Lloyd's faces up to threat of e-crime

Lloyd's of London has worked to understand growing cyber threats

The growing trend of organised gangs turning to e-crime has been confirmed by Lloyd’s of London, whose networks have been bombarded by structured and competent attacks.

Over the past 12 months the world’s largest insurance market has found that attacks on its systems have become more professional.

“We have noticed a drop off in what I would term ‘the enthusiastic hacker’, the academics who simply want to break through your firewall,” said Peter Hambling, chief information officer (CIO) at Lloyd’s of London.

“Criminal behaviour has shifted to take advantage of electronic channels, and the people doing this are maturing and getting better at it.

“What this means in terms of aligning my IT effort with my business need is that I have to set aside a chunk of resources to deal with that particular threat, and I have to put more against an organised criminal gang than I do against a hobby-hacker.”

Hambling said that 87 per cent of the external email coming into Lloyd’s systems is either spam or infected with malware. Last month, roughly 1,700 viruses were defeated by the insurer’s defences.

The organisation must also deal with an increasing volume of attacks on its core systems. “We are now defending 60 high-severity penetration attempts on our corporate infrastructure every day,” said Hambling.

“On average, something happens every six minutes that requires manual or automatic intervention to defend against. We are seeing a real escalation in the threat at the door.”

These activities tend to fall into two camps, said Hambling: cyber crime attacks, which are subtle in nature and seek financial gain through the surreptitious extraction of funds or data; or cyber terrorist attacks, which are high-profile and attention-seeking efforts to damage or deny access to systems.

Raising awareness of the risks and threats is a large part of the battle, said Hambling. Terrorist attacks present a particular challenge, as incidents tend to be kept quiet to deny perpetrators the oxygen of publicity.

“It’s the expanding role of the CIO. Ten years ago I wouldn’t be having conversations about terrorism or cyber crime ­ – I’d check for viruses, put up a firewall, and that would be it, job done,” he said.

“Now I have to understand cyber threats and what they mean in business and practical terms so I can counsel my board members to mitigate those risks, while recognising that you cannot do so completely.”

Lloyd’s has recently embarked upon an education programme to help spread best practice processes which help to reduce the threat of electronic crime.

The encryption of laptops and PDAs has been a key area of concern, because of the large damages that can result from the simple act of losing an unprotected device.

Meanwhile, Hambling has been working to boost the security of the internal boundaries at Lloyd’s. Over the past 12 months the CIO has implemented a number of new defence layers built around the organisation’s corporate perimeter, server and desktop boundaries.

An additional focus on automated services has helped Hambling to deal with the growing number of threats.

“We have put a security infrastructure in place to ensure I’m not disturbed every six minutes throughout the night, so I’ll be notified once or twice a day about an event that required extra-unusual intervention, or something that was unexpected,” he said.

“If we see things happening repeatedly we know what they are and we can configure the ecosystem to defend against them. When you see something new and different, that’s what we’re tracking for now.”

Although every business must protect itself against incoming threats from the outside world, applications used voluntarily by in-house staff can also cause problems.

While Lloyd’s has recently used tools such as Google Earth as part of i ts visualisation projects, great care must be taken while using such applications, said Hambling.

“What you may not realise is that behind the scenes, if you do not have sufficient security awareness, you may be putting large reams of data into the public domain,” he said.

“You could also be compromising the security perimeter of your business, or breaching disclosure regulations though what you are or are not reporting. All the safety nets that normally apply can be breached through some of these tools.”