Cyber age reality is shaped by the inherent asymmetry between attackers and defenders. While attackers enjoy the ease of concealing and disguising identities, the widespread availability of data encryption utilities and the proliferation of cyber-attack tools, defenders, on the other hand, face the daunting challenge of detecting advanced, subtle and persistent threats, which are extremely hard to trace.
As this reality becomes clear and as the cyber world is increasingly demystified, cyber professionals as well as “laymen” realise that total prevention of cyber risks is impossible. There is no Star Trek style “Deflector Shield” one can use to secure data, networks and other cyber assets, completely eliminating the chance of a successful cyber breach.
The threat of a successful breach is not subsiding; on the contrary, it is intensifying. Symantec’s 2014 Internet threat report dubbed 2013 as the “year of the mega breach”, stating that “2011 saw 232 million identities exposed, half of the number exposed in 2013. In total, over 552 million identities were breached in 2013, putting consumer credit card information, birth dates, government ID numbers, home addresses, medical records, phone numbers, financial information, email addresses, login, passwords, and other personal information into the criminal underground”. Similarly, the report quoted a 500% increase in Ransomware attacks in 2013 (a ransomware is a malware, which restricts access to an infected computer system, and which requires the payment of a ransom in order to remove the imposed restrictions). Despite the world’s focus, in the wake of the Snowden leaks, on cyber espionage and governments’ reach into cyberspace, cyber-crime remains a clear, imminent and spreading danger.
It is not only that the number of attacks is on the rise, but also the number of affected industries and types of businesses. No longer the plight of only the ICT industry, cyber risks are now also tackled by the healthcare, media, professional services, insurance, education, finance, retail sectors and many others. As attackers start to target the Internet of Things (affecting smart TVs, cars, medical and even industrial systems), the looming cyber threat is fast becoming an issue even for what were considered “low tech” industries. It should be noted that even the more sophisticated and targeted cyber operations are no longer limited to government espionage and big enterprises. According to Symantec’s report the risk of being targeted by Spear-Phishing attacks are quite similar for large enterprises (39%), medium enterprises (31%) and Small enterprises (30%). According to a Marsh Risk Management report, cyber criminals unleash 3.5 new threats every second targeting small businesses.
One might acknowledge the increasing presence of cyber crime and cyber threats, but are there real world damages being incurred? The answer is most definitely “Yes”. A Marsh Risk Management analysis, of the percentage of companies affected by leading causes of supply chain disruptions, shows that technology outages outpaced adverse weather as a major disruption in 2012 and that data breaches and cyber-attacks collectively were more disruptive than fire (!) and civil unrest. The real world effects of materialising cyber risks can’t be ignored. E&Y’s 2013 Global Security Survey stated that 70% of organisations surveyed indicated that information security policies are owned at the highest organisational levels.
So, should we raise a “white flag”? Pull out the dusty old typewriter? The answer is obvious – we can’t afford to. As a result, many organisations and enterprises, of all sizes, around the world, have adopted Cyber Risk Management Policies. These policies enable managing cyber risks as an integral part of the corporate governance, risk management, and business continuity frameworks. A sound cyber risk management policy provides a framework for managing and mitigating cyber risk throughout the enterprise. By adopting industry standards and best practices, by prioritising ICT assets, including the data of organisations and customers, and identifying the risk they are exposed to and by assessing the impact of a cyber breach for each of them, organisations can prioritise their cyber security investments and adopt a more comprehensive and cost effective policy. Cyber risk management policies also outline the incidents response plans for different cyber breach scenarios, making sure all relevant stakeholders integrate and coordinate their response.