Cybercrime is on the rise. According to Symantec, more than 1 million people are victims of cyberattacks every day, at a global annual cost to consumers of almost $113 billion.[1] The cost to businesses is even greater. A recent study sponsored by McAfee, a subsidiary of Intel, put the global figure at more than $400 billion annually.[2] And, of course, beyond the dollars, the cost in reputational damage, consumer confidence in the brand, and time to recovery can be enormous.
While major high-profile security breaches, such as those recently suffered by Target and Home Depot, make the biggest splashes in the news, the attacks are not limited to national and multinational companies. For example, the largest online breach targeting credit card data in Australia’s history occurred in December 2012, when criminals attacked 46 small and midsize businesses—the majority of which were service stations and individual retail outlets.[3]
The principal lesson to be learned is that companies of all sizes are vulnerable to cyberattacks. Unfortunately, many don’t view themselves that way because they believe they are too small to be targeted. But from a risk-management perspective, that is exactly the wrong attitude to take.
Because of the devastating impact that a major breach can have—on both the top and bottom lines, on the brand, and along many other dimensions of the business—and because of the increasing likelihood that such an event may one day occur, it is prudent to rank cyberthreats as one of the three largest areas of exposure for essentially every business. As such, thwarting cyberattacks, as well as planning for how the company will respond in the event of a successful major breach, should be a C-suite-level concern, and not something relegated to the IT department and then promptly forgotten until it’s too late.
An Ounce of Prevention
A first step in assessing your company’s exposure to cyberthreats is to conduct a thorough inventory of your data-collection and data-storage protocols. What kind of data do you have? How is it being protected? In addition, what does the threat environment look like for your company and industry? How frequently are your systems being attacked? How about your competitors’ systems? According to The Wall Street Journal, immediately after Target made its data breach public, executives at Home Depot began conducting a threat assessment of their company’s exposure to a similar attack, and soon afterwards began implementing heightened security measures across the organization. Unfortunately, as we now know, hackers were able to infiltrate Home Depot’s systems before these steps could be fully put in place.[4]
Fortunately, the majority of attacks are not as sophisticated as those that struck those two major retailers. In fact, most cyberthreats do not target a specific company, and they can be stopped by the use of basic IT security measures, including up-to-date antivirus software and robust firewalls. However, as noted above, it is highly prudent to be prepared to defend against more dangerous efforts—and to think about what to do should a major breach occur.
Business Continuity and Risk Transfer
A key step is to build cyberthreats into your company’s business continuity plans, alongside other kinds of potential major disruptions. How would your business function if it suddenly lost access to critical data? What kinds of plans are currently in place for dealing with a major data breach? Running scenario-based drills to test the impact and response times to various types of breaches will aid in identifying where your company’s greatest weaknesses are, so that they can be adequately addressed. As Home Depot’s example demonstrates, it’s never too early to start.
There may still remain areas where, for various reasons, risk cannot be managed internally. In this case, the best decision may be to transfer the risk via a cyber-liability policy. These policies should be viewed as a supplement to, and not a replacement for, good risk management policies. But they can provide a vital source of liquidity in the days following a successful attack.
By taking cyberthreats seriously and building them into your business continuity plans and practices, your company will be better positioned to survive a major cyberattack and get back to normal business operations quickly.
1- 2013 Norton report, published by Symantec Corporation. Accessed online on Sept. 12, 2014 at http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=norton-report-2013
2- “Net Losses: Estimating the Global Cost of Cybercrime.” Published by the Center for Strategic and International Studies. Accessed online on Sept. 12, 2014 at http://csis.org/files/attachments/140609_McAfee_PDF.pdf
3- Matthew Clarke. “Cyber attacks: It’s not a matter of if but when.” Insurance & Risk Professional, June/July 2014. Accessed online on Sept. 12, 2014 at http://content.yudu.com/Library/A2vnli/InsuranceampRiskProf/resources/36.htm
4- Danny Yadron and Shelly Banjo. “Home Depot Upped Defenses, But Hacker Moved Faster.” The Wall Street Journal, Sept. 12, 2014. Accessed online on Sept. 12, 2014 at http://online.wsj.com/articles/home-depot-upped-defenses-but-hacker-moved-faster-1410564218?mod=djemalertNEWS