Canadian Underwriter
Feature

A primer on Cybercrime


July 31, 2012   by Insurance Institute of Canada



The threat of cybercrime is real, and no business is immune. In a competitive environment – and with heightened concerns about the protection of personal information – insurance adjusting firms, like all businesses, need to establish procedures to ensure that information is protected.

Sizing up cybercrime

Cybercrime refers to a criminal offence involving a computer either as the object of the crime, as a tool for committing a material component of the crime, or as a storage device to conceal evidence of a crime. The activity dates back to the early days of organizational computing in the 1950s and 1960s.

While most organizations are now aware of the intrinsic risks related to Internet use, many remain unaware of the potential severity of cybercrime and are unprepared to deal with its increasingly sophisticated forms. Cybercrime methods can include the following:

• Malware – malicious software that attacks, degrades or impedes use of a network, such as viruses, worms, spyware or Trojan horses

• Bot scams, in which viruses are used to take over large numbers of computers

• Denial of service (DoS) attacks, in which a firm’s network or e-commerce system is overwhelmed with meaningless service requests

• Distributed denial of service (DDoS) attacks, in which a DoS attack is launched from multiple intermediaries instead of just one, making it harder to track down and stop

Firewalls, intrusion detection systems, authentication devices, anti-spam software and anti-virus software are among the tools most commonly implemented to protect against cybercrime. But despite these safety measures, vulnerabilities persist. Attacks can result in a range of adverse effects:

• Mischief to systems

• Attacks on critical infrastructure

• Web defacement

• URL hijacking

• Damage to data integrity (copying, altering, deleting, destroying)

• Theft of customer data

• Theft of intellectual property

• Financial fraud

• Extortion

• Corporate espionage.

Cybercriminals come in different forms: some may be “professionals” hired for their skills and services, while others may commit their e-crime for personal gain or retribution. Employees, contractors, cleaning staff and other regular visitors can pose the greatest threat, especially if security policies and implementation are inadequate. Employees working internally may use work-related access or illicitly retrieved passwords to access the personal and financial data of staff, clients and claimants. From the outside, thieves may attempt to impersonate a customer or creditor; or hackers may tap into an organization’s database. “Social engineering” schemes involve both insiders and outsiders: outsiders use skills of influence and persuasion to convince company insiders to allow inappropriate access to company systems or provide proprietary information.

Counting the costs

Cybercrime can result in direct financial loss for a firm (through fraudulent activity), indirect financial loss (such as through business interruption and the costs of restoring data and services), and the loss of intellectual property or other forms of competitive advantage.

Perhaps the biggest potential cost of data loss through cybercrime is the damage to business reputation and loss of customer confidence that can result. When an organization fails to protect its information intelligence, clients and other key stakeholders lose their trust in the organization. For example, insurers may be reluctant to use the services of an adjusting firm that has suffered the loss of claims data in its care.

Loss of data can also result in the firm breaching its obligations under privacy legislation. The Personal Information Protection and Electronic Documents Act (PIPEDA) requires insurers and independent adjusters – like all private-sector businesses – to ensure that personal information is properly stored, managed and safeguarded. Claims files typically contain detailed information on the claimant, and can also contain information on third parties. For example, if an adjuster takes a statement from someone who witnessed a car accident, the witness’s name and contact information will be on file, and the statement itself could include information about other third-party witnesses. Loss of such data can represent a breach of the privacy of these various third parties.

Cracking the case

To protect a firm against cybercrime, business operations should be analyzed to identify areas vulnerable to IT risks. A strong business continuity plan should be developed, and a mix of IT security controls, enterprise-wide security policies and procedures, and appropriate employee behaviours should be implemented. Here are some of the key components.

IT security controls

• Install and maintain anti-virus software, firewalls and anti-spyware tools.

• Establish regular password change protocols and a requirement for strong passwords (mix of uppercase and lowercase letters and numbers).

• Install software patches as soon as possible.

• Implement strong backup routines.

• Log usage and monitor online activities.

• Remove unused software and unused user accounts; disable a former employee’s access to the network as soon as possible.

• Conduct regular diagnostic testing and monitoring.

• Access reputable outside help or technical expertise when required.

Security policies and procedures

• Implement reference checks of employees.

• Deal with disruptive behaviour and threatening comments from internal and external sources.

• Limit access to financial and other confidential information.

• Limit or restrict use of wireless hot spots, chat rooms, blogs and instant messaging.

• Prohibit downloads, including music, movies and software.

• Document and implement all policies and procedures.

• Implement a “user technology agreement,” to be signed by all staff, that specifies appropriate and inappropriate use of company computer technology and how violations will be handled.

Employee behaviours

• All staff should safeguard their passwords.

• Users should lock their computers when they are away from their desk.

• All staff should be trained in security awareness, including how to recognize and thwart social engineering attempts.

• Staff should control and monitor the physical business environment so that company computers are not physically attacked or damaged by disgruntled employees or by outsiders visiting the premises.

As the digital integration of commercial and personal information and activities increases, so does the potential impact of computer-related crime for all businesses, including adjusting firms. Reducing cybercrime exposures involves implementing the right tools and processes plus constantly monitoring and testing the firm’s networks and systems.

This article is based on excerpts from ADVANTAGE Monthly, a series of topical papers on emerging trends and issues provided to members of the CIP Society. The Chartered Insurance Professionals’ (CIP) Society is the professional organization representing more than 15,000 graduates of the Insurance Institute’s Fellow Chartered Insurance Professional (FCIP) and Chartered Insurance Professional (CIP) programs.


Tools of Cybercrime 

Virus: Piece of code that infects or corrupts files on a targeted computer by attaching itself to an existing program

Worm: Self-replicating program that uses a network to send copies of itself to other nodes on the network, consuming bandwidth

Spyware: Software that collects information about users without their informed consent

Trojan horse: A legitimate-looking program that performs hidden and unauthorized functions; used to take control of a victim’s system

