5 major cyber hacks and the tools that might stop them next time

5 major cyber hacks and the tools that might stop them next time

This article originally appeared on The Next Web

feature img

2015 might be remembered as the year of the hacker. Just by using the Internet, you’re subject to all manner of ways your private information is put at risk – tracking, malware, identity theft and data breaches… the list goes on.

The number of victims of cybercrime and identity theft is growing exponentially and the average financial loss is now in the thousands of dollars per victim — and counting

Criminals and hackers are always a few steps ahead of consumers. While being online has made our lives noticeably better, conveniences like social networks, shopping and banking have also made it easier for others to collect our personal data. Not to mention the millions of customers affected when a company trusted with this information doesn’t have the protocols in place to keep it safe.

Last week, ScottradeT-Mobile and Patreon each announced they were victims of hacking, currently affecting a combined total of over 20.8 million users and customers. After all is said and done (and uploaded to the Internet), customers and users are the ultimate victims of corporate data breaches.

So how do you make sure those with access to your most personal information are keeping it safe? Thanks to software advances, interesting new products to keep tracking and hacking to a minimum are growing in number. Here are this year’s most notable cyber attacks and my personal software suggestions that may have prevented them.


A match made in cyber heaven

Around 37 million people were compromised in the Ashley Madison incident. And since nobody deserves to have their information stolen, who’s better equipped to keep watch over a community of sneaky people than an army of friendly hackers.

An interesting company that could have helped Ashley Madison prevent the attack: HackerOne.

Created by security leaders from Facebook, Microsoft and Google, HackerOne is the first vulnerability management and bug bounty platform. Their service streamlines communication between security researchers and the internal customer response team, improving productivity with an easy-to-use coordination platform to manage vulnerabilities from disclosure through resolution.

When you’re part of the problem, not part of the solution

UCLA Health’s poor security and lack of encryptions was partially to blame when it was hit by a massive theft of 4.5 million records earlier this year, with customer data – including Social Security numbers, and medical data such as conditions, medications, procedures, and test results were compromised. The simple use of encryption may have stopped the breach all together.

With Cloud storage use on the rise, nCrypted Cloudprotects the privacy of its members and corporate data residing in the public cloud. Share, track and control access to files in seconds from existing cloud providers on any device.


The taxman cometh and the hacker taketh away

The IRS data breach affected around 100,000 taxpayers thanks to a flaw in the IRS’ system which allowed hackers to access past filed tax returns, including sensitive financial information and Social Security data. It’s said that the breach cost taxpayers $50 million in fraudulent claims.

While the US government would never host outside itself, if they did, perhaps it could implement Golden Frog in order to rid themselves of so many pesky flaws.

A global service provider committed to preserving an open and secure Internet experience while respecting user privacy, the company owns and manages 100% of its own servers, hardware, network and DNS to ensure the highest levels of security, privacy and service delivery.

Not very good at keeping secrets

The OPM hack, which affected over 22.1 million people, could be the single most damaging breach to US national security of all time. Entire backgrounds checks were stolen by an unknown assailant. Now that this information is out, perfect blackmail material to gain swathes of sensitive or classified data, those affected must be exponentially cautious.

The Jason Borne of data privacy, Privitar Global is differentiating itself as a leader. Privitar Global aims to facilitate the use, collaboration and trade of data while adopting an uncompromising approach to protecting personal private information.

Spy and government workers may want to try out myAKA. While the service won’t self destruct, it does add a layer of privacy and safety between yourself and those you share your phone number with by using a second phone number.


When your healthcare provider betrays you

Anthem, a US health insurance firm, lost more than 80 million customer records when it was hacked at the start of this year, along with around 19 million rejected customers because data was not encrypted. From Social Security numbers to birth dates and addresses, enough personal data was stolen to steal identities.

Behold: SpiderOak. Believing that the user alone should hold the key to decrypt their data, SpiderOak provides Zero Knowledge privacy solutions to individuals, groups and enterprises. Their cross platform products are designed to either be hosted or run on-premise. From evaluating the latest threat models, to building surveillance resistant systems, SpiderOak products are some of the most reliable, innovative and private.

Check out the full list of both security and privacy companies on Index.

Read Next: Minecraft is being used to seek out cybersecurity talent

This article was written by Lauren Gilmore from The Next Web and was legally licensed through the NewsCred publisher network.

