BreachExchange mailing list archives

Secret Service Agent Says Many Cyber Breaches Go Unreported


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 11 Mar 2014 18:49:00 -0600

http://www.insurancejournal.com/news/west/2014/03/07/322748.htm

Many breaches in data security may be going unreported by American
businesses.

That's according to Kirk Arthur, supervisory special agent for the U.S.
Secret Service's San Francisco field office.

"Businesses simply don't report it," said Arthur, who was speaking in front
of a crowd of insurance professionals on Thursday at the behest of the
Golden Gate Chapter of the Chartered Property Casualty Underwriters Society
during the group's "All Industry Day."

The group held their daylong conference at the Delancey Street Conference
Center, which houses a residential self-help organization for former
substance abusers, ex-convicts, homeless and others.

Arthur was among a group of people addressing the topic of cyber security,
covering topics like Target Corp.'s recent multi-million customer data
breach and the newly issued Executive Order 13636, which Grace Crickett,
senior vice president and chief risk and compliance officer of AAA Northern
California, Nevada and Utah, said has garnered increasingly more attention
from the nation's ranks of chief information security officers.

"The CISO community is taking it very seriously and is really reacting as
if it's mandatory," Crickett said.

The order is voluntary, but it does have some good suggestions, including
compliance and risk practices, she added.

The order, titled "Improving Critical Infrastructure Cybersecurity," was
issued in February by the office of the president. It also deals with
cybersecurity information sharing and privacy, and it offers a framework to
reduce cyber risk.

With that in mind, Crickett posed the first question that companies, and
underwriters, should be asking IT executives:

"Is there an increase in attacks on your system?"

The answer's likely to be "Yes" in light of what Jim Patterson, western
zone network security and privacy specialist for AIG, had to share.

According to Patterson, the number of cyber breaches that AIG's clients
experienced in 2013 was up 73 percent from the year prior.

"Either we're doing a terrible job of underwriting risk or breaches are
going up," he said.

Patterson said AIG has been writing cyber risk for more than 15 years, and
that the amount of coverage they write has been growing every year.

And when you add up paying to inform customers of breaches, investigating
and fixing the breaches, and other measures that are required of a paying
insurer, the claims from breaches are considerable, he said.

The average breach for AIG's mid-market clients, those companies with
between $10 million and $500 million in annual revenue, costs AIG roughly
$500,000, he said.

"We're not talking about a small amount when we have a breach," he said.

But the most vulnerable of the nation's businesses may be those that are
the smallest and least capable, or willing, to take steps to protect their
data, according to Arthur.

Arthur noted that more than 80 percent of U.S. businesses have 20 or fewer
employees, and that such businesses typically are technologically
unsophisticated; they often set up their point of sale system and forget
about it, and many of them neglect to update or even buy anti-virus software.

"A lot of it is negligence," Arthur said.

Compounding this issue is that many of those companies then fail to report
their breaches, either fearing negative publicity or because of the belief
nothing can be done about it, he said.

"Target happens every day to businesses across the country," he said.

While Arthur shared several success stories in which data thieves were
caught in rings that stretched from the U.S. to the Ukraine and back, he
said that government cuts in personnel have made it tougher to detect and
catch the growing number of cyber criminals.

"We can't catch every breach that happens," he said.

The Secret Service had an ongoing hiring freeze for the last several years
and has only recently begun to hire agents again, while during the
recession deep cuts were made to key links along the justice chain from
Department of Justice through the rest of the U.S. penal system, he added.

"At the end of the day you need people investigating this and you need
people going to jail," Arthur said.

That point was driven home by David Lewison, national co-practice leader
for financial service practice for AmWins Group Inc., who later highlighted
the fact that many of these breaches are being carried out by lone
hackers on $400 laptops.

"You don't have to be a big, bad shoot 'em up guy to steal data," he said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/