In markets across the globe, cyber incidents make headlines. The data breach at the supermarket chain Target in the US, where 40 million card accounts were stolen through a dedicated point-of-sale attack, has caught worldwide attention. The theft of over $25m by intruding into the infrastructure of numerous financial institutions in Russia has taken the affected corporations by surprise.
Estimates of the cost of cybercrime to the global economy range from $400bn to $600bn.
And while the harm to the economy is already massive, cybercrime keeps growing in scale. Just last year, the number of reported breaches exposing more than 10 million identities each came close to ten.
Apart from scale, attackers are becoming more focused. They know what they want, and they prepare their attacks well.
Above all, no industry is immune. Certain sectors, such as the financial industry or retail chains that process huge amounts of payment card data, will be targeted more than average.
Still, the potential for extortion of the healthcare industry through leakage of patients’ data, or for insider misuse by a disgruntled employee in a medium-sized company, is huge.
Threats come from every angle: tools and services to facilitate attacks can be purchased online for less than $500. Exploit kits, ransomware, malware, denial-of-service attacks – you name it. And attacks can originate internally, from a company’s own workforce, externally, from outside attackers, or from the two in collusion.
Interestingly enough, South Africa is moving up the cyber risk landscape. In 2014, locations hosting a higher than average number of phishing sites per 1,000 internet hosts included Ukraine, Brazil, and South Africa. And looking at those countries which reported more than 20 monthly phishing attempts per 1,000 IP addresses, South Africa ranks amongst the top ten, together with the likes of Italy, France, Belgium, and Spain.
So why worry?
After all, all those cyber attackers only want your best, don’t they? Your money. And they will look for the easiest way to go after it. Is your company entrusted with critical client data? You can be blackmailed with the threat of a forced data leak. Is it most rewarding to steal your customers’ credit card data? They will go after that. Are you heavily dependent on 24/7/365 online services? A denial-of-service attack will hit you hard.
In addition to the actual financial loss, the costs of responding to a data breach are substantial. Forensic experts, lawyers, and public relations consultants will have to be involved. Customers whose data have been stolen will have to be notified, and hotline support provided to ensure transparency at all levels. Online trading might have to be taken offline, causing massive costs through business interruption.
And among those that do become the subject of a cyber attack, companies which have a crisis response plan can count themselves lucky. A tried-and-tested crisis response plan, please.
Why? Because when a data breach happens, nothing less than a company’s reputation is at risk. As we all know, it takes years to establish a good reputation, and only five minutes to destroy it.
If you are not in a position to react swiftly – that is: to involve all necessary parties to contain the attack, to be transparent to the public at all times, and keep your customers informed – people might just think you have no clue what you are doing. And usually, people do not like to trade with companies which don’t know what they are doing.
So, what can you do? It’s easy, and not easy.
The easy part is to be prepared: have a Computer Security Incident Response Plan in place before you need it. Define the roles, responsibilities and procedures of the incident response function within your organisation. Review your cyber insurance: are the important perils covered, and do you have the right crisis response team?
Test your incident response competencies, identify gaps and amend where needed. Get full management and executive leadership buy-in to manage cyber risks. Have a communications plan: who must be informed internally (i.e. your IT, senior leadership, public relations, legal, and other business units), and who needs to be involved externally: your customers, partners, regulators.
The not so easy part is to be aware, and create a culture of awareness in your corporation. It’s not easy because it takes longer to embed in your daily processes and operations. But it’s doable.
Regularly review your threat landscape: how can you be attacked, and where can you be attacked? Regularly review publicly available information about developments in your industry and about cyber incidents. Stay in touch with experts, visit forums and workshops. Make cyber security a priority: make it a topic in executive meetings, invite your IT management, and invite external partners.
Regularly compare your IT security with evolving trends: are your IT processes up to date, and your software and hardware secure? Do they pass stress testing? What risk factors were identified, and how do you need to follow up?
And last but not least, do your employees know what to do, and whom to call, when they suspect a data breach?
Because cyber threats are constantly evolving. The new perils are already on the horizon.
The rapid rise of mobile banking, the storage of companies’ big data on cloud services, and Internet of Things attacks against smart televisions, automobiles, and medical equipment all pose questions on how consumers, corporations and manufacturers alike need to prioritise cyber security.
Johannes Gschossmann, Allianz Senior Underwriter of Financial Lines