Ethan Pitts, underwriter of cyber risks and commercial crime at Camargue, on the theft of information from companies, and how to combat hackers


Q: How serious is cybercrime today, particularly in SA?
Cybercrime is the second-most reported crime globally, according to a 2016 PwC report, and continues to grow, given it is a lucrative revenue stream. It carries fewer risks of being caught than traditional crime as there are not enough forensic specialists in the field to help identify, locate and prosecute such criminals. These individuals also do not need to worry about operating in a single jurisdiction but can throw their net across wider territories and leverage technology to economise and scale up their business model – ironically in the exact same way as a legitimate company.

SA is no exception and businesses of all sizes are experiencing an increase in their exposure to online scams. WannaCry ransomware – a virus worm that emerged last year – is one such. It traps victims in an extortion racket by forcing them to pay to decrypt their critical files and information. We are also seeing the growth of a far more sophisticated criminal network developing in SA and the continent. Given the borderless nature of the internet, criminal skill sets are easily passed from one region to another, allowing for a massive boom in cybercrime over a relatively short period.

Q: What types of cybercrime exist, and what are the reasons behind it?
There are three main revenue streams for a cybercriminal to exploit: direct theft of funds; theft of information; and extortion demands. Theft of funds is easy to understand; criminals have simply moved from the physical realm into the cyber one. Theft of information, however, can be far more valuable. ‘Information is power’ and selling this on to third parties is very lucrative. Such third parties may be identity fraud syndicates that use personal information to clone online replicas of their victims, thereby gaining access to bank accounts, passports, educational degrees and lines of credit. Online black markets use healthcare information to forge genuine medical scripts for prescribed drugs that are sold at cost. Corporate rivals leverage the confidential information acquired to gain market advantage.

Q: Who are the hackers, what is their reward and who contracts them?
The old stereotype of antisocial nerds sitting in their mothers’ basements is now irrelevant. Hackers leverage both excellent technical knowledge as well as interpersonal skills to attack companies simultaneously through their physical infrastructure and employees’ social bias. Some of the best hackers rely completely on social engineering to obtain passwords or sensitive information from their victims, including employees as they are the weakest link in an organisation’s security perimeter. Most hackers are motivated by money. They sell their skill set to the highest bidder. Some hackers are motivated idealists, hacking for a cause ranging from social justice and environmental activism to political beliefs.

A significant number of hackers are contracted by a victim’s rivals. With pharmaceutical industries having spent nearly $150 billion globally in research and development, there is a huge pay-off should a rival gain the upper hand without having to spend the resources to advance naturally. Entities that can easily spend hundreds of millions of dollars to pioneer the development of new drugs need to be cognisant of the crosshairs their organisations may find themselves in. We are also seeing a consistent attack on SA legal firms, likely for the confidential or damaging information they hold on high-profile legal cases.

Q: What are the impacts on a business?
The main concern executives express is the potential legal liability should their companies be held accountable for failing to prevent a breach. Many directors also fear they could be held personally liable for failing to provide the due level of care and protection of their information resources. This is especially true for the financial sector that holds a large amount of sensitive client information. What SA executives should be equally concerned about is the brand impact and potential lost revenue and costs incurred from system downtime. With ransomware and other hacking attacks that are designed to cripple a business, many organisations stand to lose a lot of money if they are down for a day, a week or longer. The costs of getting a system up and running again can be a large portion of the overall damage.

Perhaps the most overlooked issue is the consequence of brand damage to an organisation. The latest scandal to hit Facebook regarding its extensive collecting and sharing of data with third parties cost the company $50 billion in market cap over a 48-hour period. The cost to mitigate this damage can be expensive but actually relatively small when compared to the negative impact of sales or share value.

Q: What type of information is targeted?
Financial information is the easiest to convert into real money for hackers, or the markets they sell to, but it is also the most regulated industry. Banks and other large institutions holding such information usually have the budget to apply extensive security against these attacks. The hackers’ biggest return on investment comes from obtaining personal information on individuals, which can be used in numerous ways; cloning an identity, for example, to provide a new nationality to an illegal immigrant. Potential blackmail opportunities come from sourcing medical records that disclose sexual preference, STDs or HIV status. Personal information is seen as a filler that enables criminals to pass the standard authentication questions posed by banks. In this way personal information can be sold to multiple buyers rather than just for a once-off credit card and pin number combination.

Q: Once a cybercrime is detected, how is the problem fixed?
The Ponemon Institute, which undertakes research on privacy, data protection and information security policy, conducted a global study – including SA – in 2017 and found that it takes an average of six months before companies realise they have a breach, with another two months to resolve. It is crucial therefore to have a disaster recovery plan in place before an incident occurs. This allows employees to minimise damage either by quarantining compromised computer systems or mitigating potential brand damage. Fixing the actual exploits usually requires IT forensics and other cybersecurity experts.

Q: What should companies do the moment they realise there is an attack?
An early warning may be a large amount of network traffic from an unexpected geographic location or source in the network. This usually indicates a large file transfer process or unauthorised user. The first step is to quarantine the intrusion to a single location, thereby preventing further damage. If this is a compromised workstation or server, taking it offline can be an easy way to deny the attackers further access. It is rarely a simple process to identify the source of a breach. Camargue’s cyber policy comes with access to a cohort of specialists in IT security and public relations who are on call to assist our clients immediately. No business leader can be expected to be an expert in all fields so the solution is to have an insurance product that protects the business post-loss while actively helping to mitigate loss.

Q: What types of businesses are the most vulnerable?
Typically large businesses such as international banks have the budget to install impressive security measures to prevent attacks. They are by no means invulnerable but can position their organisations out of the reach of most hackers. The real vulnerabilities lie in the SME or commercial-sized operations. These usually outsource IT functions and do not have a dedicated team monitoring the network 24/7 for disturbances. Any business collecting a large amount of data on their clients or those that rely heavily on computer systems to function and have funds that can be stolen or extorted becomes a target for hackers.

Q: How can customers be reassured their information is sufficiently protected?
We are seeing an increased drive by contractual partners to stipulate that a minimum level of insurance must be held by their vendors and service providers. This ensures that the victim of a breach has the funds to compensate the affected third parties as well as providing a level of oversight of the client’s security measures through the process of insurance underwriting. Reading through the end-user licence agreement or terms and conditions of a service provider will indicate exactly how data is handled. While this doesn’t necessarily help in understanding the level of security behind contractual promises, it does provide a level of assurance as to where your company’s data is and what it is being used for.

Q: What measures can be taken to prevent and mitigate risk?
Basic IT security such as firewalls and antivirus goes a long way towards protecting a business. That said, not all businesses have the budget flexibility to invest heavily into IT security. Cyber risk insurance is an important risk management tool to migrate losses away from the bottom line of the insured party. It’s always important to note though that no matter how impressive the physical IT security is, the weakest link is often the employee who clicks on a dodgy email. Training and awareness campaigns can drastically reduce the likelihood of becoming a victim of cybercrime.

By Kerry Dimmer
Image: Athiyah Cader Fataar