Businesses Face Evolving Cyber Risk
By Denise Johnson | May 5, 2017
Though several factors affect a firm’s cyber risk, people remain the critical vulnerability, according to Scott Stransky, assistant vice president and principal scientist with AIR Worldwide. In an audio interview with Claims Journal, he explained the evolving risk and what firms can do to mitigate cyber risk.
One cyber vulnerability global businesses face is the risk of a security breach. Stransky said it is likely the most well-known type of attack.
“This is still happening today, but cyber has expanded quite a lot from then,” said Stransky.
Another risk is from ransomware attacks, which tend to occur frequently but demands are usually for low dollar amounts.
Stransky said business interruption is a key driver of losses from cyberattacks. He described two memorable cyber events against Dyn and Amazon. Dyn’s cloud and email service was attacked last year by a botnet that used Internet of Things devices to maliciously call its service repeatedly. Earlier this year, Amazon’s web service was down for about four hours. Neither event lasted long enough to trigger coverage, Stransky said. However, AIR ran each event through its cyber model to see what the estimated costs would be if each attack had lasted longer. If both outages had lasted a day, the model estimated Dyn’s cyber event would have caused about a half a billion dollars in losses, while Amazon’s cyber event would have likely caused $3 billion in losses.
Important factors that contribute to a company’s cyber risk vary, Stransky said.
Internal factors include:
- People – considered a critical vulnerability.
- Company processes – for dealing with a breach or attack should be well-defined.
- Technology – which includes using better firewalls, more security, etc.
External factors include:
- The type of data that is stored, like health records and credit card information.
- Whether a firm’s system is connected to other companies.
- Aggregation – what happens if all the information is in one place and a cloud provider goes down.
Cyber risks continue to evolve, Stransky said. For example, as more household items connect to the Internet of Things, susceptibility to a cyberattack increases.
There’s quite a bit companies can do to limit the risk, Stransky said. He said businesses can buy insurance to mitigate the consequences and gain financial remuneration.
In addition, firms can utilize air-gapping services, corporate training and limit file sharing. Employee training can assist in reducing the risk of an attack that results from a successful phishing scam. Employers can limit file sharing, reducing the chance of a virus or malware embedding in their systems.
Besides evolving risks, global companies need to consider new regulations. The European Union is imposing new general data protection laws next year, said Stransky. The laws will require fines of up to four percent of a company’s annual revenue in the event a data breach occurs. Australia is another country that will introduce data protection laws.
Stransky said cyber can be viewed as a better risk to have because it can be mitigated more than some other property risks, like hurricanes or earthquakes. A computer system doesn’t have to be completely dismantled to make fixes, he said, unlike a building damaged in a hurricane.