Cyber-related issues are the biggest potential threat to businesses and represent the most lethal challenge to resilience
Businesses have benefited enormously from advances in technology over the last 20 years. The growth of the internet in particular has allowed companies, no matter how small, to have a global presence and to be able to communicate with suppliers and clients instantly, irrespective of geographical location.
The speed of change has been exhilarating and has transformed the way in which almost every company goes about its business.
The advantages are myriad, but come at a price, with cyber risk in its many forms at the forefront of concern for risk professionals and their employers. Foremost among these is the threat to business continuity.
With premises around the world, major multinational corporations are largely shielded from existential physical threats. Damage to or destruction of one property in a single location might cause manufacturing or logistical issues, but these are relatively straightforward problems to overcome. Rarely is this critical.
But failure of an IT system, whether deliberate or otherwise, can have immediate and significant repercussions across an entire business. In the worst-case scenario it can be fatally damaging. More likely, it can cause serious business disruption and result not only in considerable financial costs, but also loss of reputation.
“Cyber is an issue for every company,” says Carl Leeman, head of risk at logistics company Katoen Natie. “It is the most critical risk for a lot of firms as they can be affected simultaneously in multiple locations. It is certainly a major risk for us, as all our locations are connected.”
Mitigation strategies are crucial to prevent data breaches and systems failures, says Leeman, who calls cyber insurance “virtually useless”.
“Companies should spend the [insurance] money on the evaluation and study of cyber risk and to take measures to mitigate it instead of just taking out insurance. Insurers will only give you money in case of damage, but will not stop the problem happening in the first place.
“The only good thing about cyber insurance is that it might be an excuse for some companies to start the whole procedure of examining their cyber risk and discuss the issue across the business.”
Getting an outsider’s view
Insurers also lack the technical knowledge to assess a business’s IT vulnerability, according to Leeman.
“We hired an external company to do an audit,” he says. “It took quite some time, they had many meetings with different people in different locations.
“Today we have a view on two things – the really critical issues and the low-hanging fruit. We are working on both. Separate from that there are several other things – we now have a detailed report that covers a lot of aspects of the business, including really annoying things that are very easy to solve.
“I think it should be at the top of the list for any risk manager to work on business continuity as it is always key to have your IT systems operational.”
Dealing with cyber risk effectively in terms of developing resilience requires three things, according to James McAlister, of organisational resilience consultancy Crisis Prepared.
“It is partly a technical solution, partly investment from the C-suite to say this is what they want to do, and then it is a lot to do about the education of your employees.”
McAlister says he is working with many companies on determining the crisis decision process following a cyber attack.
“Education and training of your personnel is really important,” McAlister says. “The easiest way for malware or a Trojan to get into your business is via your own staff – for example by opening an email attachment loaded with the virus.”
McAlister says that while it is also important to make sure that companies invest in up-to-date anti-virus software, continuous scrutiny is critical.
“Have your own red team crawl all over your network and servers constantly looking for suspicious code,” he says.
While this can be carried out in-house, help from third parties can be more effective, according to McAlister, particularly for tasks such as external penetration “where you can be so close to the trees you cannot see the wood anymore”.
“If you go to a third-party vendor there is much more chance of them picking up stuff,” he says.
You could be next
“It is about knowing what is out there and being vigilant. It is about horizon scanning, looking at other industries like yours and looking at what is happening to them and working on the realisation that – although it has not yet happened to you – you could be next.”
One of the issues that has increased vulnerability to cyber threats historically has been a reluctance by some companies to share information about hacking for fear of damage to their business reputation by admitting to being a victim.
While companies are still largely unwilling to divulge this information publicly, it is being distributed quietly, says McAlister.
“There are lots of business continuity sector-specific groups such as finance,” he says. “I know they get together and talk about cyber issues. Perhaps they do not do this in the main presentations, but they do exchange information nonetheless.”
Financial institutions are especially sensitive in this area. “I work regularly with banks and maybe only half or fewer of cyber attacks actually get reported as they would rather take the financial hit than suffer any reputational damage.
“I can completely understand why they think like that. You only have to look at what happened to TalkTalk – they lost 100,000 customers within a few days of the incident.”
Fear of the consequences of a cyber breach becoming public knowledge stops many companies speaking out about IT incidents.
It is better to be proactive rather than reactive in terms of crisis communications and dealing with the media, McAlister says.
“It only ever becomes an issue when it gets into the public domain and customers and shareholders become aware,” he says.
“You are much better off going to them directly in terms of problems such as cyber rather than waiting to be outed.
“You will get through it if you come out and you are open and honest, but if there is a hint that you are trying to cover up something, then you will have a massive problem.”