Counter cybersecurity threats with a human-machine dual strategy

Counter cybersecurity threats with a human-machine dual strategy

Earlier this year, the 3.5-hour outage at the New York Stock Exchange (NYSE) raised a lot of eyebrows in the IT community. Opinions about the cause of this outage, including my own, came out of the woodwork despite official statements claiming “technical issues” following a software update. I have to ask: Would the NYSE really perform a software update on a production system first thing Wednesday morning?

While I can’t rule out a hack on the NYSE, the situation sparks another discussion: Was human error to blame?

If this was a technical glitch due to a software update, then it’s clear a human error was made somewhere down the line. What businesses don’t understand is that even a small mistake in router code can cause a colossal issue like this. More importantly, human error leaves any size organization vulnerable, and it’s hard to plan when the vulnerability isn’t apparent.

In response to catastrophes caused by human error, many IT processes have become automated. In our own data center, we’ve automated everything from temperature to security to reporting, so our time can be used as efficiently as possible and we can avoid mistakes. 

But not all processes can be automated. Machines lack at least two features humans have: intuition and experience. For example, during a data center walk-through inspection, the senses of sight, smell, and hearing are critically important. Sure, we have tools to help us troubleshoot problems like security glitches or overheating, but humans can see and connect the dots on things computers can’t.

In a recent Bloomberg Business interview , Garrett Schubert of EMC was asked about the attacks his security operations center faces everyday. Since EMC is a big target, the SOC gets to know their hackers by analyzing their patterns. The author of the article, Michael Riley, describes it like this:

“Hackers have personalities that show up in the tactics they use—their digital habits, if you will. It’s like playing a high-stakes game of chess with an opponent sitting a continent away.”

The ability to identify those hackers’ patterns enables EMC to address and neutralize threats more effectively. Connecting the dots between hacker behavior, their identity, and their likely next move would not be possible without human intuition.

Balancing humans and machines in order to get the best of both

The reality is that we can remove human error with automated IT processes, but we’ll never be able to remove human interaction. Human intuition is as important a tool in the IT arsenal as malware or security measures. However, as businesses, we must also be strategic about the resources we allocate to everyday tasks. 

My advice? Automate as many IT processes as possible: temperature setting, reporting, security alerts, and more, but include a human touch point or fail-safe in each of those processes. Think about where most issues could or do happen in your business and incorporate human review processes into those areas.

IT processes help your business avoid errors, but human intuition can counter threats to which your machines are blind.

This article was written by Rich Banta from NetworkWorld and was legally licensed through the NewsCred publisher network.

Study cites cybercrime's rising costs to corporations

Study cites cybercrime’s rising costs to corporations

NEW YORK (AP) — Cybercrime costs are climbing for companies both in the U.S. and overseas amid a slew of high-profile breaches, according to research released Tuesday.

A sixth-annual study by the Ponemon Institute pegged the average annual cost of cybercrime per large U.S. company at $15.4 million. That’s up 19 percent from $12.7 million a year ago.

It also represents an 82 percent jump from Ponemon’s inaugural study six years ago.

Individually, cybercrime costs for the U.S. companies surveyed varied dramatically, ranging from $1.9 million to $65 million. And the average cost of a cyberattack on a U.S. company rose 22 percent to $1.9 million from $1.5 million.

Globally, the average annualized cost of cybercrime increased 1.9 percent from last year to $7.7 million.

“As an industry we’re getting better, but attacks are becoming much more invasive and sophisticated,” said Andrzej Kawalec, chief technology officer for Hewlett-Packard Co.’s HP Enterprise Security, which sponsored the study and sells cybersecurity services to businesses.

The study examined the total cost of responding to cybercrime incidents, including detection, recovery, investigation and incident-response management. It also looked at after-the-fact expenses designed to prevent additional costs stemming from the potential loss of business or customers.

Recent expensive and embarrassing breaches at companies including Target, Home Depot and Sony Pictures have prompted many companies to boost their cyberdefenses.

The study looked at a sample of 58 U.S. companies with at least 1,000 connections to its computer network. Globally, the study analyzed data from 252 companies in the U.S., United Kingdom, Germany, Australia, Japan, Russia and Brazil.


Follow Bree Fowler at https://twitter.com/APBreeFowler

This article was written by Bree Fowler from The Associated Press and was legally licensed through the NewsCred publisher network.

