HOME
NEWS

When tech is the target: cyber risks for tech companies


By VARINDIA - 2019-05-31
When tech is the target: cyber risks for tech companies

In a world in which cyber attacks are increasing in frequency and severity, companies rely heavily on technology to secure their data and systems. But what if your company is a tech company? What are the risks if your business model is to create business applications, cloud services, or even cyber security products?

 

Cyber attacks are increasingly targeting the technology sector. In February of 2019, Deputy Attorney General Rod Rosenstein announced the criminal indictment of two hackers associated with the Chinese government. The hackers were charged with conspiracy to commit computer intrusions against dozens of global and US-based companies, targeting managed service providers (MSP). Because MSPs store and manage data and other intellectual property for companies, the threat extended to potential loss of proprietary data from all sectors of business, and possibly governments, across the globe.

 

Cloud storage providers, Cloud computing services, Developers of cyber security software, or a file-sharing solution provider, are often the targets of cyber attacks. The damage such attacks can inflict go far beyond the cost of recovering compromised data.

 

How Vulnerable?

 

In large part, technology companies are at the forefront in the development of cybersecurity risks from the development of products and services to combat these risks to focusing daily on the trends and emerging risks.

 

In spite of this, tech companies lay vulnerable to cyberattack. In 2014, 3 billion Yahoo! users experienced account breaches. Over 500 million users had their names, emails, dates of birth, and phone numbers compromised in the attack. Unfortunately, it was the second large breach in a year for the company – in 2013, another 3 billion accounts had been compromised by another group of hackers. In March, the Asus’ software update system was hacked and used to distribute malware to about 1 million Windows computers. According to cybersecurity firm Kaspersky Lab, the malware was disguised as a “critical” software update, , distributed from Asus’ servers, and signed using a real Asus certificate that made it appear to be valid. Recently, after security researchers uncovered vulnerabilities that could allow hackers to take over the devices, Verizon sent out an update for millions of its routers. Since routers serve as the central point of any individual’s online activities, a hacked router could lead to significant abuse. For example, in 2018, Russian hackers infected more than 500,000 routers in 54 countries with malware that could cut off internet access and steal login credentials.

 

The complexity of a tech company’s risks depends on the type of products and services the company provides. Some companies may be required to store large amounts of sensitive data, while other companies need only maintain smaller amounts of information on their customers. Still, any stored data is a vulnerability, and any security incident can result in negative press, a potential stock devaluation and an overall lack of trust in the company holding or servicing your data.

 

Such was the case for a large online textbook rental and tutorial company when its systems were breached by hackers in September 2018. Hackers walked away with the names, emails, addresses, and passwords of the company’s 40 million registered users. Stock prices plunged, and the company had to shift its focus to securing their customers’ data and recovering from the impact to its reputation, not to mention business interruption losses.

 

Because the technology industry is comprised of so many different business operations and product types, exposures can vary wildly. The good news is that as attacks occur, tech companies are tightening controls. For example, there is a conscious effort to design products with security built-in not bolted on. Also, companies are moving to next generation firewalls with built in security and threat detection software that utilizes artificial intelligence.

 

Still, that just means hackers find new ways into a company’s network, develop new attack methods, and the success of those methods is evident in how such attacks trend. Five years ago, we saw a trend of hackers targeting retail because Point of Sale systems provided easy access. But as retailers boosted their security, hackers looked elsewhere. Currently, ransomware attacks are the ever-increasing method of hacking. With each new layer of security thwarting bad actors comes another successful way that hackers are able to gain access.

 

The weak link

 

As the hackers’ methods change, technology companies are adjusting their approach to cyber security. Established companies in particular are handling much of the innovation in cyber protection and prevention. Even tech startup companies with limited cybersecurity budgets, have been diligent about building their business operations around solid cyber security processes.

 

While some threats may emanate from inside the company, from employees’ actions, a major vulnerability lies with the vendor. This threat is very real for the tech startups that may not have the internal staff or the funding to handle its entire operations in-house. They turn to outsourcing portions of their operations. Yet many tech startup companies are missing a critical step – vetting the vendor’s cyber security posture.

 

For example, an alternative asset management firm that allows investors to buy repackaged home loans. The company gathers and stores investors’ personal and financial data, as well as financial data provided by banks and financial institutions. However, the company lacked the ability to easily access and search loan information. They contracted with a tech startup that had the technology to filter the data.

 

The vendor, however, was a two person start up with limited resources and security controls in place. When the breach occurred, the vendor revealed to the tech company that it had no cyber coverage. Although they were responsible for the data, the company hiring them owned the data, which meant they too were liable.

 

It is not just smaller technology vendors who can put your company at risk. On April 15th, 2019 Brian Krebs reported that the $8B IT outsourcing and consulting firm Wipro had its own systems hacked and were being used to launch attacks against some of the company’s customers. Wipro’s customers include firms across numerous industries including multiple Fortune 500 companies. It is important to remember that just because you are hiring a large IT vendor doesn’t mean they will have the best security, and just because you are outsourcing IT professionals it does not mean they are professionals in information security.

 

Solutions


From an underwriting perspective, it is imperative for your tech company to know how your vendors are addressing cyber risks. That allows underwriters to put proper coverage in place. Likewise, your company should be examining more closely the controls each of your vendors are using.

 

Your company should be reviewing its own vetting processes:

 

Who is the vendor?

