While the winter storms that hit the UK and Europe in the last week of February may have temporarily raised the spectre of traditional risks to business continuity, these are still being overtaken on the corporate ‘worry list’ by a more modern threat – that of cyber risk.
Ironically, while the development of networked computer systems has helped mitigate some of the old risks (e.g. by allowing staff to work from home in bad weather), they have brought risks of their own and new issues to consider.
According to the Allianz risk barometer 2018, cyber incidents have become the most feared trigger for business interruptions – and business interruptions in general ranks as the most important global risk for the sixth year in a row.
As with many enterprise risks, cyber incidents are interconnected risks and so-called ‘cyber hurricane’ events, where hackers disrupt large numbers of companies through common internet infrastructure dependencies, are increasing.
Is your cybersecurity ready?
The Hiscox cyber readiness report 2018, which looked at more than 4,100 organisations across the UK, USA, Germany, The Netherlands and Spain, found that companies in Europe are the least prepared for cyberattacks and should strengthen their defences. The organisations’ cybersecurity readiness was measured according to the quality of their strategy and execution, with respondents rated as either ‘cyber novices’, ‘cyber intermediates’ or ‘cyber experts’. Unfortunately nearly three-quarters fell into the novice category and only 11 per cent qualified as experts.
While organisations may not quite be cybersecurity ready yet, cyber risk is at least on the radar for most risk managers, with 66 per cent of Hiscox’ respondents ranking cyber threat alongside fraud as the top risks to their business.
Recognising all the risks
According to MetricStream’s recent Moving up the IT risk management maturity curve survey of companies across Europe, the US, and Canada, the top five IT threats and risks to business over the last two years were named as malware infections, security breaches, compliance violations and regulatory actions, account phishing, and spoofs of company executives.
Respondents reported relatively high levels of maturity on the capability maturity model integration scale (CMMI level three or higher) in IT risk identification and assessments, standardised documentation of processes and controls, control design and assessments, and IT risk monitoring and reporting.
However, 51 per cent reported a CMMI maturity of just level one or two out of a possible five when it came to IT risk management training. The report authors state that this lack of maturity could prove disastrous, as poorly trained employees fall prey more easily to social engineering attacks such as phishing which, in turn, open the door to larger attacks on enterprise security.
It’s not you, it’s me
While the risk from criminal acts is clear, Allianz’s risk barometer states that a more frequent cause of cyber business interruption is technical failure or employee error. It cites an example from February 2017 when due to human error Amazon suffered an outage of its cloud storage service for four hours, impacting a number of internet services, websites and other businesses. Companies in the S&P 500 stock market index dependant on Amazon’s services reportedly lost approximately $150m as a result.
So could the biggest risk to cyber security actually come from inside, whether intentional or not? The answer could be yes, according to the recent report CEO disconnect is weakening cybersecurity 2018, from Dow Jones Customer Intelligence/Centrify, which showed that 60 per cent of CEOs are investing most in malware protection, yet 81 per cent of breaches exploit identity.
While CEOs continue to believe that malware and other endpoint security solutions are still the answer to protecting their organisations, their data, their customers, and their brand reputations, the Centrify report says that technical officers on the front lines of security know a different reality: identity breaches — including privileged user identity attacks and default, stolen or weak passwords — are the biggest threat.
The authors conclude that this disconnect is resulting in misaligned priorities and strategies, as well as mis-investments in cybersecurity solutions, which are weakening security.
Beating the risk of cyber threats
According to Centrify, leaders in all parts of a business would do well to share their perspectives and contribute their expertise on the issue of cybersecurity threats — as this is the only way an organisation can gain a clear picture of the real risks and deploy resources accordingly.
Risk managers are well placed to help their chief officers to consider every type of cyber risk, and ensure that they don’t just measure incidents in terms of the financial cost of preventing or fixing problems – but that they also keep in mind the cost of the inevitable negative PR and reputation damage should business grind to a halt or sensitive information find its way into the wrong hands. As Centrify puts it: “While bottom-line considerations fall to them, they are in danger of being penny-wise and pound-foolish if they fail to consider the impact of reputational damage.”