E-commerce was the most targeted industry for computer fraud
E-commerce holds the potential for $13 billion this holiday season, but if a cyber attack were to shut down a retail Web site during the holiday shopping season, millions in sales could be lost.
E-commerce was the single-most targeted industry by cyber attacks this year, with nearly 16 percent of attacks from January through June – a 400-percentage increase from the 4 percent reported during the previous six months, data from the information security company Symantec shows in a September Internet Security Threat report.
Technical security measures like passwords, anti-virus software and intrusion detection systems cannot entirely protect organizations from financial loss, so companies are going to their insurance companies.
“You can’t perfectly protect your home from fire, but you can make it less flammable. There is still a risk, and you either live with it or get insurance. It’s the same with cyber threats. Cyber risk insurance is a perfectly viable option, depending on the risk,” said Robert Richardson, editorial director for the Computer Security Institute (CSI).
Cyber risk insurance, or network intrusion insurance, addresses losses that aren’t normally covered in business insurance policies, which cover loss due to damage to computers but not the lost data, said Peter Foster, senior vice president and information risk advisor of Marsh Inc., a risk and insurance firm in Boston.
Cyber risk insurance covers costs of customers’ information being stolen from Web sites, business interruptions from network outages and computer failures, viruses, worms, Trojan horses and cyber attacks, and it protects copyrights, trademarks and intellectual property.
Only 28 percent of businesses report buying cyber risk insurance plans, partly because the plans are fairly new, a CSI/FBI survey released this year shows.
The overall financial losses totaled from 494 people who responded to the 2004 Computer Crime and Security Survey was $141,496,560, suggesting the threat of cyber attack is real.
“It is reasonable to assume there are people out there looking for weak Web sites and if a system is unprotected it will come under attack 100 percent of the time,” Richardson said.
There isn’t much data on which to base cyber security insurance rates, so pricing can be tricky, but the cost of e-business insurance has been declining and underwriters now are willing to provide coverage tailored to the specific e-business risks of individual companies, Marsh reports.
The cost of a policy depends on past claims, the amount of Internet revenue earned by a company, and the amount of reliance on a network.
“Even for big retailers, only about 2 percent of sales come from the Internet, but that still equates to hundreds of thousands or millions of customers,” said Foster.
Plans can range from $5,000 a year for a small business to $50,000 for large corporations.
Before adding a cyber risk insurance policy to the repertoire of protections, companies should get a risk assessment from a computer security consultant – like a certified information systems security professional – and weigh all security options, Richardson said.
The two broad areas where security can be tightened are through technology and employees, Richardson said.
“Employees often breach security inadvertently by giving away information, like internal codes,” he said. “Small businesses will find there are a number of things they can do to increase security.”
