Technical and human weaknesses make easy work for data thieves

Sep 12, 2018.

Data theft is a threat for small and medium-sized companies in particular, as many do not take cyber security as seriously as they should. Jean-Laurent Guinchard and Peter Fröstl of Europ Assistance explain how to shore up security gaps and what benefits the cyber protection for private individual* offered by Generali and Europ Assistance can bring. 

Does it just seem like it, or is cyber crime actually on the rise?

Peter Fröstl: Cyber crime is definitely increasing. We’re also hearing about it more often as Internet users gradually become more aware of the problem. Cyber crime affects practically everyone, companies as well as private individuals. The difference is that private individuals are usually random victims, whereas the attacks on companies are usually targeted.


How do data thieves operate?

Peter Fröstl: They send out e-mails with attachments to private individuals and hope that someone opens the attachment, which contains a trojan – a type of malware. With companies, the criminals gain access through unsecured IT infrastructure, for example. Many companies have no firewall or alarm system for hacker attacks. On average, it typically takes 150 to 200 days before a company notices that data have been stolen. The risk for the perpetrator is therefore low. Besides technical weaknesses, hackers and criminals also take advantage of human weaknesses.


What weaknesses do you mean?

Peter Fröstl: A simple example: An employee loses his company mobile phone, on which a large amount of relevant data is stored. This happens a lot more often than you’d think. The mobile phone is then sold to criminals who use the data. Or, employees open e-mail attachments that they shouldn’t and thereby infect the company computer with a trojan or virus.


Can you give us some other examples?

Peter Fröstl: Social engineering is up and coming – this is when perpetrators purposely seek contact with a company’s employees. They call and pretend to be a supervisor or a client in difficulty who just needs to quickly know their password. Sometimes you can even hear a baby crying in the background, so that the employee on the other end of the line understands how much stress the caller is supposedly under. The employee thus wants to be helpful and releases the information. Many employees have never heard about this problem, but social engineering is happening with increasing frequency and the methods used are becoming ever more clever. Companies need to inform their employees, so they can develop an awareness of these risks.


What are the perpetrators trying to achieve when they attack companies?

Peter Fröstl: Espionage and attacks on competitors are seldom – the percentage they represent is only in the single digits. Perpetrators want one thing above all – data. They steal data in order to blackmail their victims or to sell customer, health or credit card information in the dark net. They have to steal a lot of data if they want to earn well from it – a complete set of data is worth less than one Swiss franc in the dark net. The long-term goal of perpetrators is to get bitcoins, a cryptocurrency that can be converted to real currency, from which a lot of money can be made.


Who are these perpetrators? Are they organised groups or individuals acting on their own?

Peter Fröstl: They are very often individuals acting alone. Cyber criminals do not have close relationships with each other, because they do not trust each other and they often don’t even know each other. Plus, they are very spread out geographically.  Instances of organised crime can typically be traced back to Russia and Asia.


How can companies protect themselves effectively against data theft?

Peter Fröstl: There are five measures that can be taken that block about 85 per cent of the attacks. But, practically no small or medium-sized companies apply these measures – either due to a misplaced sense that they are too inconvenient or because they simply don’t know about them. First: Operating systems have to always be kept up to date. Second: Security updates have to be carried out regularly for all data applications and programs. Third: Users must not be given administrator rights. The fewer employees that have administrator rights, the less can happen. Fourth: The only applications allowed should be those that the employees actually need – all other applications should be prohibited. In reality, companies tend to allow a lot and forbid very little. It needs to be exactly the other way around. It’s a restriction, but it’s a very effective one. Fifth: Before taking a system live, a penetration test needs to be performed. Nowadays there are many service providers around that offer such checks.


What should a company do if it suffers damages?

Peter Fröstl: The data loss should be reported to the authorities, and customers should be informed. It is imperative for the company to do this. However, smaller companies in particular frequently try to sweep the incident under the carpet for fear of tarnishing their reputation. This is very unfair towards customers, because if they don’t know anything about the data leak they don’t have the opportunity to take measures to protect themselves – for instance, by having their credit cards blocked. If a customer later finds out that someone has misused his credit card and traces the problem back to the company from which the data was stolen, the company will have much bigger problems if they have not complied with their duty of information.


Generali and Europ Assistance provide cyber insurance. What is that exactly, and whom is it intended for?

Jean-Laurent Guinchard: These insurance products have not been on the market very long yet. They were developed based on the realisation that customers today not only have a “real” identity, but also a cyber identity. Many things we do today have slowly migrated into the Internet in recent years, and electronic devices are omnipresent in the average household. With this transformation, new risks and needs have evolved. We want to support our customers in this area, just like we do in “real” life.



What sort of benefits do Generali and Europ Assistance offer?

Jean-Laurent Guinchard: The new cyber insurance from Generali provides customers with comprehensive insurance coverage; for example, it covers the costs of restoring data and the losses incurred through misuse of personal access details by unauthorised third parties. Besides this insurance coverage, Generali also offers IT Assistance, which is provided by the experts at Europ Assistance. IT Assistance is a service available to Generali customers 24 hours a day all year round. Customers can contact our specialists for help in solving technical and cyber problems. Our experts can also help identify security gaps and remove malware.

If damage has already occurred, our IT experts first examine what sort of technical steps are required. They analyse exactly how the damage occurred and how it can be quantified in terms of financial loss. In the virtual world this often not an easy thing to do. If a financial loss has occurred, Generali will cover the costs.


*Generali currently does not offer a cyber insurance for corporate clients.


About our experts:

Peter Fröstl earned a bachelor’s degree and went on to acquire broad experience in the IT field, including at Telekom Austria and the IT services of the Austrian social insurance system. Since 2010, he has worked for Europ Assistance Austria, and from 2013 was team leader in the medical and technical area. Since 2016, he has been in charge of developing the “IT Assistance” department for Austria, Germany and Switzerland for private and business customers (SME). He is a specialist in encryption techniques and electronic signatures, as well as in knowledge management and knowledge databases.


Jean-Laurent Guinchard has 15 years of experience working in the fields of insurance and assistance. Since 2014, he has worked for Europ Assistance Switzerland, where he is responsible for insurance and product management in the home, travel and automobile business lines.