What is our process for selecting a vendor? What does our due diligence look like?

How often have we reevaluated our vendor selection process? How often are we reviewing our vendors?

Are we reviewing contracts to determine liability prior to hiring vendors?

 

In addition, tech companies should be addressing data exposure liabilities by working with their customers and their internal staff to put proper controls in place. In a number of cases, system breaches are coming from the customer side, and savvy tech companies are putting controls in place to minimize breach damage. Some of those controls include:

 

Segmenting data - each customer account is stored separate from other customer accounts;

Requiring at least two-factor authentication;

Requiring password changes regularly;

Educating customers on how to keep their systems and information secure; and

Regularly reviewing the company’s exposure picture and amending or addressing any changes to the risk portfolio.

 

Staying ahead of bad actors

 

Cyber risks are a continuously evolving exposure that all companies face. For tech companies, their role in keeping both their operations and the operations of their customers secure is paramount to their business success.

 

Security Incidents and data breaches provide a lesson on what hackers are targeting, but also on how to protect systems and data from attacks. Technology companies lead the way in helping all businesses address the very real threat of cyberattack.

 

As cyberattacks increase in frequency and severity, tech companies must continue to innovate and lead the way in cyber security. As the first line of defense for all businesses, tech companies have a duty to get ahead of cyber risk and make sure their own security is the most comprehensive available.

 

Jonah Papesh
Senior Underwriter, Cyber & Technology, AXA XL

See What’s Next in Tech With the Fast Forward Newsletter

SECURITY
View All
Zscaler announces AI innovations to its Data Protection Platform
Technology

Zscaler announces AI innovations to its Data Protection Platform

by VARINDIA 2024-05-20
SHIELD to enhance Swiggy’s fraud prevention and detection capabilities
Technology

SHIELD to enhance Swiggy’s fraud prevention and detection capabilities

by VARINDIA 2024-05-20
Axis Communications announces its first thermometric camera designed for Zone/Division 2
Technology

Axis Communications announces its first thermometric camera designed for Zone/Division 2

by VARINDIA 2024-05-20
SOFTWARE
View All
Hitachi Vantara and Veeam announce Global Strategic Alliance
Technology

Hitachi Vantara and Veeam announce Global Strategic Alliance

by VARINDIA 2024-05-16
Adobe launches Acrobat AI Assistant for the Enterprise
Technology

Adobe launches Acrobat AI Assistant for the Enterprise

by VARINDIA 2024-05-11
Oracle Database 23ai offers the power of AI to Enterprise Data and Applications
Technology

Oracle Database 23ai offers the power of AI to Enterprise Data and Applications

by VARINDIA 2024-05-10
START - UP
View All
Data Subject Access Request is an integrated module within ID-REDACT®
Technology

Data Subject Access Request is an integrated module within ID-REDACT®

by VARINDIA 2024-04-30
SiMa.ai Secures $70M Funds from Maverick Capital
Technology

SiMa.ai Secures $70M Funds from Maverick Capital

by VARINDIA 2024-04-05
Sarvam AI collaborates with Microsoft to bring its Indic voice LLM to Azure
Technology

Sarvam AI collaborates with Microsoft to bring its Indic voice LLM to Azure

by VARINDIA 2024-02-08

Tweets From @varindiamag

CIO - SPEAK
Automation has the potential to greatly improve efficiency and production

Automation has the potential to greatly improve efficiency and production

by VARINDIA
Various approaches are followed to enhance efficiency, productivity, and cost-effectiveness

Various approaches are followed to enhance efficiency, productivity, and cost-effectiveness

by VARINDIA
Technology can be leveraged in several ways to boost efficiency, productivity and reduce cost

Technology can be leveraged in several ways to boost efficiency, productivity and reduce cost

by VARINDIA
Start-Up and Unicorn Ecosystem
GoDaddy harnesses AI power for new domain name recommendations

GoDaddy harnesses AI power for new domain name recommendations

by VARINDIA
UAE’s du Telecom selects STL as a strategic fibre partner

UAE’s du Telecom selects STL as a strategic fibre partner

by VARINDIA
JLR and Dassault Systèmes extend partnership for All Vehicle Programs worldwide

JLR and Dassault Systèmes extend partnership for All Vehicle Programs worldwide

by VARINDIA
Rapyder partners with AWS to accelerate Generative AI led innovation

Rapyder partners with AWS to accelerate Generative AI led innovation

by VARINDIA
ManageEngine integrates its SIEM solution with Constella Intelligence

ManageEngine integrates its SIEM solution with Constella Intelligence

by VARINDIA
Elastic replaces traditional SIEM game with AI-driven security analytics

Elastic replaces traditional SIEM game with AI-driven security analytics

by VARINDIA
Infosys and ServiceNow to transform customer experiences with generative AI-powered solutions

Infosys and ServiceNow to transform customer experiences with generative AI-powered solutions

by VARINDIA
Crayon Software Experts India inaugurates its ISV Incubation Center in Kolkata

Crayon Software Experts India inaugurates its ISV Incubation Center in Kolkata

by VARINDIA
Dassault Systèmes to accelerate EV charging infrastructure development in India

Dassault Systèmes to accelerate EV charging infrastructure development in India

by VARINDIA
Tech Mahindra and Atento to deliver GenAI powered business transformation services

Tech Mahindra and Atento to deliver GenAI powered business transformation services

by VARINDIA