Average business spends $15 million battling cybercrime

Average business spends $15 million battling cybercrime

The average U.S. company of 1,000 employees or more spends $15 million a year battling cybercrime, up 20 percent compared to last year, according to a report released today.

Attacks involving malicious code, malware, viruses, worms, trojans and botnets accounted for 40 percent of this cost, followed by 16 percent for denial of services, 14 percent for phishing and social engineering, 12 percent for web-based attacks, 10 percent for malicious insiders and 7 percent for stolen devices.

One of the reasons for the high cost of battling cybercrime is that it takes an average of 46 days to contain a successful attack after it has been detected, said Larry Ponemon, chairman and founder at Traverse City, MI-based Ponemon Institute, LLC

“Companies spend $43,000 a day, on average, for containment costs,” he said.

The attacks are also happening more frequently, he added, and many are becoming more severe.

There was a wide variation in how much individual companies spent on battling cybercrime, from $1.9 million on the low end all the way up to $65 million a year.

Larger companies tended to spend more in total, though they had lower per-employee costs than smaller companies.

The report also looked at other factors, both organizational and technological, that can affect the cost of defending against a cyberattack.

For example, Ponemon looked at several technologies that lowered defense costs.

“Companies that invested in these technologies did that much better than those who did not,” said Eric Schou, director of product marketing for HP Security.

The best-performing technology was security intelligence systems, which, on average, saved companies $3.7 million in cost. That translates to an average return on investment of 32 percent.

Companies that used encryption extensively saved $1.4 million a year, but, because of the lower cost of the technology, saw an average return on investment of 27 percent.

Advanced perimeter controls and firewall technologies saved $2.5 million a year, for a return on investment of 15 percent.

Technologies which had a return on investment of 10 percent or less were IT governance, risk and compliance tools, data loss prevention tools, and automated policy management tools.

The biggest organizational or management factor was having sufficient budget for cybersecurity — this reduced costs by $2.8 million a year.

Next, employment of expert security personnel saved companies $2.1 million a year, and hiring a CISO or similar high-level security leader saved $2.0 million.

Substantial training and security awareness activities saved companies $1.5 million, and extensive use of security metrics saved $1 million.

Ponemon added that these numbers do not add up in a linear fashion since they can be interdependent.

The results are based on over 2,100 interviews that the Ponemon conducted over the past 11 months. The research was sponsored by HP.

The research covered six other countries besides the U.S. — the U.K., Japan, Germany, Australia, Brazil, and Russia.

Average global costs of containing a cyberbreach were $7.7 million, or about half that of the U.S. alone.

This article was written by Maria Korolov from CSO and was legally licensed through the NewsCred publisher network.

Technicians are pictured as they work on the simulator control panel during an exercise on nuclear security at the Civaux Nuclear Power plant, 34 kms southeast of Poitiers, western France, on September 22, 2015

Nuclear power plants warned on cyber security

Operators of nuclear power plants worldwide are “struggling” to adapt to the increasing and potentially dangerous threat of cyber attacks, a report warned Monday.

The nuclear industry “is beginning -– but struggling -– to come to grips with this new, insidious threat,” the Chatham House think-tank in London said in a study based on 18 months of investigation.

Its findings suggest that nuclear plants “lack preparedness for a large-scale cyber security emergency, and there would be considerable problems in trying to coordinate an adequate response.”

It highlighted insufficient funding and training, a “paucity” of regulatory standards, increasing use of digital systems and greater use of cheaper but riskier commercial “off-the-shelf” software.

In addition there is a “pervading myth” that nuclear power plants are protected because they are “air gapped” — in other words not connected to the Internet.

In fact, many nuclear facilities have gradually developed some form of Internet connectivity, and computer systems can be infected with a USB drive or other removable media devices.

This was the case with Stuxnet, a virus reportedly developed by the United States and Israel — and implanted with a flash drive — which caused Iran’s nuclear facilities major problems in 2010.

Chatham House added that Stuxnet, which it said is also believed to have infected a Russian nuclear plant, has had the unintended effect of teaching cyber criminals how to improve their techniques.

“Once Stuxnet’s existence became publicly known, hackers around the world took inspiration from the way it functioned and incorporated some of its features into malware to suit their own purposes,” it said.

This article was from Agence France Presse and was legally licensed through the NewsCred publisher network.

