Our Cyber Dependency
Business today depends on the cloud. But what the world has come to call the “cloud” is not really a cloud. It is a symbol for global data connections too numerous and complex to diagram. As businesses outsource IT services to myriad specialist vendors, the connections become even cloudier.
It’s not just websites. Phones, buildings, and cars connect to the cloud. This will only increase, as we find more ways for data-driven devices and appliances to make our lives easier.
Since 2009, a powerful search engine, Shodan, has been pinpointing every connected device around the world. Hackers have used Shodan to gain access to bank buildings, conference halls, apartment buildings, hotels, and even Google’s Australian headquarters.
In our “internet of things”, it looks like nothing in the cloud is perfectly safe, and companies are connected in ways they don’t realize. Not even those companies we regard as bastions of the internet—Google, Apple, eBay— are invincible.
The Criminal Hacker
In the past decade, criminal hackers have sent thousands of successful viruses, Trojans, malware, and other malicious codes into corporate systems, government facilities, personal computers, and smartphones. They steal credit card data, military airplane blueprints, corporate secrets, consumer identities, and much more.
Concerned about the potential impact of cyber attacks on critical infrastructure (CI), the European Commission has proposed that all CI operators publish attacks on their systems in an official register. This will enable national governments to monitor such attacks, and try to prevent them from spreading.
In fact, Deutsche Telekom (DT) has already installed electronic traps, called honeypots, across its systems worldwide. Honeypots attract hackers by appearing to offer valuable data. In reality, they are isolated from a company’s network. They are constantly monitored, so that companies can record and analyze each attack and report it to authorities. The numbers are staggering. DT reports an average of 800,000 separate attacks each day.
Not all attacks lead to breaches. However, according to the 2014 IBM Poneman cyber report, every 2 years, 22% of companies suffer a data breach, each one leaking up to 100,000 records.
How many of these breaches do companies actually detect? Less than 1%, and almost always too late to prevent data loss.
The Accidental Hacker
Big hacking incidents are so prominent in the media, many companies don’t realize that external hackers only create 40% of breaches.
30% of breaches are caused by employees and contractors. That is substantial!
Negligence is the most common problem. It can be as simple as an employee or consultant connecting to a corporate server through a smartphone with malware on it. With 2 million malware and high-risk mobile applications, that is an increasingly common threat. Very often, failure to maintain IT systems and software also leaves them exposed to any viruses or other malicious codes that come along.
Cloudy Connections, Accumulated Risk
Negligence can be difficult to control in a cloud of outsourced connections.
Companies, even critical financial institutions, tend to use a high proportion of contractors for information technology (IT) services. IT evolves rapidly, and outsourcing allows the flexibility of hiring specialists as required.
IT outsourcing connects companies first to contractors, and then to unidentified subcontractors, creating chains of “insider” cyber risk. Corporate email subcontracting is very common. A virus in an email subcontractor’s system could quickly spread to thousands of multinationals.
How many companies know the names, much less the cyber security protocols, of all their subcontractors around the world? How many private, unprotected devices are connected to subcontractors, connected to contractors, connected to multinationals? The possibility of a negligent breach grows with each connection.
The Privileged Hacker
Negligence is one insider challenge; the other is deliberate misuse. Insider misuse produces 8% of recorded breaches.
Most external hackers are just probing company systems and hoping to get lucky. Insider spies and IT consultants don’t need to get lucky, because they know exactly where to find the most valuable data: innovative product designs and other intellectual property (IP), payment and bank details, and confidential client data.
How do they do it? C-Suiters with memory sticks, engineers emailing blueprints to their personal computers, system administrators posing as other users on the system, call-center employees writing customer credit card numbers down—from top to bottom, traitors get creative. In 70% of cases, it takes companies days, weeks, months, or years to discover the leaks.
