Cyber risk exposure is under-appreciated by corporations and SMEs
There has been widespread publicity on the disruption caused by cyber attacks on Sony and Walmart, and on the activities of professional hackers. What is not well known is that statistics show 20% of Australian businesses experienced some form of cyber crime in 2012 and, astonishingly, 40% of all attacks were directed at SMEs. Losses reported include the hacking of a travel agent’s computer system, resulting in over 250,000 client credit card and passport details being compromised. A similar attack on a retailer’s website resulted in hackers gaining access to customers’ personal information.
“Cyber risk” means any risk of financial loss, disruption or damage to the reputation of an organisation arising from some sort of failure of its information technology systems. Cyber risk is now getting the attention of boards of directors and of senior leadership within the C-suite (CEO, CFO, CRO etc.), and is being led from that front. As a recent example, a cyber security company is warning that criminals have been accessing confidential data on mergers and acquisitions for over a year.
How technology is changing the risk equation
Cyber security commentators see the proliferation of technology, easy access to it, social media and the speed of communications as giving increased power to groups that historically had smaller voices.
Whether we look at Islamic State using technology and social media to amplify its voice for recruitment, messaging and marketing, or at the ways criminals use technology on the cybercrime front to steal personal data or credit cards, technology is aiding what historically would have been lower threats and weaker groups.
Cyber risk and risk management
The risks and opportunities which digital technologies, devices and media bring us are apparent. However, cyber risk is not a matter for just the IT team, although they play a frontline role. An organisation’s risk management function needs a thorough understanding of the constantly changing risks as well as the practical tools and techniques available to address them. And it is not only the major corporations which are potentially vulnerable - all types and sizes of organisations are at risk.
As high-profile data breaches are announced one after another, consumers may have stopped believing that companies take protecting their information seriously. It’s time for companies, especially SMEs, to start looking ahead at the next generation of threats and to step up their game to better protect consumer data. The threat landscape is continuously evolving. If you don’t already have threat intelligence and response plans ready for implementation this year, now is the time.
The number and sophistication of cyber threats will continue to increase exponentially. Fuelled by both geopolitics and economic incentives, international (and often state-sponsored) criminal organisations will escalate their development of offensive cyber capabilities.
The advent of Big Data is also changing the rules around privacy protection. As more incidents of privacy violations occur, the legal system tries to keep up by enforcing new laws to plug the security holes that Big Data finds.
What steps can an organisation take to reduce its cyber risk exposure?
Risk to all forms of information should be treated in the same way as other business or financial risk, especially where threats or vulnerabilities are constantly changing.
Ultimate responsibility for cyber security rests at Board level, with correct governance, management and culture throughout the business. The Board should seek assurance that key information risks are both assessed and prioritised, and that there is constant monitoring because threats and vulnerabilities are constantly changing.
Here are some leading questions which must be asked:
- What information must be protected?
- What are the risks to your information and how much risk are you willing to accept?
- What security measures, policies and processes do you need to implement?
- Are your current security measures effective?
- What would the effects on the business be if one of your risks became a reality?
- How do you ensure that you have the best understanding of cyber threats to your business?
A major cyber attack may seem like something that happens to someone else – it’s not! Although they may not hit the headlines, cyber attacks are increasing in prevalence and scale. The impact of not recognising and pre-empting cyber risks can be long term, so it’s best to take a proactive approach to this growing and formidable business risk.
Eddy Brett is a leading risk advisor with Austral Risk Services.
Austral Risk Services – Risk Advisors & Insurance Brokers
Please note some of the examples cited in this article are based on the experiences of Western Australian businesses.