How new technology has changed the cyber risk landscape

Highly visible data breaches are growing with such frightening regularity, it is easy to understand why business leaders would fear they are losing the battle with cyber attackers. The biggest shift in this space in the past 10 years, and the one that is of most concern to risk managers, is that cyber criminals no longer discriminate between multinationals and small, high street businesses or between a telecommunications giant in Singapore and a tiny textiles factory in York.

DAC Beachcroft partner Hans Allnutt, who leads its cyber risk and breach response team, says we are in the ‘age of Big Data’. He adds: “There are three Vs in Big Data. One is variety, another volume and then velocity. We’ve never before had such a variety of data being held on individuals. It used to be that if you buy something in a supermarket, the supermarket knows that someone bought certain goods at a particular time and spent X amount of money. Now the supermarkets know who it was, what they’re doing, what period of time, where they came from, what they did, what they’re missing in their fridge, what their preferences are and other activities.

“In addition, the volume of that data is enormous. Naturally, that data was always there, but the capacity for companies now to capture it and store it is unprecedented. Then the velocity to transfer that data around the world and use it at speed. That really all builds up to the fact that data has been monetised, so personal data and our privacy is now a commodity. That means it needs protecting, which is a huge issue for risk managers in today’s world.”

Airmic board member Tracey Skinner says new technology has changed the cyber risk landscape in another way, in that the majority of business functions now rely on it. “The volume of business done on the internet in this space versus 10 years ago is completely unrecognisable. Every organisation’s reliance on technology is so much greater. Therefore the likely impact of a cyber attack on any organisation is far greater than it was. The two combined together, coupled with the greater sophistication of the hacker, has created a much greater risk for businesses. Also, there are now hackers with different agendas who are targeting particular organisations for a particular reason, as opposed to 10 years ago when it may have been somebody who just wants to do something for fun or for a little badge of honour. These days, it’s far more serious than that.”

Allnutt says an operational change has altered the risk landscape. “Most people now are paperless. When you are so dependent on electronic systems, that becomes a significant risk for businesses. Technology hasn’t really changed cyber risk. I think it has created it by definition. Modern life is governed by electronic systems. If we can’t have them, if we don’t have access to them, we cannot function. Technology is always going to be new and always developing, but our reliance on those systems is unprecedented. Cyber risk has always been there, but it’s here now at the forefront because of our reliance on those electronic systems.”

Skinner agrees. “Our reliance on IT systems and technology has changed dramatically all across the [Airmic] membership, therefore the risk becomes one for all of us,” she notes.

“Having said that, I believe there is still more of a brand and reputational risk for those delivering services in the technology and telecommunications industry, so they are still at the high end of the exposure. But I don’t really think any organisation, unless they’re completely without any technology, can escape.”

Security by design

One of the key issues for risk managers is that when adopting new technology solutions, there will always be a trade-off between functionality and security. New technology gives a firm the ability to differentiate and gain a competitive advantage. But while there is a temptation to promote the firm’s new functionality above all else, the flipside is there will always be a catch-up on the security side, according to experts.

“The answer is to have a principle of security by design,” says Allnutt. “That is, whenever you’re building anything new or developing anything new, you design security and integrity into that system or project from the start. Of course, the big challenge for risk managers is that this comes with a cost and time burden.”

Another significant development in the cyber risk space is where responsibility lies. Once, it sat squarely with a business’s IT function. These days, however, it is a concern for every employee from the board down. The difficulty for risk managers is not only understanding the risk in the organisation, but also getting all staff to actively engage in the protection of data.

Skinner says: “The challenge for risk managers is truly understanding the risk in the organisation end to end, which means understanding a lot about IT, being engaged with the CIO and really understanding the organisation’s unique weak points and therefore, any possible issues. The challenge doesn’t stop there, because once you get to understand it, you then have to communicate it to your senior management, which again can be an area, depending on the type of business, that they may not have touched on to any great extent before.

“For a board or an operating committee that hasn’t really touched on this space, it’s quite a difficult conversation. Time is always tight and it’s about getting airplay. The usual ‘five slides and you’re out’ approach can sometimes be a challenge when you’re talking about things that they don’t really understand and haven’t really got a handle on.”

Even with buy-in from the board, risk managers must justify the enormous costs of managing cyber risk. “The greatest difficulty is quantifying exposure, justifying expense and assessing the risk,” says Allnutt. “Just as technology changes, so is the law, almost as rapidly at the moment. Putting numbers into what that risk looks like in order to justify expenditure on risk management, be that control, software, systems or insurance, is a real challenge because we’re going into uncharted territory.”

One thing all the experts agree on is that ransomware is the biggest new cyber threat facing businesses.

Swiss Re Corporate Solutions claims expert Catherine Lyle says: “It is safe to say that 2016 is the year of ransomware. This is a quick and easy way for a criminal to make money. They freeze the system and say: ‘Pay us or you won’t be able to do business.’

“We’re also seeing a lot more hacktivism, where a person or a group may disagree with how the company is doing business and will hack in and cause either financial harm or embarrassment to a company because of the position that that company takes.”

She adds: “Criminals stay one step ahead and all we can do is try to keep our technology ahead of the crimes and our response moving faster, so that we can shut down and narrow down the timeframe of a cyber event.”

Scott Stransky, manager and principal scientist at risk modelling firm AIR Worldwide, says it is important to remember that where there are challenges, there are also opportunities for savvy businesses.

“I think there are all sorts of challenges around this risk, but that also leads to big opportunities. There is a challenge in figuring out where the next breach will come from. I don’t think anybody could predict what the next big event will be. The challenge is managing for any type of breach, any type of eventuality. We believe that by understanding what would happen if a cloud goes down or if a payment processor goes down, companies again could become more resilient to those types of events.”