8 Apr

Near-term future consumer risks from successful malicious online activities look to grow

Despite what looks like a daily increase in the number of successful attempts to maliciously disrupt legitimate online activities, end consumers look more exposed today, and for the near-term future, than ever before.

Two factors contribute to this assessment:

  1. Hacker tools now include a much richer supply of once-legitimate access credentials. At the same time, the organizations victimized by hacker successes are moving too slowly towards safely pooling the kind of information that is critically important to better defending future victims from the next round of hacker activity.
  2. Risk management programs (electronic data insurance policies) exist and are available for businesses to purchase, but they are not funded to an appropriate level given the extent of business exposure to hacker activity. There is little indication that the underwriters of these programs will add much more financial power to them anytime soon.

Both of these factors are worth further description. On the first: proven methods exist to render organization-specific information anonymous. As written earlier in this blog, I have personal direct experience promoting content sets (Key Risk Indicators, or KRIs) produced by one of these methods by an ISV targeting operational risk management teams at banking institutions subject to the Basel II accord.

There is no reason why similar technology cannot be used to strip critically important information about compromised login credentials of the specifics required to directly identify the source of the data. In case readers are unfamiliar with the imperative for keeping organization-specific information absolutely private, there are a number of good reasons for this requirement. The two most prominent are:

  1. Protecting an institution from full revelation, to peers within its industry group, of the extent of the damages it suffered, and
  2. Protecting an institution from potentially damaging publicity.

Certainly other reasons exist. Readers looking to explore these can contact me. I will be happy to discuss the topic further.
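To make the anonymization point concrete, here is an added example (not the ISV product or the KRI method the post refers to) of how a contributor could strip compromised-credential records of source-identifying specifics before pooling them across organizations. Every name in it is an assumption: the `CONSORTIUM_KEY`, the `RawRecord` fields and the sample records are constructed for illustration. The organization is replaced by a keyed HMAC pseudonym (stable, so counts per organization still work, but not invertible without the pooling operator's key), the login name is reduced to a coarse domain class, the source address is dropped entirely, the date is reduced to a month, and the leaked password survives only as a short SHA-1 prefix of the kind used in range-query lookups.

```python
"""Pseudonymize compromised-credential records before pooling them across
organizations. Illustrative code added to this post; it is not the author's
ISV product or KRI method, and all names and sample data are constructed."""
import hashlib
import hmac
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical per-consortium secret. Held by the pooling operator, so no
# single contributor can reverse another contributor's organization token.
CONSORTIUM_KEY = b"constructed-demo-key-not-for-real-use"

EMAIL_RE = re.compile(r"^[^@]+@([^@]+)$")


@dataclass(frozen=True)
class RawRecord:
    """What a victim organization holds internally (constructed fields)."""
    org_id: str       # contributor's own identity, e.g. "examplebank.test"
    username: str     # the compromised login name, often an e-mail address
    password: str     # cleartext as recovered from the dump
    source_ip: str    # where the credential was seen being used
    seen_at: str      # ISO date, e.g. "2015-04-07"


@dataclass(frozen=True)
class PooledRecord:
    """What leaves the organization: no field identifies the source."""
    org_token: str        # keyed pseudonym, stable across one org's submissions
    domain_class: str     # coarse bucket instead of the exact mail domain
    pw_hash_prefix: str   # first 5 hex chars of SHA-1, as in range-query lookups
    seen_month: str       # date reduced to year-month


def org_token(org_id: str, key: bytes = CONSORTIUM_KEY) -> str:
    """Same org -> same token; cannot be reversed without the consortium key."""
    return hmac.new(key, org_id.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def domain_class(username: str) -> str:
    """Keep only the top-level domain of an e-mail login; never the full domain."""
    m = EMAIL_RE.match(username)
    if not m:
        return "non-email"
    return "tld:" + m.group(1).lower().rsplit(".", 1)[-1]


def pw_hash_prefix(password: str) -> str:
    """5-hex-char SHA-1 prefix: enough to spot reused passwords, not to recover them."""
    return hashlib.sha1(password.encode()).hexdigest().upper()[:5]


def pseudonymize(rec: RawRecord) -> PooledRecord:
    """Reduce a raw record to the pooled form; source_ip is dropped entirely."""
    return PooledRecord(
        org_token=org_token(rec.org_id),
        domain_class=domain_class(rec.username),
        pw_hash_prefix=pw_hash_prefix(rec.password),
        seen_month=rec.seen_at[:7],
    )


def leaks_identity(pooled: PooledRecord, raw: RawRecord) -> bool:
    """Release gate: no raw identifying value may survive verbatim in the output."""
    text = " ".join(vars(pooled).values()).lower()
    return any(v and v.lower() in text
               for v in (raw.org_id, raw.username, raw.password, raw.source_ip))


def build_kri(records: list[RawRecord]) -> dict[tuple[str, str], int]:
    """KRI-style aggregate: compromised credentials per (org token, month)."""
    counts: Counter = Counter()
    for rec in records:
        pooled = pseudonymize(rec)
        if leaks_identity(pooled, rec):
            raise ValueError("record would leak its source; refusing to pool it")
        counts[(pooled.org_token, pooled.seen_month)] += 1
    return dict(counts)


# Constructed sample input; none of it refers to a real organization or person.
SAMPLE = [
    RawRecord("examplebank.test", "alice@examplebank.test", "password", "192.0.2.10", "2015-04-07"),
    RawRecord("examplebank.test", "bob@examplebank.test", "letmein", "192.0.2.11", "2015-04-08"),
    RawRecord("other-lender.test", "carol@other-lender.test", "password", "198.51.100.5", "2015-03-30"),
]

if __name__ == "__main__":
    for key, n in sorted(build_kri(SAMPLE).items()):
        print(key, n)
```

The design choice worth noting is that the pseudonym is keyed rather than a plain hash: a plain hash of a short, guessable organization name can be reversed by anyone who tries a list of bank names, whereas the HMAC token only links records from the same contributor together for whoever holds the key.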

But the lack of interest on the part of risk underwriters in “bulking up” the financial resources they offer does not look nearly as easily correctable. On April 7, 2015, the Wall Street Journal published an article written by Rachel King titled Cyber Insurance Capacity is ‘Very Small’: AIG CEO. In my opinion Ms. King is on track to publish this piece, which includes excerpts from an interview Ms. King had with Mr. Peter D. Hancock, the CEO of AIG.

One of the quotes Ms. King includes from her conversation with Mr. Hancock should provide the data security ISV community with a very valuable insight: “I suspect, over time, the willingness of insurers and by others in the industry to provide greater capacity will increase with greater comfort in the maturity of the countermeasures.” Apparently Mr. Hancock, AIG, and, perhaps, a good chunk of the rest of the risk underwriting business community are not yet convinced of our ability to defeat the hackers. Makes sense to me, and it ought to provide ISVs with a reason to work harder at the hacker problem.

In the meantime, businesses, and the members of the general public affiliated with them, should plan on more pain.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2015 All Rights Reserved

26 Feb

Online businesses look to be on course for a negative event of even greater magnitude — stay tuned

It is one thing to lose something of great value while covered by a comprehensive insurance policy, and quite another to be in the same position without the coverage.

So adding the insurance policy looks to be a no-brainer, right? Not so fast. According to an article titled Cyber attack risk requires $1bn of insurance cover, companies warned, written by Gina Chon and published on Thursday, January 26, 2015 by the Financial Times, businesses are not only finding a lot of obstacles on the way to securing the extent of insurance coverage they need for online commerce, but (and this is even more worrisome) are also showing a lot of reluctance to even make the effort. If we are looking at a wave of complacency, then perhaps a major negative event, with enormous financial impact all around, is in the making.

Back on October 13, 2013 we published a post to this blog titled Online Security Problems are too Pressing for the Public to Continue to Ignore. The position I have always taken on topics like the one Chon treats in her article for the FT is as follows:

  • The “mono protocol” data communications world we have, perhaps inadvertently, created by vigorously pushing further expansion of markup language code at the application layer, with Ethernet over TCP/IP as the underlying pipe, is very, very dangerous. The old world of multiple data protocols running across wide area networks made a lot more sense and was inherently safer.

But my position, at present, is “so be it”. The internet, for better or worse, as it is presently technically constructed, is here to stay. The question ought to be how we get this “genie back in the bottle” and mitigate the risks associated with doing business online.

Apparently businesses are not willing to take the steps required to reach this critically important goal. Underwriters seem not to want to handle the risk, and the insured are not willing to pay the cost of coverage. This is a potentially dangerous condition. One would hope all of the parties involved will see their way through to a mutually satisfactory conclusion. The sooner the better.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2015 All Rights Reserved