Cybersecurity for the work-anywhere generation

Cybersecurity for the work-anywhere generation

Businesses are coming under frequent and increasingly brazen attacks from computer hackers looking to steal sensitive data about customers and disrupt their operations. But many organisations are failing to take adequate steps to repel these onslaughts and often seem clueless about what to do when they happen.

This summer’s scandal, when hackers attacked the Ashley Madison adultery website – posting confidential details online about 33 million accounts – should serve as a wake-up call to businesses, especially those dealing with personal data. They need to protect their customers’ data from cyber-attack – or see their reputations shredded.

The attack on French TV network TV5Monde in April was even more worrying. The hackers managed to keep the TV channels off air for several hours and posted a message on the organisation’s website claiming to be from Jihadists associated with Isis. Threats were made against the families of French security personnel. Reports later suggested that French authorities suspected the hand of a hacking group with links to the Russian government.

But wherever the threats come from – and there are plenty of diverse groups and individuals looking to mount such attacks – many organisations seem powerless to stop the intruders and protect their data.

To discuss how businesses and other organisations can boost their cybersecurity, The Guardian, in association with Fujitsu and Symantec, brought together senior online security experts, academics and compliance managers for a roundtable discussion entitled: “Data protection: a critical part of good corporate citizenship?” Participants examined strategies for protecting IT networks from attack and discussed the steps organisations must take to ensure they safeguard their customers’ data better.

Part of the problem is that anti-hacking technology such as antivirus software and firewalls have become so sophisticated that hackers have decided to concentrate their efforts on “social engineering” attacks. These involve tricking members of staff into giving away usernames, passwords and other details that can be used to log in to networks.

Another risk is that staff may leave laptops, mobiles and documents containing sensitive information in public places, or fall for telephone scammers looking to extract private information.

The panel agreed that educating staff to be more aware of these threats is vital, and that with people increasingly working from different locations – at home, in cafes, on the train or plane – the risks are increasing.

Zeshan Sattar - Guardian/Fujitsu Roundtable Discussion on data protection, 15/09/2015.

Zeshan Sattar: “Yes, we can look at the technology, but we also need to look at the human risk.” Photograph: James Drew Turner

As Zeshan Sattar, a certification evangelist at CompTIA, a trade body for small businesses, said: “People want to work anywhere and everywhere. They open their laptop up and it is confidential – they are really not thinking about what they are doing. Yes, we can look at the technology, but we also need to look at the people and the human risk.”

Rather than blaming staff for these failings, should companies be be implementing basic cyber-hygiene in their systems? Or is there not much they can do to protect themselves?

“Determined hackers can get in anywhere,” said David Smith, deputy commissioner and director of data protection for the Information Commissioner’s Office, “but in lots of the cases that come to us, if basic measures had been in place, hackers wouldn’t have got in the way they got in.” Fines are levied where companies have failed to take adequate protection, he added.

Auriol Stevens, director of the Lockheed Martin virtual technology cluster at Restoration Partners, said the onus was on businesses to find clear ways of explaining the dangers of hacking.

“You need to tell people about the threats in simple terms. People didn’t understand war theory (in WW2) but they understood ‘Careless talk costs lives,’” she said.

Mariarosaria Taddeo - Guardian/Fujitsu Roundtable Discussion on data protection, 15/09/2015.

Mariarosaria Taddeo: “Provide people with information about why the data is important rather than treating people as stupid.” Photograph: James Drew Turner

But Mariarosaria Taddeo, researcher at the Oxford Internet Institute at University of Oxford, warned against oversimplifying the issues. She said organisations need to focus on explaining the dangers better.

“Provide people with information about why the data is important rather than treating people as stupid and just saying it is confidential – explain why that matters. Words like confidential can be cliquey and the word policy turns people off – you’ve lost them.”

One of the big debates is whether organisations should allow staff to use their own smartphones, tablets and laptops for work – so-called “Bring your own device”. This increases risk, because these devices can be more easily accessed by hackers.

Where companies provide devices to staff, workers tend to store their work in cloud services, then transfer it over to their own devices, which makes the data vulnerable. One way around this is what is known as “choose your own device” where staff are given a budget and allowed to buy a device of their choice.

Sian John, chief strategist for EMEA at Symantec, explained the dangers of this strategy: “If you don’t spend enough people will just put files in the cloud or email them to themselves and then open them on a personal device. It’s worth spending extra on a fancy, top-of-the-range machine to make it less likely they will put work on their own device.”