Insider espionage, sabotage, and theft: Why do they do it? 10% simply have a grudge against the company, usually because they have been fired. It is no shock that 72% of insider breaches are financially motivated. Employees and consultants steal secret data to start their own companies, sell it to competitors, or deliver it as a gift to new employers. In fact, 79% of IP thefts occur in the month after an employee resigns.
Because of their targeted approach, insiders can deal a blow to the company’s bottom line that lasts for years.
Hitting the Bottom Line
The average cost of a corporate breach is USD 3.5 million, and costs can rise much higher.
As of 2014, a single 2011 breach has cost the affected company USD 200 million. One 2013 breach exposed the usernames, passwords, and credit card data of 110 million people. The costs to that company are predicted to reach USD 1 billion. These are just two of the criminal hacking breaches that get more expensive each year.
Insider breaches are more difficult to quantify. That is partly because they are embarrassing, and rarely reported. It is also because they so often concern stolen IP. How much exclusive business does a company loses when a single, innovative product design is stolen? Possibly millions.
Match the Cyber Defense to the Dependency
It is easy to understand why the world has become cyber dependent. The cloud makes global business faster and easier. Unfortunately, as our cyber dependency grows, so does the potential cost of a data breach. The need for cyber defenses to match our cyber dependency grows more urgent every day.
In addition to due diligence and improved cyber security protocols, companies should prepare for the cost of a breach. Since most companies can’t afford to set aside USD 200 million for a potential cyber disaster, insurance is critical. Yet, right now, 72% of European companies, and 79% of German firms, have no cyber insurance, according to the Federation of European Risk Management Associations (FERMA). Why is that?
Cyber insurance, like cyber risk, has been a cloudy topic. Initially insurers were as slow as everyone else to realize the scale and urgency of cyber risk. That is changing.
Cyber policies now include not only extensive coverage, but also emergency support, including 24-hour global hotlines. When a breach occurs, insurers can respond immediately, connecting companies to breach response services at preferred rates. These include: computer forensic experts, crisis response experts, credit and ID monitoring firms, and legal counsel. Forensics are especially important to recovering stolen data.
Cyber coverage now compensates for the heavy costs of data recovery, cyber extortion, privacy and security liability, emergency response, computer forensics, crisis management, reputation protection, notification, and legal defense. Cyber insurance also covers the business interruption loss and extra expenses which are not covered by standard property insurance.
Because cyber risk crosses business lines, the cyber insurance taskforce must also include seasoned claims experts from liability, property, and financial lines. They will be able to work hand in hand with clients to coordinate a complete claims solution as quickly as possible. A swift claims response is critical to business recovery.
With a 22% corporate cyber breach rate, it is time to face the bottom-line losses hiding in the cloud, and take concrete steps to protect against them. When a breach does occur, strong insurance partners can help companies recover data, reduce losses, protect their reputations, and resume business quickly.
|
Cyber Risk Checklist
It is true that cyber risk is more complex than ever. It has to be mapped and measured accurately, for insurers to be able to offer appropriate cyber policies.
- Companies should create a cyber risk map, starting with the link in the cyber chain closest to them. That is an internal risk. Then they should move through their chain of contractors and subcontractors, inspecting security protocols and risk aggregation nodes.
- Once all possible risk has been mapped, the probability and cost of a breach or system failure at each risk node should be measured, and a cost assigned. Adding all of the costs up will determine maximum cost exposure. This is also a good time to review the risks. Can any of them be reduced by improving systems, or hiring different contractors or subcontractors?
- Next, companies should check their cyber risks against existing liability, property, and reputational risk policies. Are there coverage gaps for non-physical business interruption, third-party business interruption, or other risks? The more detailed the risk map, the better insurers can help clarify whether existing coverage is sufficient for certain risks, or whether cyber coverage is necessary.
- Companies may decide that they want to retain risk up to a limit, so they should define a maximum deductible, and discuss it with insurers.
- With a solid cyber risk map and a defined deductible, securing a cyber policy will then be a matter of shopping for the best coverage at the most reasonable price.
|
