Mass Breach a Big Concern for Risk Experts



Asked about the prospect of systemic cyber attacks, risk experts cited the possibility of a mass breach in industries like healthcare and finance as a top concern.

If you’re curious about what kinds of bad things may happen in the not-too-distant future, the insurance industry is a good place to go looking for answers. After all, it’s the business of insurance companies to weigh the relative risk of bad things happening, and then help their customers insulate themselves from the consequences of those possible, if unlikely, events.

And squarely in the crystal ball of the insurance industry is the prospect of mass cyber disruption to the U.S. economy, including mass data breaches in critical industries like finance and healthcare.

That’s one of the conclusions of a new report out from insurer AIG, which found that fears of mass data theft affecting industries like financial services and healthcare run high.

Risk and cybersecurity professionals surveyed by AIG cited the possibility for a mass breach of 10 or more hospitals or insurers in the healthcare field as likely within the next 12 months. Professionals rated that scenario 4.1 on a scale of 1 (most likely) to 10 (least likely). Such attacks could follow the discovery of a flaw in common electronic medical records software, the risk officers hypothesized.

A mass data breach affecting companies in the retail and hospitality industries or a mass data theft targeting financial services firms were deemed only slightly less likely by risk professionals. They ranked 4.30 and 4.7 out of 10, respectively.

Survey respondents considered a range of different scenarios that ‘scare them the most.’ They included an attack on the power grid, efforts to manipulate or destroy data (rather than stealing it or launching a DDoS), and medical, utility, or financial records that are altered so that system users are unable to trust what they see, AIG reported.

The increasing reliance of firms across the economy on shared resources like cloud computing and connected “smart” devices and machinery has increased the systemic risk of cyber attacks to the economy, experts surveyed by AIG agreed. More than 90 percent of respondents to the survey said they believed cyber risk is “systemic” and capable of impacting many companies at the same time.

Recent months have seen evidence of systemic risk on prominent display. The October 2016 denial-of-service attacks on New Hampshire-based Dyn, a provider of managed domain name system (DNS) services, hobbled access to some of the Internet’s most prominent web sites and took a chunk out of Dyn’s own business. Attacks on electronic health records systems and insurers like Anthem have also spilled information on hundreds of millions of Americans, amounting to something like a public health crisis, with one in four Americans reporting that they have had data exposed in a healthcare-related breach. Attacks on common technology platforms and open source technologies like MongoDB have also spread pain across industries.

AIG said that companies need to start looking at the potential for systemic risk in their own operations. Respondents to the company’s survey said smaller events affecting between 5 and 10 companies were more likely than mass episodes affecting 100 or more firms. Still, “recent incidents, e.g. the MongoDB ransom, Dyn distributed denial-of-service (DDoS), and SWIFT banking attacks highlight the very real threat of larger systemic events,” AIG concluded.

“Our highly-networked economy relies on secure, expedient, and constant data flow and electronic communication. Disruptions to the flow and security of data can have cascading impacts and negatively impact institutions that rely on such data,” AIG concluded.

Companies need to carefully vet vendors and train senior management and other employees on proper security practices like data protection, backup and redundancy planning.

Paul Roberts


Paul Roberts is the editor in chief of The Security Ledger and founder of the Security of Things Forum. A seasoned reporter, Paul has more than a decade of experience covering the IT security space. His writing has appeared in publications including The Christian Science Monitor, MIT Technology Review and The Economist Intelligence Unit. He's appeared on news outlets including Al Jazeera America, NPR's Marketplace Tech Report and The Oprah Show.