What is cyber risk?
The term “cyber risk” relates to a loss due to either technical infrastructure (eg servers, databases) or the use of technology inside an organisation. This loss can take many forms, from a hacker draining a bank account to an employee accidentally exposing private data to site visitors.
While cyber risk exists in an almost limitless number of forms, it can be categorised broadly into four types, based upon intent and where the risk originates:
- Internal and malicious. This is generally a deliberate act of sabotage or theft by someone inside the company. It could be a disgruntled employee deleting or stealing data from the central system, or purposely installing viruses on company machines.
- Internal and unintentional. This stems from an employee making a mistake. Even the most well-intentioned and knowledgeable employee could accidentally disable a firewall or internal back-up system.
- External and malicious. A deliberate attack by someone outside the organisation, and the kind taken the most seriously. This could be infiltration of your databases by a criminal outfit or a denial of service attack by hackers to overload and shut down critical equipment.
What are the biggest threats when it comes to cyber risk?
We’ve defined cyber risk, but let’s go a step further and run through what these risks actually are. Here are some of the most dangerous threats out there:
Ransomware is a computer program planted in a company’s computer system and effectively blocks the company from accessing it. The perpetrators then demand a ransom to restore access to the data.
Ransom is a growing threat to both individuals and businesses in Australia, especially with ransomware kits becoming increasingly available on the darknet.
Cybercriminals usually demand payment via cryptocurrency, which is difficult to trace. They also keep the ransom amounts affordable so the victim is more likely to pay rather than go through the expense of having the ransomware removed. However, even if a company pays the ransom, there is no guarantee that their data will be unlocked.
2. Credential-harvesting malware
Credential-harvesting malware is a growing threat in the financial sector. This cybercrime targets smartphones and the data we store on them. This data includes:
- Financial information which criminals can use to commit fraud
- Personal information that they can use to commit identity theft
Two examples of credential-harvesting malware that have had a significant impact in Australia are Gozi and Mazar. Gozi is a well-known and widely distributed banking Trojan that has been a threat for several years now. Mazar is a type of credential-harvesting malware that affects Android devices and spreads via unsolicited SMS messages and pop-up downloads.
3. Social engineering
Social engineering occurs when cybercriminals grab sensitive information from companies by posing as representatives of legitimate organisations i.e the companies bank. Cybercriminals will typically make these requests using an email that contains official letterhead to help make the email appear legitimate.
Social engineering campaigns in Australia are very sophisticated, sometimes employing bogus phone calls as well as emails to give a sense of legitimacy. Cybercriminals target individuals as well as businesses, particularly those with limited knowledge of computers and social engineering.
4. Threats associated with outsourcing and supply chain
Companies that use outsourced providers are vulnerable because they often give these providers extensive access to the company’s networks and data. For example, the government may rely on a research firm to handle the publics data.
If a cybercriminal can compromise a service provider, they can potentially gain access to the data of some or all of that provider’s customers.
In the case of government customers, this could not only financially compromise people, but could also have serious security implications as well.
5. Personally identifiable information
Basic information such as a person’s name, address and birth date can be enough to commit identity theft. This is personally identifiable information.
Personally identifiable information is often held in large data warehouses by government and businesses. This data is valuable to cybercriminals as it can be used for fraud, identity theft and even ransom demands.
6. Malicious use of leaked tools
Due to cybercriminals maliciously sharing tools designed for network exploitation, the number of successful attacks on Australian businesses is likely to continue to grow. Other less skilful criminals use these tools to attack targets they have previously been unable to access.
As long as there is a dark web and skilled cybercriminals intent on malicious activity, these types of tools will always be available. The only protection that businesses have against them is to regularly upgrade their software and implement all security patches in an effort to try and stay one step ahead.
What are the consequences of cyber attacks?
As mentioned above, there are endless kinds of cyber attacks with a huge number of possible outcomes. Some of the consequences of cyber attacks are:
- Loss of important or confidential data
- Loss of customers due to data breach or negative media attention
- Loss of share value
- Business interruption
- Property damage
Who is responsible for managing cyber risk in a business?
Businesses often place the responsibility of cyber security entirely onto the shoulders of IT staff and select management figures. However, given the interconnectivity of the digital world, even personal failures staff members outside of technical employees and management can cause company-wide consequences.
For example: If an employee forgets to log out of a system, for instance, it can leave it wide open to data theft.
|1. Technical personnel and managers||2. Other staff|
|The list of people responsible for data security is long, and may include the following technical personnel:
||Outside of technical staff, responsibility could extend to:|
What is 'cyber risk appetite'
When assessing cyber risk and making decisions about cybersecurity, it’s important to understand that risk can never be fully eliminated, only reduced. Therefore, a company defining its cybersecurity policy needs to define its cyber risk appetite: how much risk the company is willing to tolerate, and how much the organisation is willing to spend to manage that risk.
There are several key questions to help an organisation’s important stakeholders determine their cyber risk appetite:
- What losses would be catastrophic?
- What can we live without and for how long?
- What information cannot be allowed to be made public or stolen?
- What could cause harm to employees, customers, and partners?
5 trends to look out for going forward
Cyber risk is already an immense concern, with the global cyber risk insurance market standing at around $2 billion in premiums. Already, cyber crime costs the global economy $445 billion per year. As our technology and lives become more and more interconnected, this figure is expected to grow in the future.
How might cyber risk change in coming years? Here are five of the most important future trends:
Top 5 trends
- The cyber insurance market could be worth over $20 billion by the year 2025.
- Liability and data protection are the biggest concerns right now, but business interruption cover will be increasingly sought over the next decade.
- Businesses will be increasingly exposed to supply chain risk. This includes digital and electronic interruptions of partners, contractors and other supply chain components.
- More sectors and institutions will seek cover for cyber risk, including transport, energy, utility, telecommunications and financial institutions.
- Catastrophic cyber loss is more and more likely. Governments and insurers themselves will need to work together to protect infrastructure.
Did you know that business insurance can cover cyber risk?
Modern business insurance policies offer options for to cover cyber liability. Find out more by speaking to a broker.