AIA Warns All Businesses on Dangers of Cyber Threats

August 15, 2003

The proliferation of the “MS Blaster” worm this week clearly demonstrates just how vulnerable both private and public sector entities remain to an ever-growing variety of cyber threats, according to the American Insurance Association (AIA).

In response, the insurer group urged businesses of all types to immediately institute preventative measures to mitigate the devastating losses that can occur as the result of cyber crime, cyber mischief, and/or cyber mistakes.

“Vigilance is key,” Eric Goldberg, AIA assistant general counsel, commented. “There is absolutely no doubt that the best defense against a number of cyber risks confronting businesses today is a well-constructed loss control program. Unfortunately, way too many businesses and individuals still wait for the latest high-profile outbreak or threat before focusing on and updating their own system security. That could be a very costly mistake.”

As the global economy has become increasingly dependent on technology, cyber crimes have continued to escalate; they include not only creation and distribution of malicious code (like viruses, worms or Trojan horses), but also unauthorized access by insiders (employees) and outsiders, theft of proprietary information, identity theft, software piracy, disruption of network traffic, financial fraud and electronic espionage.

Cyber-crime reportedly costs American business an estimated $14 billion annually, and the situation is getting worse.

The Computer Emergency Response Team (CERT) at Carnegie Mellon has found that the number of reported security incidents increased from 21,756 in 2000 to 82,094 in 2002, with 42,586 reported in the first quarter of 2003 alone. In its latest annual survey on cyber risk, the St. Paul Insurance Companies found that 90 percent of responding companies had detected at least one electronic breach of security in the previous 12 months, with 80 percent of those acknowledging a financial loss due to a breach.

While these numbers are alarming, they do not present the full picture of the frightening potential for loss. Just as dangerous to a company are internal threats, such as employees who inadvertently forward harmful computer code or attachments, give passwords to unauthorized users, violate other organizations’ copyrights, or fail to properly apply a patch to affected computers.

Despite this multitude of threats, much of corporate America remains vulnerable when it comes to electronic security. “The better course of action,” Goldberg said, “is to be proactive. Identify potential loss exposures, plug any holes that are found, and implement strong all-employee policies before any system weaknesses are exploited.”

AIA and its member companies offer the following tips for businesses to manage cyber-related risks:

*Conduct a comprehensive top-to-bottom analysis of network and informational assets, evaluating potential weaknesses. Regularly monitor any identified vulnerabilities.

*Make the cyber-risk management process an enterprise-wide priority and responsibility. Include all departments. Do not “silo” the process within the information technology department.

*Implement procedures for all employees to follow regarding data protection and access, including such key topics as changing passwords and screening e-mails and attachments. It is essential to educate employees about these procedures.

*Use appropriate, up-to-date security technology, including anti-virus programs, firewalls and intrusion detection software (IDS). Apply updated patches and other fixes on a regular basis.

*Implement routine backup procedures and maintain off-site storage of backup data.

*Create a contingency plan to ensure business continuation in case of disaster. Document your network (hardware, software applications) and keep it up-to-date.

*Evaluate and be clear on the details of existing commercial property and liability insurance coverage. Determine if extra financial security, in addition to insurance, is warranted. Some cyber-related losses are not covered by standard commercial policies.
