It is growing increasingly difficult for businesses to know friend from foe when it comes to something as simple as reading or responding to an email from a trusted advisor. In just one incident, revealed by cyber security firm FireEye this December, a group of hackers infiltrated at least 100 businesses in the U.S., gathering sensitive data that reportedly has the potential to affect global financial markets.
According to FireEye, the group it has dubbed Fin4 has been in operation since at least the middle of 2013, and has mostly targeted businesses in the pharmaceutical and healthcare industries, and advisers to companies in those sectors. All but three of the affected businesses are listed on NASDAQ or the New York Stock Exchange.
Exploiting trust-based vulnerability
The Fin4 attacks, which rely primarily on emails that appear to come from credible sources and are written in the vernacular of investment banking, reveal just how vulnerable businesses are and how persistent cyber criminals can be.
“If it’s online, it is being attacked,” says Gary S. Miliefsky, CEO of SnoopWall, a mobile anti-spyware company, and member of the advisory board of the Center for the Study of Counter-Terrorism & Cyber-Crime at Norwich University. “If the information is important, it will at some point be stolen. Companies need to beef up their proactive defenses and begin training their employees to better understand best practices in securing mission-critical information.”
While Fin4 targeted the pharmaceutical sector and its associated vendors, no business is immune to cyber crime.
“You simply can’t look at cyber liability as just one component of your risk management,” says Lori Bailey, Global Head of Special Lines, Zurich Insurance Group. “It needs to be integrated into every aspect and operation within the organization.”
If you’re in business, you’re exposed
Financial institutions and the retail, healthcare and hospitality sectors are frequently the big-game targets of mega-breaches. “But if you look at the overall exposures of any industry, they are all interconnected by technology. It doesn’t matter what sector you’re in—manufacturing, utilities, agriculture, telecommunications—every industry has exposure to cyber liability,” says Bailey.
Interconnected risks in a digital economy
While awareness is growing of the potential for cyber-related risks to cause reputational harm, for example, the overall operational risks around cyber liability and data security can be more difficult to grasp.
“Many businesses are more aware of the reputational risks emanating from a cyber event than they were a few years ago,” says Bailey. “However, businesses simply don’t know where or when a breach is going to take place and what the reputational damage could be, so they need to be prepared.”
Businesses can also find managing regulatory compliance to be challenging. In the U.S. alone, 47 states have data breach notification laws, and no two are exactly alike. Most countries have some type of data protection law, too. For a small or midsize business that lacks deep resources, this can be a major roadblock to establishing the type of holistic risk management strategy necessary to operate a global business in the modern world.
Result only as good as the plan
Genius, it has been said, is 99 percent perspiration and 1 percent inspiration. Cyber risk management borrows a bit from that adage. According to Zurich’s Bailey, how well a business reacts to a cyber breach is often a reflection of how well it has prepared for one.
Lapses in internal business practices remain a primary source of “open doors” for cyber infiltrators. As such, staff education and awareness, particularly for high-risk individuals with access to valuable information, is vital. Bailey recommends that businesses start their preparation by taking a deep look at their internal risk management procedures, examining every aspect of their overall operations for potential breaches. This process covers everything from data management to clean-desk policies. “It could also include a number of different board-level assessments of where external data and business interruption risks may be exposed,” she says. “The next step is to determine how those exposures can be addressed through cyber risk mitigation tools or the procurement of insurance.”
It’s not surprising that demand for cyber liability insurance rose by 21 percent across all industries in 2013 compared to 2012, according to a Marsh Risk Management Research report. While this type of insurance has traditionally been more popular within sectors with a large volume of customer, patient and/or corporate information, as well as a higher level of governmental oversight, its appeal is broadening.
In an ideal world, when a breach occurs a business reacts by activating its business continuity and disaster recovery plans. A team of experts in forensics, PR, crisis management and legal issues is tapped to determine the what, where and how of the breach; to try to mitigate potentially devastating reputational damage; and to handle the necessary notifications of customers and other concerned parties.
Experts at the ready
At most businesses, however, that type of expertise isn’t sitting in the next cubicle. “One advantage of working with a global insurer is that they often have existing relationships with vendors across all industry segments,” says Bailey. “You don’t want to have to try to establish these relationships during a crisis. If you can immediately pull together an experienced team when time is of the essence, you can bring some peace of mind to the process and help mitigate the damage as soon as possible.”
A global insurance partner can also help manage the complexities of regulatory compliance. “An insurance policy can give you the ability to have a panel of experts help you comply with regulations,” says Bailey. “A midsize business, for example, may not have the resources to determine their contractual obligations. That’s where a team of experts can help.”
While cyber security and risk management experts agree that almost every business will eventually be the target of a cyber attack, they also agree that being proactive is the best course of action.
“Enterprises need to be prepared not only from a defensive standpoint, but also from an offensive standpoint,” says Chad Fulgham, Chief Strategy Officer at the cyber security firm Tanium. “They should take the stance that they are already a target and have already been breached. This mentality and culture provides the necessary sense of urgency that facilitates the adoption and prioritization of both preventive and defensive measures.”