Businesses need to start taking their cyber exposures much more seriously, as hackers work harder than ever to breach defences and wreak havoc.
What hackers are trying to achieve, and what they’re capable of achieving, is frightening. Sure, mentioning the worst-case scenarios can seem like scaremongering to insurance-buyers – but brokers need to be explaining to clients exactly what can happen when their IT gets taken over.
David White, founder and COO at Axio, a cyber resiliency consultancy, speaking on a cybersecurity panel at RIMS in Toronto, said many people don’t know just how sinister – and well-organised – cyber criminals are.
“Ransomware is a risk that has dramatically grown over the last few years. There are folks that make a living on cyber crime … these are people going to work 9-5, whose job is to perpetrate cyber crime,” he said. “There’s an entire industry around this.”
Whether they’re working for shady underground organisations, as hackers-for-hire through the dark web, as cyber terrorists, or for governments, hackers are constantly at work around the world.
Some cyber catastrophes, like “NotPetya” this year, for example, began as a targeted attack in the Ukraine, but spread at lightning speed. It infected two million companies globally within two hours. What commercial customers need to understand is that the “it-won’t-happen-to-me” mentality is unsustainable in today’s cyber landscape – while you may not be the target, you may become collateral damage. And the harm you sustain could potentially cripple your business.
Globally, as a result of “NotPetya”, White said shipping company Maersk claimed $300 million in losses, pharma giant Merck claimed $300 million in losses, and FedEx also claimed $300 million. And they were just three of the companies hit.
Furthermore, companies operating in industries where they do not believe they will be cyber-targeted can and will be targeted. Potentially, no-one is safe. A major recent trend in cyber extortion is the shift by hackers away from data theft and towards holding companies to ransom with actual physical harm.
White and his fellow panel members outlined a number of real-world examples of companies that lost out to hackers in recent years. Among them were a hacker who externally shut down all elevators in a series of old-age care facilities, and hackers this year who broke into the IT system of an Austrian hotel and locked the doors to all rooms.
Cyber insurance policies can be tricky to sell, and many customers are reluctant to buy them, due to cost. White said risk managers needed to develop “cyber risk scenarios” for their companies, to help them figure out the level of coverage they need, instead of just using guesswork.
“[They need to figure out] what could go wrong, develop estimates, and stress test their programmes,” he explained. “Then, with an understanding of an organisation’s [potential] losses, you know what coverage you need.”