Alarmed by the recent news of cyber-attacks on Cayman banks and other high-profile businesses, many boards of directors may be asking their executive teams, “Could it happen to us?” Unfortunately, at most companies, the short answer may well be that it’s already happening. First in a series.
Although not all cyber-attacks make headline news, they can hurt a business in any number of ways, from simply vandalizing its website to shutting down networks, perpetrating fraud, and stealing intellectual property. The financial impact can be significant: statistics from Symantec place the cost of global cybercrime at $114 billion annually – $388 billion after factoring in downtime. McAfee estimates that $1 trillion was spent globally on remediation.
On a local level, we are all aware of social engineering attacks that have been conducted in the Cayman Islands and which have led to significant financial fraud that cost users thousands of dollars. In addition, according to research conducted by Microsoft Digital Crimes Unit, servers located in the Cayman Islands were responsible for the third-highest number of Nitol-controlling attacks following China and the U.S. (Nitol is a backdoor type of malware that infects users through a variety of common mechanisms). This finding is supported by a McAfee Threats Report which shows Cayman as one of the five main locations in Latin America that hosts servers with malicious content.
Cyber-attacks can also deal a serious blow to a company’s brand and reputation, with potentially significant consequences. Concerns about data security may prompt current and prospective future customers to take their business elsewhere, and negative reactions among investors may even drive losses in market value.
Managing risk a challenge
What’s more, because cyber threats are both a relatively new and constantly evolving source of risk, many organizations may not be as effective at managing cyber threat risk as they are at managing risk in other areas. Statistics from previous years show that a significant percentage of data breaches are discovered not by the victimized organization itself, but by external parties such as law enforcement or third-party fraud detection programs. As the researchers put it, “If [an] organization…must be told about [a breach] by a third party, it is likely they aren’t as knowledgeable as they should be with regard to their own networks and systems.”
With likelihood, impact, and vulnerability around cyber threat risk being potentially high, boards of directors have good reason to take their questions beyond “Could it happen to us?” to “How likely is it to happen to us, and what are we doing about it?” More formally, the central issues for boards to consider are exposure and effectiveness: “What is our company’s level of exposure to cyber threat risk? And how effective is it at keeping that exposure to within acceptable limits?”
The frequent challenge, however, is that putting the questions in these high-level terms may not always elicit useful answers. That’s because, unless a company is already quite sophisticated in its cyber threat risk management practices, it may not yet have the risk management infrastructure and/or governance elements in place to support a meaningful conversation. For instance, leaders may not have agreed on risk definitions, risk tolerances, or metrics specific to cyber threat risk. Or the company might lack the technology tools to effectively collect and report cyber threat-related information.
Fortunately for companies that are still in the process of ramping up their cyber threat risk management capabilities, their boards don’t need to be completely in the dark. If your organization isn’t yet in a position to discuss exposure and effectiveness as such, we recommend, as a first step, asking your executive team four questions about specific information security practices that we believe are essential to effective cyber threat risk management. Though these measures aren’t all there is to fighting cyber threats, they represent the core elements of an effective cyber defense.
The four questions that will be the focus of our “Risk intelligent governance in the age of cyber threats” series are:
- How do we track what digital information is leaving our organization and where that information is going?
- How do we know who’s really logging into our network, and from where?
- How do we control what software is running on our devices?
- How do we limit the information we voluntarily make available to a cyber-adversary?
Alexandra Simonova is a manager with Deloitte Enterprise Risk Services. Information in this series is based on the Deloitte white paper “Risk intelligent governance in the age of cyber threats.”