We live in a digital world, where new technology sees more and more everyday items connected to the internet. Businesses obviously need to embrace digital or risk being left behind. However, they also need to understand the cyber risks that this connectivity generates and be prepared to manage them.
Why does cyber risk go beyond IT?
The evolution of systems and the ubiquitous rise of digital technology makes responsibility for cyber-security not just the domain of the IT department, but the entire business – from Board level to frontline.
At the moment, we have around 5 billion connected devices. By 2020, it's likely to be 25 billion.
Greater connectivity within the business environment means that areas and processes such as health and safety, credit, funding, liquidity and operations now face a greater risk from a cyber-attack. This connectivity can increase both the speed and the scale of the impact, while the re-use of common technology components, including cloud services, can further concentrate the risk: a single compromised or unavailable shared component can affect many business processes at once.
As connectivity and the internet of things grow, so does the threat level. Attack groups have realised the power and capability they can exercise remotely, from anywhere in the world. We are also seeing the growth and increasing commoditisation of specialist cyber-attack skills, with groups outsourcing to acquire the capabilities needed to carry out attacks on key targets.
What are the implications of a cyber-attack?
The implications of a cyber-attack can be crippling. Loss of, or compromised access to, systems and telephony can impact a business’ ability to service customers and communicate with suppliers and other stakeholders. Operationally and reputationally, both the immediate and longer-term effects of a cyber-attack can lead to loss of business, withdrawal of funding and regulatory fines.
The type of risk a business faces will depend on the industry it operates in. A business whose value rests on customer trust could be severely affected by the loss or compromise of data, whereas if the systems of a manufacturer of brake systems for autonomous cars or safety systems for oil rigs are compromised, the consequences could include loss of life. In both cases, substantial reputational damage would be incurred, with potential financial penalties also needing to be factored in.
From a financial perspective, businesses can face a number of challenges. If you haven't got credit lines in place and liquid assets available, how do you keep the company operational from a cash perspective until your insurance pays out or until you get your business operations back up and running? There are also second-order financial effects; for example, we have seen cyber-attacks leading to market manipulation and falling share prices.
Whilst IT and forensic costs can escalate quickly, business recovery can also drain cash reserves in unanticipated ways, for example the unexpected operational cost of bringing in additional staff to do things manually. Customer redress, uninsured losses, reputational damage and brand impact, for example through the loss of intellectual property, all add to the bill. Attacks which steal or compromise customer data will not only damage a business' reputation but, with the introduction of the EU GDPR (General Data Protection Regulation), can lead to significant financial penalties, potentially up to 4% of global annual turnover or €20 million, whichever is higher.
Where does the threat come from?
There are various groups that pose a cyber threat, with a range of motivations. These include:
- Nation states/state sponsored – the most sophisticated attacks typically come from nation state and state sponsored groups, and the impact can be destructive and devastating. The NotPetya cyber-attack on Ukraine in 2017, for example, spread well beyond its initial target and had severe consequences for organisations across Europe and worldwide.
- Organised criminal gangs – are another sophisticated attack group. Generally their motives are financial, but they will also seek intellectual property or personal data if they can monetise it, or cause disruption. These groups are typically run along traditional business lines, so they are looking to maximise their return on investment. They may also be working 'unofficially' on behalf of nation states. Ransomware has become particularly attractive to these groups, as it reduces the time to cash, and we have seen a dramatic rise in ransomware attacks in recent years, from 3.1 million in 2014 to 638 million in 2016.
- Hacktivists – are generally groups or individuals with a political ideology or seeking notoriety for their cause. They typically take over and deface websites, use them to promote their cause, or disrupt operations outright, for example by flooding a site with traffic until it is unavailable.
- Cyber terrorism – the capability of terrorist groups to carry out cyber-attacks is currently low but growing, particularly as more devices, cars, transport systems and critical infrastructure are connected to the Internet. The opportunity to carry out an attack that causes physical disruption is growing with them.
Is cyber risk just an issue for big businesses?
Cyber risk is a threat facing all businesses, today and in the future. Whilst the motivations of attack groups will often mean specific companies are targeted, for example to cause maximum disruption or for notoriety, and larger businesses may be in their sights, the threat to smaller businesses is just as significant. Many smaller businesses are suppliers to large businesses, and because they often lack the resources or skills to defend themselves, they can offer attackers an easier back-door into their larger customers.
Although the impact of a cyber-attack can wipe millions off the share price of a large business, change credit ratings and lead to declining customer and stakeholder confidence, the impact on a smaller business can, relatively, be more devastating and personal. It may not have the cash reserves or the ability to liquidate key assets that a larger organisation has, so its ability to weather an attack and return to normal operations will be weaker.
The message for all businesses, therefore, is to be prepared. Ensure that cyber risk is taken seriously across your organisation, that measures to mitigate that risk are in place, including a financial plan for keeping the business running through an incident, and that the steps to respond when an attack comes are clear and communicated. In that way, your business has a much better chance of recovering.