Time to wake up to the risks of cyber crime 22 February 2016

With interconnectivity on the rise, every company needs to wake up to the risks of cyber crime, and be ready to detect and limit the damage.

With cyber crime already costing the global economy an estimated $445 billion a year, organizations must be ready to detect and limit the damage from cyber attacks.

Cyber-dependency will be one of the most important trends shaping global development over the next 10 years. Yet businesses are only just waking up to the technological risks involved, according to the Global Risks Report 2016 from the World Economic Forum (WEF), developed in collaboration with Zurich Insurance Group and other leading institutions.

Participants at the recent WEF meeting in Davos echoed that sentiment and suggested that data liabilities should feature in corporate accounts. Michael Bodson, President and Chief Executive Officer of Depository Trust & Clearing Corporation, was quoted in the Financial Times saying that he was “truly paranoid” about cyber risk and that if even a mid-size US bank lost its data through hacking, it could cause a major panic in the banking system. Gavin Patterson, chief executive of telecoms company BT, said that its network is dealing with hundreds of thousands of cyber attacks a day and that corporate boards are not keeping up with the rapidly changing and developing threat, according to Management Today.

At the meeting, the United States Attorney General Loretta Lynch stressed the importance of developing a global approach to counter the threat of cyber crime and protect the safety of information networks and online systems. “It is vital that industry and government continue to collaborate on this issue – perhaps more so than in any other area in which we have enforcement priorities,” she said. “Because private industry is so deeply affected by cyber crime, and also private industry has the cutting edge technology that’s useful to both government and industry in not only identifying the threats but also predicting and preventing them.” Lynch also welcomed the WEF’s recommendations for using public-private partnerships to address cyber crime.

Executives in eight countries – the United States, Japan, Germany, Netherlands, Switzerland, Malaysia, Singapore and Estonia – see cyber attack as the greatest global risk to doing business, according to the WEF’s Executive Opinion Survey 2015. Executives in the United Kingdom ranked it second. Zurich believes that executives in any country that has not ranked cyber within the top three risks to doing business are underestimating the risk in these markets.

Mapping the risk

With increasing interconnectivity between organizations, and every industry now heavily reliant on the internet to source and supply goods and services, every company should expect to be affected by a cyber attack, whether directly or on one of their trading partners.

Mapping the risk of such an attack is not a chore to be left to the IT department; the entire organization should be ready to detect and limit the damage to the business and its customers.

“Cyber-resilience means keeping in mind that a cyber incident will happen one day,” says Jérôme Gossé, Zurich Insurance Group’s head of security and privacy for Europe, the Middle East and Africa. “The question is not: ‘Will I be under attack,’ but ‘Will I be able to detect the attack and react to it?’”

“To manage this, you need to have the same approach as to any traditional risk: identify your most valuable assets and establish what you need to protect them from.” And then have a process in place for how to recover from such an event with as little damage to your business as possible.

Cost of cyber crime

With the European Union recently agreeing a new directive requiring key infrastructure providers (including banks, healthcare providers and energy companies) to report details of cyber attacks to the authorities, organizations will increasingly have to be ready to show they have taken all possible steps to prevent and limit the damage from such attacks.

As the Global Risks Report 2016 identifies, companies do not always realize immediately that they have been hacked: “Many attacks and intrusions are not immediately discovered – some are recognized only months and in some cases years later.” Even when an attack comes to light, organizations can be reluctant to publicize it because of the reputational damage and the risk of being seen as weak and attracting further attacks. For example, when Google was hacked in 2010, another 34 Fortune 500 companies also lost intellectual property in the same incident – but only one of them reported the breach, according to research by the Center for Strategic and International Studies and McAfee published in 2014.

Cyber crime costs the global economy an estimated $445 billion a year, according to the McAfee report. A report from the Atlantic Council and Zurich Insurance Group said that if rising cyber risk continues unabated, the resulting missed opportunities could lead to more than $100 trillion in unrealized global growth. That’s a fear shared by business leaders – some 61 per cent of CEOs say they are concerned that cyber threats could negatively impact their corporate growth, according to PricewaterhouseCoopers’ Annual Global CEO Survey.

Risks vary by industry, ranging from the theft of private customer information, including banking or healthcare information and trade secrets, to attacks against critical infrastructure.

“Organized criminals are looking for information they can sell on the dark web, and of course online retailers, healthcare and financial services companies hold very valuable information,” says Gossé. “For utilities, energy, and manufacturing companies, the attacker is more likely to be a state or a competitor looking for trade secrets or military information.”

The other main sources of cyber attacks are activists who want to embarrass or halt an organization’s activities, and company insiders, be it employees with a grievance or those looking to use their privileged access to commit fraud.

Interconnectivity threat

The threat is not always direct. Companies share sensitive information with third parties for everyday activities such as processing salaries and sending marketing material to customers. They also provide access to their IT system to external sub-contractors or partners. An attack on an outside system can quickly become a problem throughout the chain.

The Global Risks Report 2016 identifies the risk of cyber security breaches “cascading” through the broader economy. “Although organizations may recognize the benefit of cyber technologies for their bottom lines, they may not be fully internalizing cyber security risks and making the appropriate level of investment to enhance operational risk management and strengthen organizational resilience,” the report says. “As the Internet of Things leads to more connections between people and machines, cyber dependency will increase, raising the odds of a cyber attack with potential cascading effects across the cyber ecosystem.”

Taking the right steps

Organizations must start with a root-and-branch risk assessment to stave off cyber attacks and mitigate the risk of a successful breach to their activities, clients and reputations, says Gossé. “Every actor in every organization should be concerned about this and should work on the risk mapping scenarios,” he says. “Once you’ve done that, there are many steps to take: using technology to detect attacks and protect your IT infrastructure; proper data protection measures including encryption. Employee awareness is also important; you can have great IT security in place but if your employees don’t respect the procedures then you will be in trouble.

“On the interconnectivity issue, it’s really important that the security procedures you have in place are respected and implemented by your subcontractors,” he adds. “It varies by industry, but it’s better to select a limited number of subcontractors and partners who you trust and have verified.”

Putting in place incident response procedures for damage limitation when a breach happens should be part and parcel of risk mapping, says Gossé. These steps should include a plan to notify customers directly and through the press, along with a list of external experts who can give immediate help, such as an IT forensics firm to help contain an incident, legal partners and public relations consultants.

The Global Risks Report 2016 also highlights the importance of cooperation between organizations and law enforcement agencies in tackling cyber attacks. “It is becoming clearer that cybercrime cannot be fought unilaterally,” the report says. “Although businesses can follow standard industry practices or adopt individually tailored ways to deal with cybercrimes, cooperation throughout the value chain (because attacks can be made through supplier systems) and with law enforcement is also helpful.”

The need for collaboration between the private and public sector to tackle cyber risks was also emphasized in the 2015 Atlantic Council/Zurich Insurance Group report. The report encourages business leaders to engage with policymakers, and to take action on cyber security, while facing up to cyber risks within the business.

Key takeaways

·   Cyber attacks are growing in number and magnitude and cost the global economy an estimated $445 billion a year.

·   Interconnectivity means cyber attacks don’t have to be direct – an attack on a supplier or subcontractor can hurt your organization.

·   The EU will require key infrastructure providers to report cyber attacks to the authorities, increasing the pressure to have strong measures in place.

·   Risk mapping is the crucial first step to protecting your organization from cyber threats.