How can businesses knock out online threats?
Cyber criminals can throw a sucker punch at businesses, exploiting vulnerabilities that could put them on the ropes.
That threat was underscored recently by a massive data breach at Epsilon Data Management LLC, a large email marketing services company that sends out more than 40 billion emails annually. Epsilon warned its clients that files containing email addresses had been compromised, exposing hundreds of thousands of customers to potential phishing scams. The companies involved included Capital One Financial Corp. and other major financial institutions, Walgreens Co. and other big retailers, and The College Board, which handles student data for more than 5,900 colleges and universities.
As cyber attacks become increasingly sophisticated, security breaches represent an ever-evolving risk, said Laure Guisinger, senior vice president and managing partner of Holmes Murphy & Associates Inc. By using tools such as risk management analysis, insurance coverage and software protection, businesses stand a better chance of defending themselves and their customers’ data from online threats, say Guisinger and other data security experts.
Growing problem
Theft of intellectual property, fraud and damage to corporate networks cost corporations more than $1 trillion per year worldwide, according to a 2008 study conducted by Purdue University and McAfee Inc.
It’s a problem that’s only getting bigger. Last year, data security companies identified more than 8,000 new software vulnerabilities, or 27 percent more than in 2009, with “a widening variety of attack methodologies popping up each day,” according to IBM Corp.’s annual X-Force Trend and Risk Report. Many high-profile, targeted attacks in 2010 were “launched by highly sophisticated cyber-criminals who were likely well-funded and well aware of hidden vulnerabilities,” the report said.
As cyber threats become more difficult to anticipate and defend against, insurance coverage will play an increasingly important role, Guisinger said.
“While I would like to think the (data security) industry has some pretty good experts on their side to contemplate potential threats, I just don’t think we can be as quick and react as fast as cyber thefts,” she said. One of the newest risks, for which Holmes Murphy brokers coverage, is cyber extortion.
“What (the insurers) have seen there is (hackers) that get in and then actually take down very large online retailers and say, ‘We won’t bring your system back up until you pay so much to this bank account.’ Who would have thought of that?”
Holmes Murphy has also dealt with some “interesting” cyber insurance claims in Central Iowa, Guisinger said, among them a bank whose data system was hacked. In that instance last year, criminals made numerous small electronic withdrawals from a large account during the course of a three-day holiday weekend, siphoning more than $200,000 from the account before the theft was discovered on Tuesday morning.
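A check that would have surfaced the pattern in that claim, many withdrawals each too small to trip a per-transaction alarm but adding up to a six-figure loss over a long weekend, is an aggregate rule over a rolling time window. The code below is an added example written for this article, not the bank's or insurer's system; the account numbers, thresholds, dates and ledger lines are all constructed.

```python
"""Rolling-window detection of 'structured' withdrawals: many debits that each
stay below a single-transaction alarm but add up to a large loss.  Added example
for this article; thresholds, account IDs and ledger lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Dict, List

# Hypothetical thresholds.  A single debit at or above PER_TXN_ALERT is assumed
# to be caught by an existing rule, so only sub-threshold debits are summed here.
PER_TXN_ALERT = Decimal("10000.00")
WINDOW = timedelta(hours=72)           # long enough to span a three-day weekend
AGGREGATE_ALERT = Decimal("50000.00")  # total of small debits that should page someone
MIN_TXNS = 10                          # ignore a handful of legitimately large payments


def build_sample_ledger() -> List[str]:
    """Constructed CSV ledger: timestamp,account,type,amount,channel.
    ACCT-1100 is an ordinary customer; ACCT-2200 is drained by 45 debits of
    $4,800 every 90 minutes from early Saturday, i.e. $216,000 in about 67 hours."""
    lines = [
        "2010-09-03T16:05:00,ACCT-1100,DEBIT,2500.00,WIRE",
        "2010-09-03T16:40:00,ACCT-1100,CREDIT,12000.00,ACH",
        "2010-09-04T09:10:00,ACCT-1100,DEBIT,2500.00,ACH",
        "2010-09-06T11:00:00,ACCT-1100,DEBIT,2500.00,ACH",
    ]
    first = datetime(2010, 9, 4, 1, 0, 0)  # constructed Saturday-morning start
    for i in range(45):
        ts = first + i * timedelta(minutes=90)
        lines.append(f"{ts.isoformat()},ACCT-2200,DEBIT,4800.00,ACH")
    return lines


def parse_ledger(lines: List[str]) -> List[Dict]:
    """Turn CSV lines into records with real datetime and Decimal types."""
    txns = []
    for line in lines:
        ts, account, kind, amount, channel = line.split(",")
        txns.append({"ts": datetime.fromisoformat(ts), "account": account,
                     "type": kind, "amount": Decimal(amount), "channel": channel})
    return txns


def detect_structuring(txns: List[Dict], window: timedelta = WINDOW,
                       aggregate_alert: Decimal = AGGREGATE_ALERT,
                       per_txn_alert: Decimal = PER_TXN_ALERT,
                       min_txns: int = MIN_TXNS) -> List[Dict]:
    """Per account, slide a time window over the sub-threshold debits and alert
    the first time the window holds at least min_txns debits totalling at least
    aggregate_alert.  One alert per account, raised at the debit that tips it,
    so a live feed fires mid-weekend rather than at Tuesday's batch review."""
    by_account: Dict[str, List[Dict]] = defaultdict(list)
    for t in txns:
        if t["type"] == "DEBIT" and t["amount"] < per_txn_alert:
            by_account[t["account"]].append(t)

    alerts = []
    for account, rows in by_account.items():
        rows.sort(key=lambda r: r["ts"])
        start, total = 0, Decimal("0")
        for end, row in enumerate(rows):
            total += row["amount"]
            # Drop debits that have fallen out of the window behind this one.
            while row["ts"] - rows[start]["ts"] > window:
                total -= rows[start]["amount"]
                start += 1
            count = end - start + 1
            if count >= min_txns and total >= aggregate_alert:
                alerts.append({"account": account, "count": count, "total": total,
                               "window_start": rows[start]["ts"], "tripped_at": row["ts"]})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_structuring(parse_ledger(build_sample_ledger())):
        print(f"{a['account']}: {a['count']} debits totalling {a['total']} "
              f"between {a['window_start']} and {a['tripped_at']}")
```

On the constructed ledger the rule trips at the eleventh $4,800 debit, about fifteen hours into the weekend, long before the $200,000 mark. Two caveats a practitioner would add: the rule only helps if it runs continuously, holidays included, rather than in a business-day batch; and fixed thresholds are a starting point, with per-customer baselines doing the real work in production.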
The first line of defense against cyber theft is to prevent employee negligence, said Spencer Snedecor III, CEO of Palisade Systems Inc., a West Des Moines-based data loss prevention software firm. (For a Closer Look interview with Snedecor, see page 5)
“The number-one problem that every business has is uninformed and careless employees,” Snedecor said. “For instance, you might not think anything of emailing a list of customers’ addresses, or a list of employees’ Social Security numbers home to work on. That’s not good policy.”
Palisade’s software enables businesses to passively monitor network traffic, “so if we see an email with Social Security numbers on it, we can stop it from going out,” he said.
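The control described above, inspecting outbound mail for Social Security numbers before it leaves the network, looks roughly like the following in code. This is an added, illustrative example written for this article, not Palisade's software or any vendor's product; the message, names, addresses and domain are constructed, and the only real-world input is the Social Security Administration's structural rule that area 000, 666 and 900-999, group 00 and serial 0000 are never issued.

```python
"""Outbound-mail content inspection for U.S. Social Security numbers, the kind
of check described above.  Added example for this article, not any vendor's
product; the message, names, addresses and domain are constructed."""
import re
from email import message_from_string
from email.utils import getaddresses
from typing import Dict, List

# 3-2-4 digits with an optional, single '-' or ' ' between groups.  The word
# boundaries keep it from firing inside longer digit runs, but a bare 9-digit
# number (an account or order ID) still matches; see is_plausible_ssn().
SSN_CANDIDATE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the Social Security Administration:
    area 000, 666 and 900-999 are never issued, nor are group 00 or serial
    0000.  Rejecting those removes a good share of random-digit false positives
    without needing an issuance database."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> List[str]:
    """Plausible SSNs in text, normalised to 'AAA-GG-SSSS', first occurrence only."""
    found: List[str] = []
    for m in SSN_CANDIDATE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            ssn = "-".join(m.groups())
            if ssn not in found:
                found.append(ssn)
    return found


def inspect_outbound(raw_message: str, internal_domain: str, max_ssns: int = 0) -> Dict:
    """Decide whether a message may leave the network.

    Blocked when it carries more plausible SSNs than max_ssns AND at least one
    recipient is outside internal_domain.  Internal-only mail is allowed but the
    count is still returned so it can be logged.  Only the last four digits of
    each match are kept in the result, so the alert itself does not leak the data."""
    msg = message_from_string(raw_message)
    recipients = [addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [r for r in recipients if not r.endswith("@" + internal_domain.lower())]

    body_parts = []
    for part in msg.walk():                      # handles single and multipart mail
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            body_parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    ssns = find_ssns("\n".join(body_parts))

    return {
        "blocked": len(ssns) > max_ssns and bool(external),
        "ssn_count": len(ssns),
        "external_recipients": external,
        "redacted": ["***-**-" + s[-4:] for s in ssns],
    }


# Constructed message: an employee mailing a payroll extract to a personal account.
# The numbers are made up; one of them (area 666) is deliberately not a valid SSN.
SAMPLE_MESSAGE = """\
From: analyst@example-corp.com
To: personal.mailbox@example-webmail.net
Cc: teammate@example-corp.com
Subject: payroll list to finish at home
Content-Type: text/plain; charset="utf-8"

Here are the employee records I need to finish over the weekend.
Pat Q. Public, SSN 478-23-9817, desk phone (515) 555-0100
Sam Example, SSN 312 04 7712
Placeholder row, not a person: 666-12-3456
"""

if __name__ == "__main__":
    verdict = inspect_outbound(SAMPLE_MESSAGE, "example-corp.com")
    print("BLOCK" if verdict["blocked"] else "ALLOW", verdict)
```

The sample is blocked: two of the three candidates pass the structural check and one recipient is a webmail address. The phone number does not match because its digit grouping is wrong, but an unseparated nine-digit order or account number would, which is why real DLP products add context keywords ("SSN", "Social Security") and per-message thresholds on top of the pattern, and why the paragraph's passive monitoring usually precedes blocking so the false-positive rate is known first.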
Not a defense
Nearly 30 states now have personal privacy laws on their books, in addition to federal laws such as health-care data privacy rules required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Snedecor noted. “That has raised awareness of needing to know what type of data they’re moving around,” he said. “Ignorance is not a defense; if you have personal information, you are required to take care of that data as it’s traversing your network.”
If executives actually knew how much sensitive data is downloaded off their companies’ networks on a regular basis, “they’d be shell-shocked,” said Snedecor, who served on management teams of start-up data security companies that were acquired by McAfee and Symantec. One of Palisade’s health-care clients found 44 potential breaches of the HIPAA law within the first hour of switching on Palisade’s software, he said.
Palisade, which currently has about 200 clients across the country, should see significant growth in the next few years, particularly as government enforcement becomes more aggressive, he said. For instance, the HITECH Act of 2009 added provisions to HIPAA that expose health-care providers to potential multimillion-dollar fines, “so all of a sudden there’s a new increased sense of urgency.”
No one product, whether it’s software or insurance, can entirely protect a company’s data, Snedecor said.
“Personally, I can’t imagine how one would underwrite a policy against these risks, knowing the magnitude of what these risks can be,” he said. “We are in this society always looking for a silver bullet, but it’s more like (the need for) a balanced diet. You almost have to think of the (data security) products as food group components. For a well-balanced security program, you have to have something in each of those groups.”
Increasing interest
Holmes Murphy specialists provide risk management analysis of exposure a company may have to cyber theft and data loss. The process is “fairly extensive, and it obviously involves many people within the company,” Guisinger said. “It can’t be done with just one person; a lot of people think just the information technology department is involved, but it really needs to come from the top down.”
Cyber risk insurance has two primary coverage components. The first is a provision for first-party risks associated with the interruption of business from a data breach or theft, including the additional cost of notifying customers and the potential cost of monitoring their credit reports. The second component of coverage relates to third-party costs and liability if customers incur losses or damages due to the data breach.
Though premiums will vary depending on the company’s risk, a policy with a $1 million limit and a $25,000 deductible for a nontechnology business with $8 million in revenues would cost about $2,800.
In many cases, the insurance companies that provide the policies will conduct their own forensic analysis to test the security of a client’s system. Though some 97 percent of businesses have electronic firewalls in place, 65 percent also have reported their system being penetrated from the outside, according to a Computer Security Institute study conducted in 2007.
“We look at how much we can do from a risk management perspective to protect and prevent the loss from occurring,” Guisinger said. “But at some point, when you’ve got so many external as well as internal influences, it’s pretty tough to control all of that.”
Though interest in purchasing cyber risk insurance has grown about threefold from about three years ago, “I would guess it’s still a small percentage of our customer base that does purchase the coverage,” she said. “But the interest is so much more than it was even just a couple of years ago.”
The Epsilon data breach is a “visible acknowledgment” of the darker side of the software industry, Snedecor said.
“What I hope it will do is help move the conversation from fascinating cocktail conversation to small businesses asking, ‘What would happen if that happened to me?’”