Travelers Spear Phishing

Top 5 Cyber Risks for Businesses

Travelers Insurance put together the top 5 cyber risks for businesses. There are no surprises in their list. They not only look at each risk but also give the costs associated with it. Let’s take a look at the top risks.

Cyber Risk #1: Human Error: Lost and Stolen Laptops and Smartphones

Everyone at one time has lost or misplaced their phone or laptop. Unfortunately, mobile devices are easy to lose. Travelers takes a look at the cost of an employee losing a smartphone with sensitive data. This data could be credit card information, social security numbers of employees, protected health information (PHI) of patients, etc.

Company Profile: Professional Services | $40 Million Annual Revenue


Here is some insight into the cost of the breach:

In this example, an administrator at an employee benefits company lost his personal smartphone, which he used to access an unsecured database containing the records of more than 15,000 clients, including social security numbers and private health information.

  • Losing the device resulted in costs for legal services, a forensic investigation and miscellaneous expenses.
  • In addition to data breach notification and remediation costs, it also cost the company one of its largest clients.
  • Several other clients are considering legal action against the firm for failing to prevent unauthorized access to electronic data containing confidential information of others.

The example looks at a midsize company with $40 Million in annual revenue. The key here is not the annual revenue but that there were 15,000 records with client information. You could be a $2 Million company and have a spreadsheet with 15,000 client records.

Cyber Risk #2: Hacker

No surprise here. It is hard to read the news without hearing about another company being hacked.

 

Cyber Risk #3: Spear Phishing: Social Engineering Targeted at Employees

Travelers gives an example of a spear phishing attack:

How does an innocent-looking email lead to online banking fraud?

After the office manager of a firm opened an email that appeared to contain an invoice, the firm’s online banking account was commandeered. Clicking on the Trojan horse email triggered a computer virus that allowed criminals to disable security measures, including transfer verification emails.

  • The office manager did not receive emails that would have informed the firm about wire transfers.
  • The criminals then sent 26 wire transfers of $25,000 each to 20 individuals and small businesses around the world.

Company Profile: Business Services | $100 Million Annual Retail


Cyber Risk #4: Extortion

How can extortion by a rogue employee affect business?

In this example, a rogue employee gained access to a construction firm’s data system through an SQL injection and attempted to extort money in exchange for restoring essential project files. When the firm refused to pay, the employee threatened to destroy the files, which would have been catastrophic due to lack of an adequate backup system.

  • After hiring a forensic IT expert, the firm was able to identify the employee and restore the files.
  • There was a significant business interruption.
  • The firm had to hire a crisis PR coach to explain missing a major project deadline.

 

Cyber Risk #5: Hacktivism: Social and Political “Hacktivists”

What happens when weak encryption allows an international hacktivist to access an American hotel’s customer database?

More than 30,000 sensitive records, including credit card data and social security numbers, were exposed. The hotel pledged to do everything it could to protect its guests, but was surprised to learn what a breach this size could cost.

  • The hotel had to pay significant notification and remediation costs.
  • Regulators investigated the hotel’s cyber breach policies, which added considerable time and cost.
  • Restoring the hotel’s reputation required investing in a complete rebranding campaign.

 

Bottom Line

Cyber risks are a real business threat. The landscape has significantly changed and appears to only be getting worse. The Travelers report clearly shows that cyber risks can be very expensive to a company. In fact, they can put a company out of business. And although hacktivism is #5 on the list and is a real risk, companies might be best off initially focusing on lost or stolen smartphones and laptops, along with preventing spear phishing and social engineering attacks.
