From the client, to the underwriter to the hacker, what are the big IT issues?
Aiden Fitzpatrick, IT director, Wiggle (internet sports retailer)
“The most prevalent issue at the moment is distributed denial of service (DDoS) attacks. There seems to be an epidemic of them. It’s not something that businesses tend to want to talk about publicly. We haven’t been the victim of one, but I do know of several really big e-commerce businesses that have.
“The attackers are able to muster a very large amount of bandwidth and a large number of connections, making it easy to overwhelm other systems. Generally it’s a lot easier to attack than it is to defend, and many businesses don’t have the ability to mitigate these onslaughts.
“There’s definitely a challenge in the UK over how to deal with these attacks from a legal perspective. In the past there was a hi-tech crime unit; now you have to report a DDoS at a normal police station.
“There’s also fraud, which on the whole poses less risk to the business; it’s not the same as somebody turning off a website or taking all of the money. They may get an amount of stock off us - and that’s fairly challenging - but it is manageable.
“Abiding by payment card industry guidelines means we don’t hold any credit card data ourselves. If someone did break into our network, they couldn’t get hold of other people’s payment details. We just don’t have it there to lose.”
The national broker
Ben Beeson, global technology and privacy partner, Lockton
“We’re the only team in the market that straddles the Atlantic, with one team in the USA and one in London. It’s only now that these risks are appearing outside of the USA.
“We’ve found the best way of staying ahead of emerging technology risks is to be on top of two agendas: how privacy laws are changing and IT security.
“On privacy, we work closely with the USA and stay current by engaging top law firms. In information security, partnering with the major IT firms helps us to understand the new threats coming over the line, and how best to address them.
“One example of that last year was the politically motivated hacker groups Anonymous and LulzSec: the whole concept of hacking for political reasons and not for monetary gain was new.
“The barrier to entry is becoming higher in terms of specialising on this within the insurance industry. It isn’t easy, but the opportunities get bigger as the risks get bigger.
“Most brokers who haven’t been doing business with the USA haven’t developed the expertise. That will change quite quickly.”
Iain Ainslie, technology and cyber liability underwriter, ACE
‘Cyber is an emerging insurance market, and although the risks have been there for some time, the increase in the number of attacks and the national press coverage some of these attacks receive has helped to increase awareness among businesses, brokers and insurers. These risks are not going away and it’s important to stay up-to-date and adapt products accordingly.
“A system failure or data corruption can be caused by a hacker attack, virus or a malicious ex-employee. This kind of interruption can result in lost revenues and rising costs, for example if hiring technical experts.
“In the aftermath of a data breach, a lot can be done to help protect the name of a business. Ensuring the right things are done and said at the right time can have a very positive effect on how a business is perceived to be managing a crisis. Breach response is extremely important.
“Understanding cyber risks is no different to understanding other risks. Attendance at relevant conferences and having regular discussions with security experts also helps with the learning process. Many brokers are well educated in this area and want to understand the risks better, and to provide a quality service to their clients.”
The regional broker
Nick Coe, sales director, Franklands
“Derby is a leading technology city. Most people associate Cambridge and Reading with technology, but Derby has 11.8% of the working population employed in the sector.
“We tend to find most brokers typically sell a standard commercial insurance product that often doesn’t meet the requirements of cyber liabilities, such as breach of duty and breach of care.
“We work with a number of leading technology insurers with very good offerings, meaning that we provide more than a standard commercial combined contract that you’d probably expect the local manufacturing company to purchase.
“The only downside for our sector is that if you have a client that’s very successful at what it does, it often gets bought out quite quickly.
“The technology sector has stood up well to the recession, because a lot of the contracts aren’t written for a short period of time like a construction contract might be. A lot of them are projects over a longer period, tying in with larger overall contracts, so it’s a lot more resilient.”
Jonathan Millican, winner of the GCHQ Cyber Security Challenge 2012, and Cambridge University undergraduate
“A lot of the time, security breaches are down to the system users. There’s often a big divide between the IT staff and the other people using the systems, and people rely on the IT guys to make everything secure.
“This is a fundamental misunderstanding: system security should be an ongoing process for everyone, rather than simply just a matter for IT and everybody else ignoring it.
“Having insecure passwords is an obvious example. If it’s a dictionary word, there are plenty of tools out there that can crack them pretty much instantly. Same if it’s a word from a hacker dictionary, which means commonly used words perhaps with the ‘A’s replaced with ‘4’s.
“Larger companies are most interesting to hackers. They often have many more ways in, and a lot more to get at once you are in. They’re more likely to have sensitive data, a lot of data, or lots of different user accounts to try out.
“Successful attacks usually depend on how good and how determined the hacker is. A high-profile company is a lot more likely to fall, just because they’re a bigger target, so they need to have good defences.”
- In his article ‘A Brief History of Hacking’, the BBC’s technology correspondent Mark Ward sets out the history of cyber security issues, from the advent of the internet to global cyber warfare today. You can find it free online at www.bbc.co.uk/news/technology-13686141
- The Information Commissioner’s Office has published EU data protection proposals, which outline why current data laws require updating, what the proposals will mean for companies operating in Europe, and also what the wider economic impacts will be. A range of resources around data laws and cyber risk can be found on the ICO website. www.ico.gov.uk
- DDoS (distributed denial of service) attacks are one of the most common forms of cyber warfare. Go to www.ddos-attacks.net for information on how they work and what you can do to help protect businesses from being disrupted.
- The economic cost of cyber attacks to businesses in the UK is estimated at £21bn per year. The Cabinet Office has published a report into the boom in cyber crime and what the implications are for businesses. This can be found at www.cabinetoffice.gov.uk/sites/default/files/resources/THE-COST-OF-CYBER-CRIME-SUMMARY-FINAL.pdf