Christian Simpson, cyber account underwriter at Allianz, on the growing cyber risk facing businesses of all sizes and what can be done to minimise it
Digitalisation is revolutionising the way businesses operate, bringing benefits such as operational efficiencies and enhanced customer service. However, it also carries risk in the form of potential cyber attack, as hackers become more sophisticated in exploiting network and software vulnerabilities to illegally profit from organisations’ data and intellectual property.
Cyber crime is on the increase and rose by 67% globally over the last five years. No business, large or small, is immune to a cyber attack or breach, and it’s more important than ever for companies to consider how they might respond in the event of a cyber security incident and to establish methods to reduce the likelihood of a breach occurring.
The consequences of a cyber security incident can be significant, with losses potentially reaching up to 25% of a company’s revenue. In addition to financial losses arising from the attack or breach itself, there may be other costs resulting from the remediation process and lost sales. Further, a business should consider additional costs such as customer breach notifications, regulatory compliance fines and technical investigation costs.
Where an attack brings down a company’s system, there will be business interruption costs to consider, especially if an attack leads to loss of service or requires downtime to restore services or data. The quicker a breach can be identified and contained, the smaller the impact on operations. However, it seems it’s taking longer for companies to manage such attacks, with the ‘mean time to contain’ having increased from 66 days to 69 days on average.
Reputational damage can be a further by-product of a cyber attack, particularly where a business fails to respond promptly and effectively. This may result in a hit on profits, a fall in share price or even potential management resignations.
Cyber attacks are carried out for a variety of reasons and by individuals fitting all profile types. Attacks may be financially or politically motivated or even committed by a disgruntled current or former employee. Types of attack include hacking, ransomware (where a criminal locks down a computer then demands a ransom to restore it) and distributed denial of service attacks. Today we see the development of more sophisticated and devastating viruses (eg Shamoon) that are designed to wipe computer equipment clean of all data, including boot records, which effectively destroys the machine.
While most data breaches are criminally motivated, nearly half of cyber security incidents can be attributed to system glitches or human error. It’s therefore imperative to educate employees on the right behaviours, such as reporting suspicious emails and not clicking on unfamiliar email links. Having business continuity and IT recovery plans in place will also make it easier to respond quickly and effectively if an attack or data breach does occur. Further, directors may also want to consider cyber insurance policies that offer pre-breach and post-incident response services as part of cover.
The old adage ‘prevention is better than cure’ certainly applies to cyber security, as no business wants to be in the position where it’s forced to deal with an attack. However, with cyber posing a very real threat to businesses of all sizes and trades, it’s important to understand the risks and take appropriate steps to mitigate them to keep cyber criminals at bay.