Under cyber attack

[Image: close-up of an electronic circuit board. Caption: Cyber crime increases sales of anti-virus software]

As of 6 April 2010, UK businesses can be fined up to £500,000 as a penalty for serious breaches of the Data Protection Act. It is hoped the new powers, announced by the Information Commissioner’s Office (ICO), will encourage organisations to better protect sensitive data.

Cyber criminals are increasingly targeting companies. More than 800 security breaches were reported to the ICO in just over two years, with nearly 262 the result of theft in which the personal information was held on an unencrypted portable device.

With many organisations vulnerable to online fraud, it pays to minimise the risks of data theft. Specialist insurance solutions are also available to protect companies against the fallout of a cyber attack.

Emerging risk

Cyber criminals are becoming more organised. In 2009, a major cybercrime network was exposed and closed down in Ukraine’s capital Kiev. What was significant about the network was how much it resembled a bona fide business: it had a well-staffed office that took up three floors and included a receptionist, an HR department and a dedicated call centre.

The hundreds of hackers employed by the company were mostly students, who were paid large bonuses to design viruses used to infect computer networks around the world.

“The legitimate side of their business was then contacting all the people they knew they’d infected and providing a solution,” explains Dan Hopkinson, a partner at Lockton and author of a white paper entitled UK Identity Theft: Urban Legend or Real Risk?

“It highlights that it’s proper organised crime,” he says. “Our view is that this should be on the agenda of every board in any organisation that relies on technology to either function or where they hold lots of personally identifiable data.”

The potential costs of a data breach are enormous. The sixth largest payment processor in the US, Heartland Payment Systems, recently announced a major breach involving 130 million credit and debit card transactions. It cost companies, banks and insurers an estimated $200m. The hacker responsible has received two 20-year sentences.

Damaged reputations

Beyond the actual cost of the breach and any fine incurred, organisations also have to consider the reputational damage.

“The bigger issue is customers voting with their feet – or more accurately with their mouse clicks,” writes Hopkinson in the white paper. “The reputational damage following a data leak can severely damage any business.”

Catalogue firm Argos was recently criticised for sending emails to customers that contained unencrypted credit card details. While it is not known whether any of this data was stolen, the negative publicity surrounding the breach could impact heavily on the firm’s revenue. Fear of fraud is the main factor deterring people from buying more online.

With more and more organisations relying on the internet for their businesses, cyber crime will become a key challenge for the future. “There are not many businesses that don’t rely on technology now so we see this as equally important as your traditional business interruption or your property or whatever other policy you want to name,” Hopkinson says.

Working with Kiln Syndicate 510, Lockton has developed a Business Resilience product that covers online fraud, data breaches and other forms of cyber risk. It also compensates companies for the loss of revenue linked to the reputational damage caused by a data breach.

“If businesses are run well and their practices are tight, this sort of insurance needs to sit alongside everything else they carry to make sure they’re properly protected,” Hopkinson concludes.

This article is provided for general information purposes only. Any insurance products referred to in this article will be subject to separate terms and conditions and this article should not be regarded as a substitute for referring to those terms and conditions.