An underlying problem for many organisations is a lack of understanding about the importance of data and security. Until the boards and senior managers grasp that data is a hugely valuable asset for their business, they will always demote cybersecurity in their list of priorities.

Jane Wainwright, director of cybersecurity & data protection at PwC, said it is not the responsibility of either the IT department or the security department to explain the value of data – it is a job for senior management.

“What I want to hear from them is: ‘We protect data because it is the right thing to do for our customers.’ It’s good if you can use the values of an organisation to get people to understand why the data they have access to matters.”

Leaving data security solely to the IT department can create problems, said Mark Edwards, technical director at Capital Network Solutions. “Quite often, the IT department will see it as a failure in their role if they have an incident, so they’ll try and cover it up for as long as possible.”

Some believe that it is inevitable hackers will find their way into corporate networks, so these should be segmented and structured so the intruders cannot move around and access data with ease.

A significant issue with the TV5Monde attack in April was that the hack seemed to have started at a relatively low level, with a phishing email that three members of staff replied to, allowing the hackers to infiltrate the system with Trojan Horse malware, which tricks users into installing a malicious computer program. The hackers were then able to pass through the firewalls and access not just staff computers and Twitter and Facebook accounts, but also the servers that controlled TV production. This raises questions over the effectiveness of firewalls that separate different areas of operation. Companies need effective “air gaps” where their IT systems are not connected, so hacks cannot spread.

Shirin Shah, manager of governance, risk, control and compliance at EDF Energy, said the business operates separate systems for different parts of the business.

Shirin Shah - Guardian/Fujitsu Roundtable Discussion on data protection, 15/09/2015.

Shirin Shah: “We have segregated networks, so for our nuclear business there is a totally separate and much more secure network.” Photograph: James Drew Turner

“We have segregated networks, so for our nuclear business there is a totally separate and much more secure network. We have three networks at the moment, so the different parts of the business are segregated according to the risk. We have a customer side of the business where we need to be quite open and communicate with our customers and the other part of business is very secure and locked down.”

Andy Herrington, head of cyber professional services at Fujitsu, said it could it could be another generation before people get a good grasp of risk management in IT. But he believes the Ashley Madison attack was a watershed. “In 10 or 20 years’ time people may look back and say there was a sea change because it affected people in a very personal way.” And he added: “Look at the Titanic – it fundamentally changed safety at sea almost instantaneously.”

Siraj Ahmed Shaikh, cybersecurity lead at Knowledge Transfer Network, said there needs to be a clearer view of the role technology plays in society. “Is technology just a service or is it an infrastructure, in which case we regulate it.”

David Evans, director of policy and community at BCS, the Chartered Institute for IT, said people need to have a better idea about how trustworthy different organisations are with their data. This could have huge implications for the future of digital technology, such as the Internet of Things (IoT). “If we don’t have trust we’ll have a massive digital switch off. Many of the people providing the building blocks for the IoT are worried about a lack of trust in digital services, because it will stuff up the market for them.”

Hack attacks will continue. But the future of digital services will depend on organisations getting better at protecting their customers’ data and finding ways to keep the hackers at bay.

At the table

Samuel Gibbs (Chair) Technology journalist, the Guardian News and Media

Mark Edwards Technical director, Capital Network Solutions

David Evans Director of policy and community, BCS, The Chartered Institute for IT

Andy Herrington Head of cyber professional services, Fujitsu

Sian John Chief strategist, EMEA, Symantec

Zeshan Sattar Certification evangelist, CompTIA

Shirin Shah Governance, risk, control and compliance manager, EDF Energy

Siraj Ahmed Shaikh Cybersecurity lead, Knowledge Transfer Network

David Smith Deputy commissioner and director of data, Information Commissioner’s Office

Auriol Stevens Director, Lockheed Martin virtual protection technology cluster, Restoration Partners

Mariarosaria Taddeo Researcher, Oxford Internet Institute, University of Oxford

Jane Wainwright Director, cybersecurity and data protection, PwC

This content has been sponsored by Fujitsu and Symantec (whose brands it displays). All content is editorially independent. Contact Ashley Evans
(ashley.evans@theguardian.com). For information on debates visit:

This article originally appeared on guardian.co.uk

This article was written by David Benady from The Guardian and was legally licensed through the NewsCred publisher network.

