Why Do Hackers Hack?

It is important to understand the mentality of the hacker – the motivation. Why do they hack? To a hacker, breaking into someone’s computer is a fun challenge. They may not specifically intend to do damage to the computer. The thrill of gaining access is often enough. Hackers hack into computers to show off their skills to the world or, as we are seeing more often, to retaliate against another user or agency.

Many insurance companies either employ an in-house team or a PR consultant to deal with the press and protect their reputation. Why? It is because their reputation is important to them. That’s why I was uneasy when I saw the Government’s announcement to bring together insurance to counteract the cyber threat – many hackers will have seen that as a challenge, a throwing down of the gauntlet.

To prove our point, it was revealed that Sony Pictures Entertainment holds $60 million in cyber insurance brokered by Marsh, according to documents leaked by the hacktivists - “Guardians of Peace” - claiming responsibility for the attack on the movie studio.

It was reported that in May 2014 the movie studio turned to Marsh, which placed $60 million coverage with Brit Insurance, Liberty International Underwriters, Beazley and other carriers. The policy includes security and privacy liability coverage, as well as event management, network interruption, cyber extortion and regulatory action.

The fact that the insurance policy details were leaked shows that Marsh and the insurance carriers are considered fair game by the hackers and that these companies are now, effectively, targets.

Recognising and understanding the hacking threat is vital, but it is people internally, and not simply technology (or necessarily hackers), who decide whether IT infrastructure is secure, organised and compliant – or not. Whether the business is large or small, it is internal processes and people - annoyed ex-colleagues, untrained colleagues or even colleagues who believe they are being efficient by creating “useful” UAM groups - that are the biggest security risk for businesses and their risk managers.

Governance, risk and compliance is the place to start for businesses and the insurance companies that manage their risks. Technical security people are important assets, but there is no point assessing your overall network security if you don’t have simple risk management activities in place. Everything in security, risk and compliance is common sense, but common sense can be diverse, complex, layered and fallible.

Cyber risk is an opportunity as well as a threat to the insurance market. Insurers are well placed to advise consumers and deploy their capital to mitigate the risks. Before they do so, however, they would be well advised to get their own house in order.

Nicole Fowler