2013 conference highlights

Human error causes breaches

by Kate Tilley, Resolve Editor

You can patch software, but not humans, and that’s a key reason cyber attacks continue to occur, Verizon’s Asia-Pacific regional managing principal Paul Black told the AILA conference.

Co-presenter Chubb assistant vice president Andrew Taylor agreed, saying people were the weakest link in computer security. “It’s not an IT problem, it’s a people problem.”

He said most security breaches were “careless rather than malicious”. About 70% of data breaches were caused by internal people who used weak passwords or visited websites that gave “cyber crims” a way into the system.

Mr Black said Verizon’s 2013 data breach investigations report, which compiled global data from government agencies, like the Australian Federal Police and the US Secret Service, identified 47,000 security incidents involving theft of 44 million records. “No one is immune. There’s a perception the bad guys are only going for big organisations, but that’s not the case.”

Attackers fell into one of three categories – activists, criminals and spies. Activists wanted to maximise disruption; they used basic methods and were opportunistic. Criminals were motivated by financial gain, used calculated, complex methods, and traded information for cash. Often merchants whose websites were compromised were unaware. “It can happen to anyone selling online,” Mr Black warned.

Techniques were always being modified. For example, after the Boston bombings, appeal sites were established that looked legitimate but downloaded malware onto the computers that browsed them. “It’s very difficult to protect against targeted attacks.”

Mr Black said the Verizon report contained “some scary numbers”. For example, 69% of breaches were spotted by external parties and, of those, 9% by customers. In 84% of cases, the time from the initial attack to a system being compromised was a few hours or less.

Mr Taylor said the cost of recovering content and establishing how systems were breached was rising. “The crisis management and investigation costs are too big for some businesses to incur and survive. People say they have good IT departments and firewalls, but criminals can get through and are stealing intellectual property and data every day.”

He said good cyber liability insurance covered organisations for first-party expenses; business interruption and extra expenses; and third-party liability. It covered gaps that “industrial-age policies”, like general liability, ISR, professional indemnity and crime, could not. For example, if a company was shut down by a cyber attack, its ISR policy would not cover business interruption costs because there was no property damage.

The policy should include coverage for impaired access, if customers cannot gain access; conduit liability, if a system is used to launch an attack; and notification expenses. Even without mandatory notification laws, it was good business practice to alert customers if their information had been breached.

“It’s people, not technology, that create weaknesses. It’s a big cost, but can be transferred by insurance,” Mr Taylor said.