Cyber criminals have a variety of ways to break into corporate networks, and do so on a routine basis. In response, businesses put in place firewalls and other mechanisms to offer at least some protection against hacking.
But businesses’ web sites are particularly exposed, and hackers are turning sites built for legitimate customers against their owners. A hacker can study how a site’s features and workflows are designed and find ways to use its valid functions for exploitative, if not illegal, ends, without ever needing a code-level bug.
Known as business logic abuse or precision hacking, the practice is widespread partly because web sites have to offer that functionality to genuine customers, and partly because a feature being abused is still working exactly as designed, which makes the abuse hard to tell apart from normal use and difficult to prevent without inconveniencing those customers.
Because the concept can be a little fuzzy, let’s look at a real-world example of alleged business logic abuse. The BBC reported that in Brazil, a government agency responsible for issuing logging permits in the Amazon rainforest decided to go paperless, putting the permit application process on the web. After the change, according to accusations by the environmental group Greenpeace, hackers employed by logging companies infiltrated the web site and issued permits that exceeded the logging limits actually set by the Brazilian authorities. In other words, the hackers allegedly used a legitimate function of the web site to commit malfeasance.
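To make the pattern concrete, here is an added illustration (example code written for this page, not the Brazilian agency’s system, whose internals the article does not describe). It models a permit-issuing service in two versions: a weak one whose per-request validation is correct but which never enforces the authority’s cumulative cap, so a licensee who simply submits the form repeatedly walks past the limit, and a hardened one that enforces the cap server-side and records refused attempts for monitoring. The licensee name, cap and request volumes are constructed figures.

```python
from dataclasses import dataclass, field


class LimitExceeded(Exception):
    """Raised when a request would push a licensee past its cap."""


@dataclass
class PermitStore:
    # Annual caps set by the authority, in cubic metres, per licensee.
    # Hypothetical figures, constructed for this example.
    caps: dict
    issued: dict = field(default_factory=dict)   # cumulative volume issued
    alerts: list = field(default_factory=list)   # refused attempts, for monitoring


def _check_request(volume_m3, max_per_permit):
    # Per-request validation. Both versions below share it; the weak version
    # has nothing else, which is the point.
    if not isinstance(volume_m3, (int, float)) or volume_m3 <= 0:
        raise ValueError("volume must be a positive number")
    if volume_m3 > max_per_permit:
        raise ValueError("volume exceeds per-permit maximum")


def issue_permit_weak(store, licensee, volume_m3, max_per_permit=500):
    """Weak: every individual request is valid, so a licensee who submits the
    form repeatedly walks past the cap the authority set."""
    _check_request(volume_m3, max_per_permit)
    store.issued[licensee] = store.issued.get(licensee, 0) + volume_m3
    return store.issued[licensee]


def issue_permit_hardened(store, licensee, volume_m3, max_per_permit=500):
    """Hardened: the same input checks, plus server-side enforcement of the
    rule that matters, the cumulative cap. Refusals are recorded so repeated
    attempts to exceed the cap are visible to whoever monitors the site."""
    _check_request(volume_m3, max_per_permit)
    cap = store.caps.get(licensee)
    if cap is None:
        raise PermissionError(f"no cap on file for {licensee}")
    already = store.issued.get(licensee, 0)
    if already + volume_m3 > cap:
        store.alerts.append({"licensee": licensee, "issued": already,
                             "requested": volume_m3, "cap": cap})
        raise LimitExceeded(f"{licensee}: {already} + {volume_m3} > cap {cap}")
    store.issued[licensee] = already + volume_m3
    return store.issued[licensee]


def run_scenario(issue, requests, caps):
    """Replay a sequence of (licensee, volume) requests through one issuing
    function; return the totals issued, the number of refused requests and
    the number of alerts recorded."""
    store = PermitStore(caps=dict(caps))
    refused = 0
    for licensee, volume in requests:
        try:
            issue(store, licensee, volume)
        except LimitExceeded:
            refused += 1
    return dict(store.issued), refused, len(store.alerts)


# Constructed input: a licensee capped at 1,000 m3 submits four 500 m3
# requests, each of which passes per-request validation on its own.
CAPS = {"acme-madeiras": 1000}
REQUESTS = [("acme-madeiras", 500)] * 4


if __name__ == "__main__":
    print("weak:     ", run_scenario(issue_permit_weak, REQUESTS, CAPS))
    print("hardened: ", run_scenario(issue_permit_hardened, REQUESTS, CAPS))
```

The weak version issues 2,000 m3 against a 1,000 m3 cap without a single rejected request, which is why input validation alone does not stop business logic abuse: the rule that has to be enforced is about the state of the account, not the shape of the request. The hardened version also keeps a record of refused attempts, since a licensee who keeps hitting the cap is exactly the signal a monitoring team would want to see.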
According to a report on business logic abuse released by the Ponemon Institute, 88% of corporate IT experts surveyed said that business logic abuse is as or more important than other security issues. Yet only 31% of respondents agreed or strongly agreed that “my company has sufficient technologies for minimizing business logic abuses.”
Furthermore, survey results seem to indicate that few companies are either monitoring their web sites effectively or dedicating enough financial resources to the problem.
Such an approach from the C-suite is short-sighted, because precision hacking can have a direct effect on the reputation and bottom line of a company. For instance, a hacker may be personally opposed to some practice or policy of a corporation and seek to harm its brand or reputation by exploiting its web site. Or the hacker might simply be looking for a vulnerable web site through which he can steal money or personally identifiable information.
In the survey, a whopping 90% of respondents said their company had suffered financial loss as a result of precision hacking. A full quarter of them reported at least a 5% revenue loss.
With such large sums on the line, one would think that companies would have protection against this type of loss. Cyber liability coverage does just that – paying claims stemming from business interruption, brand damage, notification costs when customers’ data has been breached, and numerous other causes. But ironically, only about 2 to 3 in 10 firms carry cyber liability insurance.
An introduction to some of the issues surrounding such coverage can be found in an article titled “What is Cyber Insurance?”
IT security and loss prevention experts all concede that it is impossible to fully protect against hackers, and even large corporations routinely fall prey to cyber criminals. So while it makes sense to take steps toward shoring up your company’s digital security, you should also carry insurance that protects the business in the event that it is successfully breached.