must be a priority not just for corporate IT departments, but for risk managers and the whole enterprise. Companies need to know who has access to their systems and how. Security policies should be enforced from the network to the laptop. People are one of the biggest vulnerabilities in any system. At one brokerage house, a disgruntled former employee was able to launch a computer virus that hit about two-thirds of its computers, causing about $3 million in damage. The employee had hoped to profit from the damage he caused by selling the company’s stock short. Careless employees may infect a network by clicking on an unknown attachment or unwittingly downloading a virus from a file-sharing service. Hackers prey on that carelessness with e-mail subject lines from “Hi” to “Delivery Error” in an attempt to trick unwary users to download viruses. They may forge e-mail headers to look like the message was sent from a trusted company, a move known as “spoofing.”

Beyond educating employees, companies need to establish and maintain adequate computer hardware and software defenses. That includes installing robust firewalls, hardening and properly configuring network routers, using and updating anti-virus software, and installing patches for vulnerabilities as soon as they become known. Systems should be tested rigorously and often to make sure they are secure. On top of the security measures, businesses also need to plan adequately in case they are hit by a virus. That includes having sufficient back up systems so that a mission-critical system can be taken off-line if it is infected, critical data should be backed up frequently.

Patrick Donnelly, managing director, technology and professional risk, Aon Financial Services Group, comments on the vulnerability of an organization’s information systems, “Reliance on networked systems and information assets continue to grow, and curious, malicious or careless members of the network global economy continue to pose a serious threat to individuals, corporations, and governments.”

The most thorough computer security program, however, cannot protect against all threats. The proportion of corporate IT budgets spent on computer security has quadrupled in the last five years to roughly 10 percent, according to Good Harbor Consulting. Yet, just over half of senior security executives say they are only “somewhat confident” about their IT security measures, a survey by CSO magazine showed. There is reason for concern. New threats emerge every day, and there is always the potential for a virus that damages a company’s computer systems, causes it to lose critical data, disrupts business, damages its reputation or opens it up to legal claims from another company. Technology and professional liability insurance can help bridge the residual risk that prudent logical security measures cannot effectively eliminate. Such insurance policies can include technology and Internet E&O coverage, electronic media liability, network operations security liability and cyber-extortion.

The danger from computer viruses is here to stay. In today’s interconnected world, there may be trade-offs between heightened security and greater convenience for employees, suppliers and clients. Technology that makes work easier, however, may create opportunities for hackers. A vigorous and vigilant computer security program is a must. But computer security is no longer just a concern for the IT department, it’s a critical issue for the whole enterprise.

“There is now a much better idea as to which risk management technique to apply to various threat scenarios. As a result, we’ve seen an increase in all areas—security spending, awareness programs, and contractual transfer of risk to business partners and insurers,” Donnelly said.

Ultimately, risk managers should work with their IT department to ensure that a company’s security systems and procedures are the best possible, and work with an insurer to protect against the new and unexpected threats. Brad Gow is vice president of business
development for ACE Professional Risk, a part of ACE Diversified Risk, where he is responsible for Technology E&O product development as
well as overseeing Technology E&O underwriting operations. Gow has more than 15 years experience in product development for professional liability and cyber risk exposures and developing network security, incident response and forensic computer investigation
services for the insurance industry. ACE USA, a U.S-based operating division of The ACE Group of Companies, is headed by ACE
Limited.