Felix Schachter, Insurance Director at 6point6 writes –
Unprecedented times in the current economic environment
We live in a brave new world and if previous post-pandemic growth case studies are to be believed, big changes are ahead in the way business will be conducted and where employees are located. Technology stands to have a more central role in firms across the board and more employees will end up working remotely after the pandemic.
This shift from bricks and mortar to a virtual environment carries its own risks, as do sensitive communication channels with clients, employees, and other crucial stakeholders. Put simply, data travel has significantly increased, and when more data moves around, the risk of exposure and damage increases along with it.
Inflation of risks
Last year, a government survey in the UK found that only 16% of boards had an understanding of the cyber threats and challenges that they face, yet more than 90% had an existing cyber strategy in place. This indicates that businesses have plans, pathways, policies and procedures in place, but that actually converting these into penetration testing and other pragmatic steps left something to be desired.
A year later, we see a much higher degree of risk:
- Cyber risks involve not just external threats, but also internal risks emanating from employees misusing data.
- The sophistication of cyber threats has evolved from stealing data to the manipulation of data, which drastically increases the risk as the integrity of the data is now in question.
- Artificial intelligence as a weapon: cyber criminals are leveraging more advanced technology to carry out their attacks. A noteworthy example comes from the Wall Street Journal: fraudsters used AI-based software to mimic a CEO’s voice to request a cash transfer of £190,000 (approximately $243,000).
- Many business models have evolved from party-counterparty to an ecosystem model, with a number of players larger than two.
- The recent shift to remote working due to self-isolating has raised questions about the resilience of the operating model in several firms.
- In the macro environment too, the economic slowdown increases the motivation to steal data, gain an unfair advantage by manipulating data, and commit fraud in areas like insurance claims and others.
Translating into challenging reality
In light of the aforementioned risks, it’s not a surprise that cyber threats are on the rise. Almost half of UK firms (Cybersecurity Breaches 2020 survey) reported cyber attacks in the past year, with a third of those reporting weekly attacks. Overall, 40% of firms attacked suffered financial or reputational damage. As for internal cyber threats, those tend to be detected too late, with wide-sweeping implications that are difficult to contain and damage that is difficult to reverse once done.
From a financial standpoint, the macro challenge around data security is related to the value of risk, rather than the asset.
Most of us, and our insurers, look at the value of an asset as the financial indicator used to measure the impact of its loss or theft. But when it comes to data, that is only part of the picture.
For example, a financial firm had a database containing 10,000 customer names stolen. If we look at the value of the risk, we will likely find the cost of the theft includes the cost of clients taking legal action, regulatory action against the firm, and the opportunity cost of losing clients. Data being stolen or manipulated has far-reaching consequences in terms of money, time, and reputation.
Digital resilience is becoming the order of the day. Having plans and policies is not good enough. This is no longer a minimum to compete in an ever-changing landscape.
What can be done to manage and mitigate these risks, as we move forward into the next couple of weeks and months in an ever-increasing theatre of risks?
Discipline and pragmatism are crucial components in any cyber security strategy
An easy way to look at solutions to cyber challenges is to use a robust framework:
- Simple: to design, understand, and crucially, embed.
- Swift: critical in maximising effectiveness and value of the solution.
- Sustainable: understanding short to long term and enabling platform flexibility.
- Scalable: accommodating risks, business growth, and growth in data and platforms.
- Social: enabling cyber security in ecosystems of users, effective controls, and costs.
To be able to effectively deploy solutions, it’s paramount to understand the current and potential future threats, and to use the principle of preventative rather than clinical medicine to maximise data health.
This requires experience in dealing with threats, penetration testing, having a robust architecture, and also a strong R&D capability to think today about tomorrow’s threats.
Effective digital resilience is really about being aware of the changing business models after the current crisis, and having an understanding of the value of the risks attached to the assets, then factoring that into the amount spent on protecting a firm’s data.
In the next weeks and months, the overarching driver in many industries won’t be to grow, but rather to protect.