Leader's Edge: Global Scale


The Hacktivist Gunslinger

If cyberspace is the world’s new wild, wild West, the hacktivist is the new outlaw.

By Coletta Kemper

What costs more than the $288 billion black market for marijuana, cocaine and heroin combined? You expose yourself to it every day, at your home and at your office, every time you log in to your computer. It’s cybercrime, of course, and its cost in time, money and reputation is enormous and growing.

Norton, an Internet security firm, says the cost of global cybercrime reached $388 billion last year. The Ponemon Institute estimates the average cost of a data breach hit $7.1 million last year—$214 for each compromised data record. Sony estimates that data breaches it suffered last year will cost $200 million (some think it will be much more). The software firm McAfee estimates that, in 2008, “companies worldwide lost more than $1 trillion from IP and data theft.”

No one is immune. Every 19 seconds someone somewhere is victimized by cybercrime. Small and large businesses, governments, nonprofits and individuals have all been targets. Cyber risks come in many forms, from malicious hacking to identity theft to espionage and terrorism.

Last year McAfee uncovered a massive cyber spying operation, likely carried out by China, dubbed “Operation Aurora.” The malware attacked Google, Adobe, Northrop Grumman, Dow Chemical, the United Nations and dozens more companies, governments and nonprofits around the world. The attacks were systematic, sophisticated and well resourced—the type of attack often launched by a government or an organized crime group.

Loose-knit hacktivist groups, such as Anonymous and LulzSec, recently wreaked havoc on some very high-profile targets, including the Vatican, Sony and the CIA. A LulzSec leader who threatened to burn down the White House was recently arrested. Hacktivists are not just computer geeks living in their parents’ basements looking for some excitement. They can attack anytime, anyplace and anyone.

Even scarier, the world’s most critical infrastructures—oil, gas and electric grids—are at risk. A 2010 report by McAfee and the Center for Strategic and International Studies, “In the Crossfire: Critical Infrastructure in the Age of Cyberwar,” said nearly 70% of those surveyed frequently found malware designed to sabotage their systems.

What’s troubling is how few are prepared. In a 2011 follow-up report, McAfee found only a handful of those responding to the survey use sophisticated off-site security measures, a quarter have tools in place to monitor networks, and only 36% use tools to detect anomalies. Yet nearly 40% expect a major attack within the year. To make matters worse, recession-driven cutbacks in security have left many companies exposed.

With the threat to consumers, industry, the infrastructure and national security growing, you would think governments would place a priority on cyber risks. Interestingly, China, Italy and Japan have twice the security measures in place as Brazil, France and Mexico. The U.S. and the EU lag behind. The most vulnerable to attack are the U.S., Russia and China.

Governments are stepping up, but not soon enough. The EU is considering a new directive to harmonize data privacy laws across Europe, but the process could take several years to ratify. A number of EU countries are acting on their own and adopting data privacy regulations that require data breach notification to customers.

U.S. privacy laws vary state-to-state, but 46 states require organizations to notify customers of data breaches. There is no federal law, but the Obama administration supports one. Last October the Securities and Exchange Commission issued new guidelines on corporate responsibility for disclosing cyber attacks and their cost to shareholders. The guidelines also require companies to disclose “a description of relevant insurance coverage.”

Cyber liability insurance is a new frontier. Advisen research found that only a third of the companies it surveyed had a cyber insurance policy. Despite the increase in cyber risks and the potential harm an attack can do to customers and a company’s reputation, many companies don’t think they need it or figure other policies will cover their losses. The bad news is they often don’t. Sony is still battling with its insurers over coverage of its cyber attack.

Emily Freeman, a cyber insurance broker at Lockton, says most policies cover the “twin risks of privacy and security.” Policies can include business interruption, notification costs, class-action lawsuits, IT forensic auditing, legal costs, fines and extortion.
