Cyber threats are testing companies’ risk management. This is a particularly tough test, because a networked threat environment requires a networked defence – and a global threat requires global risk management.
This is the period when it will be decided which companies can protect against cyber criminals' attacks. "This has become an unprecedented security problem," says cyber risk engineer Peter Granlund of If's Risk Management. This was a view shared by the world's economic leaders at the World Economic Forum. Information systems are a critical part of any company's operation, and threats against them have grown.
According to studies, cyber risks are considered by many major companies as the most serious threat to operations. Companies are becoming more and more networked. Robots are controlling robots. New factories and production plants are fully automated. Operations are controlled by means of information systems and their backup systems.
"Understanding the effects of cyber threats on our own business is one of the main priorities of our large customers. In order to meet our customers' security needs, we have plenty of information in our Competence Center on what companies should take into account to improve their cyber safety," says Matti Sjögren, If's Nordic Liability Risk Management Specialist.
Recent years have begun with big questions about corporate cyber safety. These have been followed by one nasty surprise after another. Cyber risk engineer Peter Granlund gives us an example, which will be discussed in details in another article, Maersk Line attack, in this magazine. "For few days they had to return to handle everything by paper or Excel spreadsheets. At some of their container terminals it was impossible to handle goods. The financial impact was 300 million dollars in Q3".
According to Peter Granlund, companies' key jobs in our modern fast-moving world is to ensure that they have the right partners to fight against cyber threats. He also thinks every organisation should be able to respond to following questions about cyber securities:
“Companies must also raise their personnel’s readiness to fight cyber threats. The human factor must never be forgotten. When talking about cyber security, people often only focus on technology and forget about human activity,” says Senior Risk Engineer Erik Van Der Heijden of If's Risk Management.
Chief Information Security Officer Erka Koivunen of F-Secure Corporation said in the Risk Management Day event organised by If in March in Helsinki that previously hackers were motivated by the challenge of whether they could work their way in. If you could break into the information system of a major company, your prestige among your peers was guaranteed. This is no longer the case today.
Today’s cyber-criminals (states, criminals and terrorists) are skilled, have sufficient resources, and patience to perform highly successful attacks on consumers, businesses and governments around the world. Cybercrime is today Big Business, while the risk of attackers being traced and prosecuted is low.
One of the key factors is risk identification.
One of the key factors is risk identification. By a thorough assessment of risks and wise channelling of measures to stave off attacks you can improve security quite significantly without any major extra costs. Any resources thus saved can be used, for example, to make the personnel aware of any risks. And besides, few organisation have endless resources to improve their cyber safety.
On the other hand, nobody can promise 100 per cent security. "Organisations should first find ways to reduce risks for example by acquiring competences and services which would be too expensive to develop in their own organisation. The new phase requires new systems and efficient protection solutions. To fight cyber threats, you need reliable partners," says Erka Koivunen of F-Secure Corporation.
As cyber threats increase in number, frequency and complexity, it is more and more important to identify, understand and manage all aspects of cyber safety. It is a matter of ensuring continuity of your own operations. The attitudes of those who decide about investments may be one thing, but the risks may be of quite another nature. “Many can be under the misapprehension that a virus protection program bought 5–6 years ago can take care of the entire cyber safety issue, but the truth is something quite different.”
If's Risk Management's target is to do everything that its clients can find an optimal way to keep a variety of cyber attacks at bay. For this purpose, If's Risk Management has come up with a 25-point survey questionnaire to find out how companies deal with data security. The aspects focused on include Cyber Risk Management Organisation, awereness training, defence in depth, parch management process and business continuity plan.
Once a company’s data security is sufficiently high, we can help manage the remaining risk. ”Cyber security is extremely important and managing it has become a profession in itself with strategic, tactical and operational requirements to consider. The IT department is not the most likely candidate to handle cyber risk management”, says Peter Granlund. If can provide insurance solutions supporting our client’s management of risk. “Once a company is sufficiently prepared against cyber threats, we can insure the remaining risk.
A key product for industry is property and business interruption cover as part of property insurance which, if a cyber risk is realised, covers financial losses caused by business interruptions. Our comprehensive cyber insurance also covers, thanks to its various modules, losses caused to both yourself and third parties. EU’s General Data Protection Regulation (GDPR) will enter into force in May 2018, and the risk for compensation about loss of customer data will increase,” says Sjögren.
Harry Nordqvist