Hacked T-Mobile Data For Sale On Dark Net

Hacked T-Mobile Data For Sale On Dark Net

T-Mobile storefront

Names, addresses, Social Security numbers, birthdays and other sensitive personal information belonging to some of the 15 million T-Mobile customers who had their information hacked is already for sale on the Internet’s black market, one cybersecurity firm reported. A number of new listings have surfaced on the dark net, the firm said, advertising information that exactly matches the type of T-Mobile payment information that was taken from credit check company Experian.

Listings for FULLZ data, a reference to someone who’s been hacked, were posted throughout the dark net Friday, just one day after T-Mobile reported that partner Experian was breached between September 2013 and September 2015. It’s possible that the listings are fake, an example of one illicit data broker trying to trick another into buying information that appears to have been obtained in the T-Mobile breach. Experian previously said there has been no indication that customer information has been used whoever was behind the breach.

“Once fraudstarers get their hands on data, they typically unload it very quickly,” a spokesperson for the Irish fraud detection company Trustev told VentureBeat, which first reported the story this weekend. “So like I saidm it’s not definitely T-Mobile/Experian, but it’s extremely likely considering the type of data and timing.”

A description below one ad reproduced by VentureBeat notes that the ad is for 10 records, at $1 per record, and payable in bitcoin.

This article was written by Jeff Stone from International Business Times and was legally licensed through the NewsCred publisher network.

Eugene Kaspersky, CEO of Kaspersky Lab, speaks in Washington on June 4, 2013

Kaspersky boss warns of emerging cybercrime threats

Russian online security specialist Eugene Kaspersky says cybercriminals will one day go for bigger targets than PCs and mobiles, sabotaging entire transport networks, electrical grids or financial systems.

The online threat is growing fast with one in 20 computers running on Microsoft Windows already compromised, the founder and chief executive of security software company Kaspersky Lab told AFP this week on the sidelines of a cybersecurity conference in Monaco.

QUESTION: How do cybercriminals work?

ANSWER: For every new device or operating system, there are hackers who will try to show off their skills by breaching its security, Kaspersky said.

“And then the criminals come,” he said.

Cybercriminals break into systems by using the holes exposed by hackers, he added. Once in, they seek personal financial data; encrypt corporate computers so as to get a ransom for their release; and infect computers with “botnet” software that makes the machines infect yet more victims.

“Today we see more than 300,000 unique attacks every day,” Kaspersky said. “Five percent of all computers in the world connected to the Internet running with Windows are infected.”

QUESTION: As an average user of the Internet, should I be worried?

ANSWER: You need to be aware of the threats and take care to avoid being an “easy victim”, Kaspersky said, stressing that it is not just a question of installing security software.

“It’s like everyday life. If you just stay at home and if you don’t have visitors, you are quite safe. But if you like to walk around to any district of your city, you have to be aware of their street crimes. Same for the Internet.”

QUESTION: What is the next likely target for cybercriminals?

ANSWER: The big fear is that extremist groups hire hackers to compromise entire infrastructure networks, Kaspersky said.

“The next step is cyber sabotage, attacks on physical infrastructures and critical data,” he said.

“They will target transportation infrastructures, electric grids, financial data, healthcare systems,” he warned.

This article was from Agence France Presse and was legally licensed through the NewsCred publisher network.

Who pays for cybercrime?

Who pays for cybercrime?

Cybercrime is becoming such a common occurrence. Too many of us have to hear about and become familiar with the Deep Web sooner than I ever dreamed we would. I heard Charlie Miller and Chris Valasek – the presenters at Black Hat who hacked a 2014 Jeep Cherokee’s onboard computer sparking a massive vehicle recall – say that “everything is hackable.” And it is. If you think you’re safe then you’re likely next if you have anything of valuable personally or professionally.

What are the costs of cybercrime?

With all these cybercrimes that include database breaches of government personnel identities, big box store credit card numbers and customer data, and fingerprint databases that number in the millions, who pays? What costs are incurred?

