Concerns about cyber security are nothing new. Elena Kvochko (@elenakvochko), a cyber security expert, observes, “Cyber security has long become a standing issue for boardrooms, a core focus area for major corporations.”[1] What is surprising is that cyber security only made it into the top ten list of global risks a few years ago. Kvochko reports, “The perceived risk of cyber-attacks is so great that [in 2015] for the first time, it was categorized by 1,400 business leaders worldwide as one of the top 10 risks, among economic slowdown, increasing competition and property damage, according to the AON Global Risk Management Report.” When the study was released, Stephen Cross, Chief Innovations Officer at the company, stated, “Modeling of cyber risk is complex and difficult as it lacks sufficient historical data coupled with the fact that such data is captured in a sporadic and unstructured [manner]. It is also a very fast moving target. How do you adequately forecast for a cyber hurricane? Your cyber security is as strong as the weakest link in your supply chain. … Given the increasingly connected and digital world of trade and commerce, how do your executives cover all the bases and how do you evaluate the trade off between lower cost suppliers with the security standards you really need? Cyber exposure and failure to address it immediately and adequately can in fact be a catalyst to practically all of the top 10 risks.”[2]
Cyber Threats are both External and Internal
External Threats
Deloitte analysts note, “Widespread initiatives around customer analytics, cloud integration, connected devices, and digital payment technology are likely leaving businesses increasingly exposed to cyber threats. Some threats, such as credit card fraud and identity theft, are becoming all too familiar in today’s marketplace and can be significantly detrimental to customer trust and brand reputation. … Businesses that have direct contact with consumers, such as retailers, restaurants, and consumer product companies, should consider taking the proper precautions to mitigate cyber risk during this period of digital transformation. Their growing technology footprint, along with the accelerating pace of change in business, may have a dramatic impact on the breadth and complexity of the cyber risks consumer businesses will likely need to address over the next decade.”[3] Companies understand the dangers posed by hackers and other nefarious individuals. Recent ransomware attacks have brought cyber security risks into sharp focus. In the supply chain sector, suppliers can be a significant point of vulnerability because their security safeguards may not be as robust as those employed by the companies they supply. Sydney Lazarus reports a recent survey found 41% of the executives indicate their companies use supplier portals.[4] Hackers can use these portals as back doors when they identify suppliers with cyber security vulnerabilities. As the cyber threat grows, the global economy, not just companies, are at risk. Dale Walker (@Dale_A_Walker) reports, “A major global cyber attack could cost the worldwide economy £40 billion [$52.4 billion], with the damage being akin to a catastrophic natural disaster, according to a report by Lloyd’s of London. As much as £34 billion of that total cost may not be covered by cyber insurance policies, as many companies are underinsuring their systems.”[5] The report notes that one of the most recent ransomware attacks — WannaCry attacks — “cost of roughly £6 billion globally.” The greatest cost is not having to pay ransoms to unlock data. According to Walker, “The real economic cost is likely to come from network downtime, supply chain disruption, and system repairs.”
Internal Threats
Every company is concerned about malicious acts by nefarious hackers; but, too often, they fail to realize the greatest threats may be internal. Fortunately, that situation is changing. Brian Groom (@GroomB) reports, “Companies are increasingly aware that the way they manage people is often at the root of these crises. … People risk can range from sabotage or fraud to poor training, strategic miscalculations, lax safety rules or simple mistakes such as opening a virus-infected email. … The problem multiplies as a business becomes bigger, more complex and more global.”[6] Unfortunately, careful hiring and extensive training, while important, won’t eliminate human threats to cyber security. Groom notes, “Companies have put a lot of effort into processes to protect themselves, including enterprise risk management, or ERM, systems and there is a global standard for risk management, ISO 31000. These can give a false sense of security, however, because they do not take full account of the unpredictability of human behavior.” Matt Ingman, UKI Marketing Manager at Basware, asks, “Is your business inadvertently handing over the keys to its safe to unscrupulous employees or even total strangers?”[7] It’s not the inadvertent opening of an email attachment he’s concerned about. His concern is the deliberate act of fraud — which can also be a breach of cyber security. He adds, “Fraud isn’t 100 percent preventable — deception and opportunism are part of human nature. But there are steps you can take to deter and detect fraudulent attempts through continuous monitoring and surveillance.” Like other areas that involve cyber threats, fraud can be addressed using technology. “It can be labor-intensive to proactively carry out manual, spreadsheet-based analyses,” Ingman writes, “that’s why organizations are adopting analytics solutions that use complex algorithms to do the heavy lifting of unearthing suspicious activity.”
What can Companies Do?
Ingman’s recommendation to use technology to reduce cyber risks is being echoed by others. For example, Deloitte analysts also recommend proactive monitoring. Below are some other recommendations Deloitte analysts suggest companies adopt. They are:
- Be secure: Take a measured, risk-based approach to what is secured and how to secure it. This includes managing cyber risks as a team and increasing preparedness by building cyber risk management strategies in the enterprise and emerging technologies as they are deployed.
- Be vigilant: Monitor systems, applications, people, and the outside environment to detect incidents more effectively. This includes developing situational awareness and threat intelligence to understand harmful behavior and top risks to the organization, and actively monitoring the dynamic threat landscape.
- Be resilient: Be prepared for incidents and decrease their business impact by improving organizational preparedness to address cyber incidents before they escalate. This also includes capturing lessons learned, improving security controls, and returning to business as usual as quickly as possible.
They add, “Companies should consider balancing their expanding digital footprints with a growing focus on cyber risk. Emerging technologies are often attractive avenues of opportunity for cyber criminals looking to expose weaknesses in an organization’s digital ecosystem.”
Summary
Deloitte analysts conclude, “To stay competitive in today’s marketplace and effectively compete in a digital world, many consumer businesses are pursuing a wide range of technology-based initiatives that can increase the opportunity for cyber risk.” To counter those risks they assert “businesses should remain secure, vigilant, and resilient.” Groom believes too many company fool themselves into thinking they have strong cyber security defenses. He quotes the late Richard Feynman, a physics Nobel laureate, who insisted, “The first principle is that you must not fool yourself — and you are the easiest person to fool.”
Footnotes
[1] Elena Kvochko, “Cyber Risk As A Top 10 Global Risk for Businesses,” Forbes, 14 November 2015.
[2] Ibid.
[3] Sean Peasley, Kiran Mantha, Vikram Rao, Curt Fedder, and Marcello Gasdia, “Cyber risk in consumer business,” Deloitte University Press, 15 June 2017.
[4] Sydney Lazarus, “State of Risk 2017: Procurement Needs to Be More Proactive About Supply Chain Risk Management,” Spend Matters, 11 July 2017.
[5] Dale Walker, “Cyber attacks could cost the global economy £40 billion,” ITPro, 17 July 2017.
[6] Brian Groom, “When the workforce is the weakest link,” Financial Times, 21 November 2016.
[7] Matt Ingman, “Detecting fraud by numbers,” Supply Chain Digital, 9 September 2016.