The global threat environment
There are no longer any doubts that cyber risk is an immediate and significant issue for enterprises of all scales and in every sector. Left unchecked, it can bring corporations and countries to their knees.
According to Professor Greg Austin, director of the Australian Centre for Cyber Security, one of the major challenges is that the full dimensions of the problem are still being assessed globally. But he notes that US President Barack Obama has for the second year declared a national emergency in cyberspace, which indicates the scale and seriousness of the global problem.
According to Prof Austin, China has also stepped up its efforts in the area, under the direct control of the President, and has introduced a draft bill on cyber security.
In Australia the Prime Minister has assessed that cyber-crime has an economic impact ranging somewhere between $1 billion and $17 billion. Prof Austin said that extraordinary range indicates the continued lack of clarity about the true extent of the problem.
It is widely acknowledged that there is a problem, and senior managers and boards are increasingly concerned.
A PricewaterhouseCoopers report into global economic crime has for the first time identified cyber-crime as the number one threat, edging out asset misappropriation.
Prof Austin says that eight vectors of attack are currently in evidence: software, hardware, networks, payload, people, power supply, policy and ecosystem. In addition, nine major sources of threats have been identified, and Symantec data suggests there are as many as 30 different threat types.
These variables in combination make it difficult, if not impossible, to prevent any and all attacks. Prof Austin’s warnings are stark: “The criminals are always ahead of you or I…the bad news is that governments are well behind criminals and corporates.”
While he acknowledges that the chances of a serious cyber-attack on any one corporation or entity are quite low, the probability of the consequences being high in a handful of cases is extremely high. And that, he says, is what organisations need to prepare for.
Organisations attacked once are three times more likely to be attacked again - Symantec
45x more cyber ransom events year on year - Symantec
Cyber risk: are you properly prepared?
There are four key questions that every organisation needs to address regarding cyber risk and protection:
- What can go wrong?
- How bad can it be?
- How am I protected?
- Will my insurance work?
Assessing the organisational risk profile requires input from multiple stakeholders, including the Chief Financial Officer, Chief Information Security Officer, risk management head, and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.
Knowing the risk is one thing – dealing with it effectively also demands the support of the most senior management and board. Effective security requires a whole-organisation commitment from the top down.
The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach but also when they “ought reasonably to have been aware”, which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether there will be any extra-territorial implications of the legislation for organisations operating overseas branches or subsidiaries.
Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan, and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.
Aon cyber security summit, Aug 16
Aon’s Cyber Risk Symposium, held across Australia recently, delivered important clarity regarding the global threat environment. Working with partners DLA Piper and Symantec, and leading cyber security experts, Aon reflected on the legal influences on the cyber risk landscape and the technology solutions and strategies available. It also explored the growing role played by cyber insurance in underpinning safe and sustainable business models.
Aon plc (NYSE:AON) is a leading global provider of risk management, insurance brokerage and reinsurance brokerage, and human resources solutions and outsourcing services. Through its more than 72,000 colleagues worldwide, Aon unites to empower results for clients in over 120 countries via innovative risk and people solutions. For further information on our capabilities and to learn how we empower results for clients, please visit: http://aon.mediaroom.com.