From a high-level, the costs – at a minimum – are:

  • Lost customers for the big box stores that were hit in the past 1-2 years
  • Lawsuits and settlements for those customers affected by the breaches on these stores’ databases
  • Individuals who have to fix identities and get new cards and personal information issued
  • Corporations paying large dollars for cybercrime insurance (more on this below)
  • Corporations paying handsomely for risk and cybercrime prevention planning and consulting

Cybercrime insurance – an interesting new twist

There are always opportunists out there looking to capitalize on the latest victims and cybercrime is no exception. Cybersecurity insurance seems to be the rage these days. Lloyds of London – those insurers who cover Keith Richards’ fingers and your favorite college quarterback’s arm who decides to stay in college one more year – are big into cybersecurity insurance. The problem is, they are insuring the loss – insurance against data loss, malware and service attacks, data breached and cybercrime – not helping prevent cybercrime in anyway.

Focusing on the consequences, not the causes

So, who pays? Well, consumers pay, I guess. Chubb – a leading provider of insurance coverage – also offers insurance against cybercrime…as do most large carriers and many smaller insurers popping up and entering the lucrative cybercrime insurance market. Companies seeking out insurance against cybercrimes are focusing on the consequences of cybercrime, not the causes, by purchasing liability and errors-and-omissions insurance.

As Chubb states, “Unfortunately, many companies don’t realize that whether they experience a data security breach isn’t as much a matter of if it will happen as when. When a security breach happens, you’ll need comprehensive protection from an insurer that specializes in handling cyber risks, offers a full suite of integrated insurance solutions to help minimize gaps in coverage, and understands how to tailor coverage to your business.” Chubb’s insurance covers direct loss, legal liability, and consequential loss resulting from cyber security breaches.

As the cost of cybercrime losses rises and the frequency of cybercrime events also rises, the costs of those payouts will be passed on to consumers of all insurance policies with companies like Chubb. It’s called free enterprise. One such insurer – Marsh & Mclennan – which offers cyber insurance, has estimated that the market for cybercrime insurance doubled last year to as much as $2 billion.

Is C-level representation the answer?

I personally propose a C-level cybersecurity representation now in organizations of any notable size handling any sensitive data and information and running any projects with sensitive data for important clients that they want to keep long term. After all, it only takes one breach for you to lose many customers and gain a certain reputation that you really don’t want to have. And if you’re one of those corporations and you haven’t been hit yet…don’t worry…you will. Given the prevalence of digital terrorism, cyber attacks are a question of when, not if.

Summary / call for input?

What are your experiences with cybercrime? Has your organization been affected? What risk or avoidance measures are you taking or planning to take to guard against cybercrime? Has there been a consideration to make a cybersecurity position a C-level representation?

This article was written by Brad Egeland from CIO and was legally licensed through the NewsCred publisher network.

Cue another Israeli security success story -- Dome9 pockets Series B

Cue another Israeli security success story — Dome9 pockets Series B

Israel’s famed 8200 cyber-security military unit is a crucible for the creation of leading-edge cyber security products. That is hardly surprising; there is unlikely to be any country, organization or enterprise that has a larger attack vector than Israel — be it physical or virtual. And given that the vast majority of young people in Israel need to perform compulsory military service, you have a massive amount of talent coming through the unit. At the other end of that many 8200 veterans go on to become a part of commercial cyber-security companies.

One company that has come out of the broader Israeli cyber-security space is Dome9. Dome9 is a public cloud security and compliance vendor which is focused on the orchestration of security policies, risk visualization and threat remediation. The company covers a number of different public clouds including Amazon Web Services (AWS), Windows Azure, and IBM Softlayer.

Of course AWS is the biggest of the public cloud vendors so it is perhaps unsurprising that Dome9 chose this week, the week in which AWS hosts its annual re:Invent conference, to announce its Series B funding. The company has raised $8.3 million from a round led by ORR Partners and including new Investors Lazarus and JAL Ventures. Existing investors Opus Capital Ventures also participated in the round. This round brings total funding to date to $13 million.

The opportunity here is huge — public cloud uptake is massive and growing incredibly fast. At the same time almost on a daily basis we hear of new security incidents which put organizations’ data, and the data of its customers, at risk. Mature organizations know that a retreat from the public cloud isn’t an option. Rather, leveraging solutions which allow the sort of agility that the public cloud offers, while still ensuring compliance and security, is the winning combination.

There are a huge number of players in the broader cloud-security space and there will likely be some consolidation and rationalization down the road. For now, however, Dome9 seems to be doing everything right.

This article was written by Ben Kepes from Computerworld and was legally licensed through the NewsCred publisher network.