


Cyber Attacks Increasingly Focused at Individual Users: Ernst & Young

The "human being is the perimeter," E&Y experts say, as attackers aim to take advantage of individual users' behavior to gain footholds in corporate networks.

Seventy-two percent of corporate information technology executives see risk increasing due to more external cyber threats, but only 49% of them feel the information security function at their company is adequate, Ernst & Young (E&Y, New York) found in its 2011 Global Information Security Survey.

E&Y surveyed 1,700 total organizations, including 143 insurers, for the study, which it presented at a media luncheon Monday. Jose Granado, the company's principal and America's Practice Leader for information security services, spoke early and often about an emerging threat to corporate information systems called the "advanced persistent threat": attacks that are sometimes state-sponsored, focused on single targets and meant to collect information over a long period of time.

"The human being is the perimeter today," Granado says. "The attacks are targeted towards specific people and their behavior, not a system."

To combat these threats, which mainly target intellectual property, companies should tell their information security workers to identify strange activity and behavior within a network. If certain operations are occurring at off times, for example, that could indicate a threat is in place.

"It's a combination of people and technology, and having a policy in place," Granado says. "You want to use technology that isn't like antivirus — pattern-based matching is not going to work."

Often, companies are unaware that there has been a breach of this type, adds Chip Tsantes, a principal in E&Y's financial services office who focuses on cyber risk. Too often, he says, regulators are the ones delivering the bad news.

"The regulators used to visit — but now they've moved in," he says. "They're seeing some of the things they used to think are OK really aren't.

"There's two types of companies: those that take a check-box approach and those who want good security," Tsantes adds. "It's about allocating resources."

However, more CEOs are seeing that they "really run two businesses," Granado contends, their core business and an information business.

"Executives know they're ultimately responsible for cyber risk," he says. "I have seen the more advanced global organizations taking this seriously. There's a brand play here — corporations should invest as much in protecting their brand as they do growing it."

New Channels, New Challenges

Some of today's buzziest technologies represent major security risks for institutions, Granado and Tsantes say. Mobile and tablets, for example, mean that there are more entry points for hackers to target. And with the consumerization of IT, even if companies don't issue tablets, there's a greater expectation that workers' personal devices will be granted full access to corporate information systems so they can use them for their job. Teaching them good information security practices for both home and office will lead to better habits, Tsantes says.

"You should just assume every device someone has is compromised and adjust for that," he laments. "But if you can educate someone to be the CISO at home, that can carry over. Techniques around guarding privacy can be brought to work."

Cloud computing also offers a potential security risk — but nearly half of the E&Y survey respondents haven't implemented any new controls to mitigate those risks.

[Check out our feature on four questions every insurer should ask about the cloud.]

It's not just specific cloud vendors whose security acumen should be vetted, Tsantes says. Almost every company has "at least one vendor who's put them in the cloud."

Ernst & Young "is seeing these hackers exploit the vendor channel" for the advanced persistent threats, he adds. "People have had to ramp up vendor risk management, focusing not just on contracts but on transmission protection as well."

Similarly, companies that are looking to use social media for marketing purposes need to treat these sites as vendors themselves and keep abreast of the sites' terms and conditions. It's important to understand the ultimate fate of data transmitted over those networks.

The company recommends using a separate network for social media, isolated from production data, to prevent leaks.

Nathan Golia is senior editor of Insurance & Technology. He joined the publication in 2010 as associate editor and covers all aspects of the nexus between insurance and information technology, including mobility, distribution, core systems, customer interaction, and risk ...
