Until recently, companies asked whether they might find themselves in the crosshairs of hackers; now the question they ask is "when?".
During the meeting of the BPCC's Technology, Media and Telecoms (TMT) policy group held on 3 November 2015, members had the chance to learn about the various threats, and the possibilities for managing the risks, connected with a company's presence in the virtual world.
Roman Skrzypczyński, PwC's cybercrime expert, began by showing the scale of the problem. The number of cyber attacks is increasing dramatically: it grew by 48% from 2013 to 2014. The business sectors at greatest risk of hacking are financial services, energy, technology and healthcare. "Given the amount and the importance of the information that is processed by those sectors, it is right that there should be so much attention given to protecting it," he said.
To emphasise the massive scale of the failures associated with poor security of the data being processed, Mr Skrzypczyński presented the results of 20 simulated attacks carried out on Polish companies. Most of the companies were found to have very poor security measures: the average time it took to break into their systems was a mere four hours. In addition, only 10% of organisations detected and responded to the attack. Perhaps most shocking of all, 100% of employees revealed (consciously or unconsciously) a password. Improving security starts with a heightened awareness of who the cybercriminal usually is and which errors are the most common. Perhaps it is not so obvious, but 70% of abuse is committed by current (often unwitting) or former employees, and only 35% by skilled hackers. "An employee is just a medium for transferring malicious software," said Mr Skrzypczyński, who ended his presentation by pointing out the most important things to keep in mind: speed of response, assessment of the scale of the crime, damage limitation and coordinated communication. Above all, he said, "if we cannot secure experts to look after the information and data used by us, employ an external contractor. The measurability of material loss is difficult to determine; it can be huge, but the damage done to the company's image is far worse. This is war! They will attack us, and we must be able to react," he added.
The second speaker, the special guest at the event, Mark Camillo, head of cyber for EMEA at AIG UK, addressed the topic of cybercrime in the context of insurance. He said: "Because the insurance market for cyber attacks has greatly developed, the nature of threats has also changed. As the global economy increasingly moves online, cyber disruptions are causing huge financial losses and loss of reputation. Initially they focused on data leaks, while nowadays such insurance also covers issues of business continuity interruption, theft of intellectual property and many others." Thus, so-called 'cyber risk' has evolved from something that only affects IT into a matter of enterprise-wide risk management that requires intervention at board level. According to Mr Camillo, the most important thing to do is to take measures to prevent hacker attacks and to raise awareness of the dangers of these crimes, not only among rank-and-file employees but also among board members. "As we learned from a survey conducted by AIG among scores of board-level executives, 50% of them had no idea of the scale of the consequences resulting from cybercrime. And it is mainly board members who are affected by the consequences of such events," said Mr Camillo.
After the presentations, there was a panel discussion including both speakers, who were joined by representatives of law firm SafeLaw and IT services firm Support Online. The panellists agreed that awareness is the cornerstone of managing cyber risk. Apparently 90% of hacking attacks are carried out using social engineering, so ongoing training is needed, and employees need to stick to established company policy. Secondly, there is a need for better selection of employees during the recruitment process, and thirdly, a need to ensure adequate protection of both fixed and mobile devices.
After many questions from the audience, the formal part of the event ended, and participants went on to discuss the issues informally and exchange business cards over a networking lunch.
We encourage you to look over the attached presentation and to take a 'guided tour' of cyber security issues, created to help businesses gain a deeper understanding of the risks.