April and May were significant months for malware growth and increased spam and phishing attacks, as the volume of known malware swelled by more than a factor of ten, growing by 927.4 percent from April to May, according to German email security provider Eleven’s E-Mail Security Report for June 2012. The volume of spam emails was also back on the rise, while virus outbreaks more than tripled, up by 251.6 percent, according to the report.
April in figures
- The percentage of spam in email traffic was up 2.2 percentage points from March and averaged 77.2%.
- The percentage of phishing emails remained unchanged from March and amounted to 0.01%.
- In April, malicious files were found in 2.8% of all emails — the same amount as in the previous month.
- Over 20% of phishing attacks in April targeted Facebook users.
According to a recent survey of risk and financial managers, only 28 percent of North American companies have cyberinsurance in place — and many of their policies have low payout caps.
Specifically, 43 percent of the policies surveyed were for $1 million to $5 million in coverage — not all that much, given that 77 percent of the responding companies had $500 million or more in annual revenues. Also, the Ponemon Institute has reported that the median cost of cybercrime to an organization is $5.5 million.
The whole point of insurance is to cover large losses — losses too big to be covered out-of-pocket, losses which could be crippling to a company.
So why aren’t companies purchasing adequate coverage for potential cyber losses?
Two thirds of respondents to the Towers Watson survey said that their security was good enough — that their technology and risk controls were enough, or that there wasn’t significant data in their organizations that could be exposed.
Do companies really think that they can protect themselves against data loss? That’s like not buying fire insurance because you have sprinklers installed. Yes, sprinklers are good to have — in fact, your insurance company is likely to insist on them. But they can’t guarantee that you’ll never have a fire.
I have a really hard time understanding why anyone would think their enterprise doesn’t need cyberinsurance. Do they really think they won’t get hacked? That they won’t lose any data accidentally? That every single employee is pure of heart and deed?
Indeed, the 2012 PwC Global State of Information Security Survey shows that security capabilities have actually been dropping over the past three years. Only 29 percent of companies have an accurate inventory of where their data is stored, for example, down from 39 percent in 2009. And only 27 percent of North American companies conduct due diligence of third parties handling personal data — down from 45 percent in 2009.
According to the Verizon 2012 Data Breach Investigations Report released last month, 2011 saw 174 million records compromised in 855 separate incidents. And a Ponemon survey published last year showed that 90 percent of organizations had at least one breach over the previous 12 months.
So why the big disconnect about cyberinsurance?
One reason is that the folks responsible for buying cyberinsurance don’t work closely enough with the folks securing the enterprise. The IT department thinks that the finance department has coverage in place. The finance department doesn’t understand the technology and is counting on IT to keep the company safe. And some executives might think their existing policies cover data breaches when they don’t.
Nobody wants to stand up and say, “Our security system has holes in it that we can’t plug. We need to buy insurance.”
The perception that there’s insurance in place is dangerous when there’s no actual coverage. People can start slacking off if they think losses are covered. Insurance companies normally compensate for this by insisting on audits — they go in and check that the sprinklers are working and that smoke detectors are in place and that security cameras are installed.
In the cybersecurity space, this translates to network, data, and policy audits. Does the customer use the latest security technology? Does the customer have privacy policies in place? Do they restrict employee access to file-sharing networks? Do they scan outgoing communications to ensure that customer data isn’t being transmitted out of the company? Are privacy policies in place and are there procedures to ensure compliance?
By carrying out security audits and implementing privacy policies, companies don’t just lower their insurance premiums. They also lower the possible expenses, bad publicity, and loss of reputation that could result from a major data breach.
That’s got to be worth more than saving a few bucks on insurance.
As more enterprises gain comfort with private clouds, a logical next step is to consider monetizing these assets.
The situation most often comes up when an enterprise has a well-developed application and a portal to it, there is excess capacity, and there are other organizations that need the app and are willing to pay for it. The provider can then extend a private cloud as a software-as-a-service (SaaS) offering to other companies for a fee.