Hackers Gonna Hack: Moving Beyond Prevention to Mitigate Cyber Risk

Industry Perspectives 2020-12-11

At a recent White House summit, Chinese President Xi Jinping promised that his nation would end its cyber-attacks on American companies. President Barack Obama greeted the pledge with open skepticism, questioning whether Jinping's "words [would be] followed by actions," and promising to watch carefully to see whether Xi makes good on that promise.

Such doubts are well-founded, since cyber-crime has proved enormously lucrative for China. Economists estimate that hackers steal $300 billion in intellectual property from U.S. companies every year. China is responsible for up to 95 percent of those thefts. These hackers -- who are almost certainly employed or supported by the Chinese military -- have perpetrated a series of high-profile attacks. For instance, authorities believe that it was China that broke into the U.S. Office of Personnel Management system and stole sensitive information on more than 21 million Americans, including social security numbers and fingerprints. Given that Chinese hackers have the ability and financial incentive to continue their cyber-crime spree, it's clear that American firms can't afford to rely on Jinping's promises. Instead, U.S. companies should secure their data and intellectual property by adopting a comprehensive cyber risk strategy that prevents most intrusions, identifies breaches quickly, and minimizes fallout in the wake of an effective attack.

A few simple measures can lower the likelihood of a successful attack. For example, businesses can bolster their security significantly by implementing dual-factor authentication and monitoring remote access. Reducing the number of privileged accounts and requiring unique local administrator passwords on every host can also help. And while these basic efforts at cyber-hygiene can go a long way towards securing an environment, it’s also important to use a flexible security architecture and technology that can identify malware without relying on signatures.

The grim reality is that even after taking preventative measures, businesses can't reduce their cyber risk to zero. When targeted, a typical IT department may have a difficult time fending off Chinese military hackers who are resourced, motivated and skilled enough to breach the defenses of the U.S. Office of Personnel Management.

So while prevention is important, companies can’t rely on preventative measures alone. To limit the damage of an attack, businesses need to detect compromises as early as possible. Unfortunately, they’re currently ill-equipped to do so. It takes an average of 205 days for a company to realize that a breach has occurred, and nearly 70 percent of successful attacks aren't discovered by the victim but by third parties such as law enforcement agencies. And even if a business successfully boots a hacker out of its system within days, the attacker may still have stolen valuable information.

To further mitigate the consequences of a successful cyber-attack, businesses can purchase cyber insurance. Just as traditional insurance policies protect against losses resulting from flooding or accidents, cyber liability policies can provide protection against the sometimes devastating financial impact of a cyber-attack. And although managing cyber risk with insurance is a relatively new concept, the cyber insurance industry is expected to grow dramatically in the coming years.

Despite promises to the contrary, cyber-crime and state-sponsored cyber espionage will continue to threaten companies in the U.S. and around the world. To protect themselves and their customers, businesses must step up their prevention efforts and be prepared to identify and respond to the attacks they can’t prevent. And because even the best security plan can’t be 100% effective when defending against state-sponsored attackers, more companies than ever are looking to reduce their financial exposure with cyber insurance.

If you’re interested in learning more about how to manage risk across your organization, I’ll be speaking at the NetDiligence Cyber Risk & Privacy Liability Forum in Santa Monica, October 6th and 7th. You can also learn more about FireEye’s Cyber Risk partners, including insurance underwriters, insurance brokers and law firms that provide the expertise and ecosystem necessary for managing this risk.