The evidence suggests that the rate of successful cyber-attacks and data breaches is increasing. A recent global industry survey ranks cyber incidents as the third highest Global Business Risk for 2016, a jump of 17% on the previous year.
As our organisations (and society) expand their use of digital technologies, so does our dependency on those technologies. The problem is that the opportunities for adverse cyber risk incidents grow with them, and this is unlikely to be a linear relationship.
Cyber risk cannot be ignored. More importantly, it takes a whole-of-business response to minimise the cyber-threat to your organisation.
A wide range of authoritative assessments have been published that deal with the spectrum of adverse cyber incidents. These include:
- Verizon’s 2016 Data Breach Investigations Report
- Ponemon’s 2016 Cost of Data Breach study
- The 2015 US Association of Corporate Counsel’s State of Cyber Security report
- RAND Corporation’s 2015 report, The Defender’s Dilemma
- The SANS 2016 State of ICS Security Survey
- The Australian Federal Government’s Cyber Security Centre (ACSC)
- Norse Corporation’s and Kaspersky’s real-time cyber-map representations of cyber threat events
The bottom line is that cyber-risk should be a core and pervasive element of any organisation’s digital strategy. It should not be left to your technology vendor or IT department alone to take care of. Period.
Where are you on the digital cyber risk scale?
One of the key challenges facing organisations heading down the digitisation path is balancing the very real risks of cyber loss and consequential damage against the business benefits that digitisation would bring.
Getting this risk-reward balance right is no trivial exercise, for a wide range of reasons such as:
- Increasing rates of technology-led innovation and change. Protecting your organisation against an innovative, volatile and unknown series of threats is the real challenge. For example, shadow IT and the Internet of Things (IoT) open up new cyber-risk possibilities.
- Low digital literacy among company boards and senior executives, contributing to outmoded IT leadership expectations and reinforcing legacy IT departmental strategies and structures.
- Siloed internal organisational structures, where the lack of cross-functional collaboration inhibits intra-organisational agility and adaptability. Is cyber-security ‘not my job’?
- Lack of C-suite leadership clarity and coherence over how, specifically, digital technologies contribute to the organisation’s intrinsic value. If the value of IT and digital assets (including business systems, information, processes, mobile devices, apps and cloud services) is not known, how can the cyber risk to them be valued?
The question is: are your information security measures delegated to your anti-virus vendor and IT department to take care of? If so, the time to reconsider this approach is now.
Entering the danger zone: Digital to Physical cyber risk.
Moving beyond the privacy issue for the moment, cyber-crime and hacking are now having their presence felt in the real world.
The seemingly daily theft of company secrets, credit card details or personally identifiable information (PII) for the most part does not endanger lives or directly destroy physical assets. The line is crossed when it comes to physical-cyber risk. This is where things can get very serious.
Documented examples of physical-cyber attacks include:
- The 2014 case of a German ironworks being damaged by a cyber-attack.
- Stuxnet – a small computer worm that infected the industrial control systems of an Iranian uranium-enrichment plant (2010), resulting in the destruction of equipment.
- The early case (2000) of Maroochy Water Services on Queensland’s Sunshine Coast (Australia), where a disgruntled ex-employee used a laptop computer and a radio transmitter to remotely take control of a sewage pumping station and release 800,000 litres of raw sewage into local rivers and parks.
- A Jeep 4×4 that was ethically hacked and controlled remotely over a wireless link, overriding the driver’s ability to control the vehicle.
- A security expert who hacked into the flight control systems via the in-flight entertainment system on Boeing 737s, 757s and an Airbus A-320 aircraft while airborne. On one occasion he took control of the aircraft’s thrust management computer, which allowed him to make the plane climb on his command.
If your organisation deals with physical assets, or has physical processes that could cause physical damage, the physical-cyber risks should not be ignored.
When all else fails: Transferring your cyber-risk?
Cyber-risk insurance is now big business. Over the 24-month period from 2012 to 2014, the estimated global expenditure on cyber insurance premiums trebled from US$850 million to an estimated US$2.5 billion.
While cyber insurance is good news for the insurance industry, be aware that the maturity of the cyber insurance industry is low compared with other insurance products that have been around for a long time.
A fundamental challenge facing cyber insurance policy holders remains the clarity of definition over what exactly is being insured.
On the other side of the fence, the challenge facing insurers is the lack of precedent and data for underwriting defined risks. Clearly understanding the risks being taken on is also a challenge, especially when the nature of the risks is affected by rapid changes in technology – something that is difficult to predict.
The key message is to meticulously read, understand and test any hypotheses, definitions and contributory negligence conditions in your cyber insurance policy.
The buck stops here.
At the end of the day, company executives should acknowledge the fact that the cyber-risk genie is out of the bottle, never to be returned. It is incumbent on all business executives, managers and staff to have a solid understanding of, and keen interest in, cyber-threats. Only when a unified, well-architected cyber-risk framework is implemented organisation-wide, backed by a universally high degree of staff and management engagement, will the risks be optimally treated.
Irrespective of what strategies your organisation adopts in response to cyber-threats, remember that:
Responsibility can be delegated or outsourced, however accountability cannot.
The question is: Who is accountable for managing your organisation’s digital and cyber risks? The correct answer is: You are, and all others within your organisation.