As the cyber-security threat grows, a reliance on defensive technologies is no longer an option. Changes to corporate culture and investment in detection, response and cyber-insurance cover are now critical elements of any security risk management policy.
Global firms are embracing innovative technologies because they have to. The search for cost savings is pushing cloud service delivery, back-office automation and business process re-engineering to the top of the boardroom agenda.
Simultaneous requirements for increased speed, efficiency and accelerated growth mean that improvements in Machine Learning, Unified Communications and the Internet of Things are being embraced across industries, often for the first time.
These technological advances are changing the face of enterprise. They allow data to flow efficiently between offices, workers, computers and devices faster than ever before. They connect scattered, mobile populations of workers and machines. They uncover value in this data and in these connections.
Ultimately, they deliver the new products, customer experiences and radical ‘agile’ workflows that are at the centre of current commercial thinking.
The Price of Innovation
But innovations like these come at a cost. When an enterprise spreads outside the traditional confines of its workplaces and datacentres to meet staff and customers wherever they may be, it loses control of its security. As third party platforms, applications and devices proliferate and connect, they present the cyber-criminal with an ever-growing ‘attack surface’ that is almost impossible to patrol.
Yet just as enterprise defences dissolve, criminals are proving that innovation is not the preserve of legitimate business. Some gangs are now operating at a more advanced technical and experimental level than some companies could possibly hope for.
The recent explosion in ransomware is a case in point.
Ransomware is a type of malware (malicious software) that either denies access to a victim’s data or threatens to make it public unless a ransom is paid. It has been with us for a surprisingly long time – at least since 1989 – but its use as an attack tool has grown exponentially in recent times. While accounts vary, between 2010 and 2016 ransomware grew from one or two releases a year to as many as 25 new variants per month.
This new breed of malware often takes control of machines and data using strong, state-of-the-art cryptography, so that the encrypted data cannot be recovered without the attacker’s key. And that is only half of the story. The criminals behind this malware are also using highly sophisticated ‘phishing’ attacks – deceptive messages that manipulate employees into giving them access to a company’s computer systems.
The Data Breach Investigations Report (DBIR) from enterprise network and security specialist Verizon states that phishing was used in more than 90% of the 42,000 security incidents and 2,000 confirmed breaches across 84 countries it studied.
From receptionists to CEOs, enterprise employees receive emails every day that look and sound genuine – but are in reality phishing attempts. A quick click on an apparently benign link or attachment installs the malware on the victim’s computer, from where it spreads to other machines on the network. An entire organization can be locked out of its data in a matter of minutes.
Put together the increased exposure of enterprise to attack with the growing innovation among cyber-criminals and it is no longer a question of ‘when’ but ‘how often’ cyber-criminals will cause your company damage. A recent Accenture survey found that among 2,000 security officers representing large corporations around the world, one in three targeted attacks was successful.
The consequences for enterprise are now devastating on a regular basis. The attacks on power companies and nuclear power plants, banks, military contractors, broadcasters, pharmaceutical firms, manufacturers, logistics companies, airlines and retailers in 2016 and 2017 show the breadth of the problem. Losses running into the hundreds of millions of pounds indicate the extent.
But the fallout from the cyber-threat has moved beyond balance sheets. It is now affecting senior executives directly – their jobs, their reputations, and the reputations of their businesses.
The Cyber-Threat To Executives Is Now Personal
As one of the world’s largest consumer credit agencies, Equifax, reeled from a 2017 cyber-attack that compromised data held on 143 million Americans, it lost board member after board member. In September last year, its CEO retired from his post, following in the footsteps of the company’s CIO and CSO.
At the beginning of 2018, the company reported that costs related to the breach would reach nearly half a billion dollars by the end of 2018 – making it the most expensive reported attack in history.
Events like these could not make it clearer that if you have anything to do with the security policy, legal obligations, compliance or risk management of a major business, combating a mutating cyber-threat ought to be one of your main priorities – even if cyber-security isn’t yet high on your risk register.
New risks are emerging too. Company directors and officers are now entering the relatively uncharted territory of personal liability if they don’t comply with new regulation.
“Regulatory compliance regimes around the world are quickly catching up with the threat. Compliance at senior management level is absolutely critical,” says Erica Constance, Cyber Portfolio Manager at QBE European Operations. “GDPR comes into force in May and companies must notify regulators within 72 hours of a breach being detected. These issues are creeping up on global business and adding to potential exposure.”
A Holistic Cyber-Response
Given the speed with which criminals are changing the security landscape, what should the enterprise do to respond? Companies have traditionally expended the majority of their efforts on defensive technology – focusing on the firewalls, anti-virus software, intrusion detection and malware detonation sandboxes that protect devices and networks. Board members, risk managers and the IT security community need to adopt a more holistic approach.
