Cyber Crime – In Stealth

July 12, 2016 | smeditor

You know the feeling when you walk into a room and people are containing their laughter? You know that they are laughing at you, but you don’t know why. Well, I wonder if any Nortel executives had that feeling for almost a decade, when hackers had access to Nortel’s computers from 2000 to 2009, as reported by the Vancouver Sun here. Generally, when most of us think of cyber crime, we think of the events that make front-page news, like the Sony data breach of 100,000,000 records in 2011 or the targeted industrial attack of Stuxnet that sabotaged Iran’s uranium enrichment facility in 2010. But the hackers in the Nortel case are the cat burglars of cyber space. They did not want to be noticed, so that they could continue to mine Nortel’s data until Nortel went out of business.

In the article “Canadian Law Firms Hacked” here, Jeremy Hainsworth has a great discussion with Daniel Tobok of Digital Wyzdom Inc., who talks about targeted stealth attacks. Some of the best quotes from the article include: “On the way out, it was that sophisticated that it started cleaning its own tracks.” “Only experts to a point can clean up their own tracks.” “Another day or two and it would have been completely clear…” “Only on a government level can someone go to that length of expertise.” China is often blamed, but Tobok goes on to say, “The Russians cover their tracks by making it look like it’s coming from China…”

The front lines have travelled to cyber space. While the number of breaches reported is escalating quickly, how many are going unnoticed? Many do not realize that they are victims, and those that do would rather not let anyone know about it. The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada does not currently require organizations to notify the commissioner’s office. Mandatory reporting of data breaches is already widespread in the U.S., and we could see it in Ontario in the near future here (see Q7). I wonder how many executives have done some research, come across Ponemon’s “Second Annual Cost of Cyber Crime Study” here, done the math on their possible exposure to a breach of their customers’ data resident on their system, and swallowed hard when they realized that their company could have a large unfunded, yet to be disclosed, liability. If you use Ponemon’s (un-statistical, see caveats) estimate of $214 per breached customer record, it adds up in a hurry. Good luck, Sony.

“Surprisingly, although SMBs (Small & Medium Business) know the dangers of cyberattacks, they don’t feel they are at risk. In fact, half of SMBs think that because they are a small company, they aren’t in danger – it’s primarily large enterprises that have to worry about attacks. This is in direct contrast to the evidence.  According to data from Symantec.cloud, since the beginning of 2010, 40 percent of all targeted attacks have been directed at companies with fewer than 500 employees, compared to only 28 percent directed at large enterprises.” Symantec Survey.

Insurance policies are available to fund the Third and First Party exposures of a data breach claim. They are new, complex, diverse in the range of coverage offered, and require expert handling. Of course, they all exclude breaches that you are already aware of. So while it is a good idea to fortify your Security Information and Event Management (SIEM) solutions to get a better handle on your network, you may wish to get your Cyber Liability policy in place before you learn too much more.

Gordon Collins is with Mitchell Sandham Inc, a (truly) independent company providing commercial, private client and financial services insurance. His focus is on Commercial & Executive Liability, and he can be contacted at gcollins@mitchellsandham.com or (416) 862-1750.