Four Steps To Better Protection
- It starts with cultural change. Employee security awareness programmes are critical if businesses are to defend against attack. Mock phishing campaigns, regular password changes, clear, enforced employee access-control and the segregation of systems are the first lines of defence.
- Progressive organizations have begun to incorporate security information and event management systems (SIEMs) into their security architecture. If criminals have used your employees to get past your outer defences, these allow your security teams to visualize and observe active adversaries once they are inside your network.
- But detection is not enough. Large organizations must markedly improve their in-house threat intelligence, the situational awareness of their teams, and their incident response management skills. This should be in cooperation with law enforcement, technology partners and managed security services firms.
- Companies need to partner with specialist global cyber-insurers like QBE to manage the financial, legal and public relations fallout of a major breach.
Without adding these four elements to your defensive posture, the resulting security and risk policy will not match the actual exposure facing your business.
But how do executives and managers actually put a figure on cyber-risk?
While there are scant studies on the topic, some numbers are emerging that make for alarming reading. According to a study of 419 companies around the world conducted by Ponemon Institute and IBM, the average total cost of a data breach is $3.62 million (£1.7 million). The average cost per lost or stolen record is a staggering $141 (£100).
And the likelihood of a material data breach recurring at the same business in the next two years? 27.7%.
“Working out potential losses from cyber-attack is a big piece of work for a major business to undertake,” says Constance. “But in many cases it is like the elephant in the room. Rather than go through the exercise, companies are waiting to see how much it costs their peers instead. And that is really dangerous.”
Comprehensive Cyber Protection
QBE is a leader in cyber-risk underwriting, providing world-class cyber-security crisis management and claims resolution for enterprise. It recognises that no two firms face the same cyber-risk, and offers a full-service claims solution that incorporates not only cover, but access to immediate support from some of the world’s most experienced cyber-security, legal and public relations companies, matched to the type and severity of the attack.
While QBE’s Cyber-Insurance cover reflects the current cyber-security battlefield, it is this crisis response that will matter most to board members and IT security teams on ‘day zero’.
“Our crisis solution is available 24 hours, seven days a week, 365 days a year,” says Constance. “It doesn’t matter if it is a Friday night or at 2am – there will be an expert at the other end of the line, ready to gather the response and mitigation resources necessary.”
IT forensic teams are available to work with you to establish the cause and extent of the cyber-risk or cyber-extortion threat. They can assess your network security and recommend improvements. If necessary, they can store data at a third-party host location should your systems remain vulnerable.
Legal specialists can assess whether the compromise puts you in breach of data protection law. If so, they will help you notify regulators and affected individuals, as well as support you in responding to any privacy regulator investigation.
Crisis communications is often as important a shield as any other to blunt the effects of an attack. QBE Cyber-Insurance cover means that crisis communication specialists are on hand to avert or mitigate significant damage to your brands and business operations at each stage of the response process.
“Some of our customers will have some of these aspects completely covered by in-house teams or outsourced agencies,” says Constance. “But many won’t have response and mitigation systems in-house or vendors in place to meet this new threat environment. They need support to make the right decisions once a breach has been detected, so we bring together some of the most experienced companies in the world to help businesses when they need it most.”
These companies include law firms Norton Rose Fulbright and RPC, IT forensics and incident response teams from Verizon, STORM Guidance and Eurofins, credit and identity theft monitoring from Experian, and crisis communications specialists FleishmanHillard Fishburn and Mattison Public Relations.
“The most important thing is that we are able to offer help when and where our customers need it. If a customer is a global company, we have support from specialist businesses that are themselves global. If someone has a breach in the Cayman Islands or the U.S. or Singapore, our partners have the same footprint to deal with it.”
The Most Experience
Crisis response management is key to cyber-insurance today. But the core of QBE’s offering is built on more than that. Its teams around the world have seen almost every kind of attack an insured business might suffer.
In an area of the insurance industry that is so new, this experience in understanding risk is what customers should be demanding of their insurers.
“But board level commitment to the new cyber-security paradigm needs to match,” says Constance. “The reality is that businesses and criminals are in an arms race, and regulatory regimes are becoming more aggressive. Investigating cyber-insurance is no longer enough. It is time to act.”
References
- Verizon, 2017 – Data Breach Investigations Report – www.verizonenterprise.com/DBIR2017
- Accenture, November 2016 – Building Confidence: Facing the Cybersecurity Conundrum – https://www.accenture.com/t20161027T195446__w__/us-en/_acnmedia/PDF-35/Accenture-Building-Confidence-Facing-Cybersecurity-Conundrum-Transcript.pdf
- Ponemon Institute / IBM, June 2017 – 2017 Cost of Data Breach Study: Global Overview – https://www.ibm.com/security/data-breach