In the business world, we have always had to deal with risk management. There is no business with no operational, financial, market, strategic and reputational risks associated with it. But as we have become digitalized, more interconnected and dependent on technology and information, our attention has turned to cyber-risk. And associated with cyber-risk, there is cybercrime, where crimes threaten technology and information.
It is not easy to understand. In the past, we considered this the responsibility of technology areas, but we have since realized cyber-risk runs right through our organizations, always there. Its impact can be devastating and may have operational, financial and legal effects, as well as—what is most difficult for us to gauge—disastrous consequences for our reputations.
It is a matter that affects us all and in which the ultimate responsibility lies with managers and directors. For this reason, we must make an effort to understand it and prepare to tackle its effects.
Where does cyber-risk start?
Cyber-risk starts in the use of technologies and information, digital strategies and the ecosystem to which we are interconnected via the internet. We use information, operational and business technologies to automate and control what we do, develop products and services and direct our relationships with clients and third parties. Technologies disruptive to traditional business models give rise to new models, such as Cloud platforms, the Internet of Things (IoT), artificial intelligence (AI), machine learning and automation, leading us into a new industrial age. There is blockchain, which allows us to distribute processing more securely. There are platforms that allow us to have almost anything as a service (XaaS), including virtual assistants. And we now interact with devices by touch, by voice and visually.
Cyber-risks also arise from all the data we store and handle—mostly obscure data, which is to say, data we do not use or whose meaning we do not understand. It is calculated that obscure data represents almost 70% of data stored today: e-mails, documents, contracts, text, structured and unstructured data. This data carries hidden messages we neither analyze nor interpret, although by using big data tools, artificial intelligence, natural language processing and analytics we could turn it into information that leads us to act. It is highly attractive data for cybercrime.
The risk is the possibility of financial loss, operational disruption or reputational damages, caused by faults in technology and information, systemic vulnerabilities or weaknesses or attacks by third parties, including internal individuals, states, hacktivists and hackers, among others. Ransomware, botnets and malware are terms we now read and hear in the media, that even we non-techies are able to understand.
How big is cybercrime today?
There is no homogeneous legislation for disclosing breaches and incidents or for reporting the associated losses. Incidents are events that compromise the integrity, confidentiality or availability of information; in breaches, information is disclosed to unauthorized third parties. Huge figures are estimated. Verizon’s recent study, the Data Breach Investigations Report 2018, calculates that in 2017 there were 53,000 incidents and some 2,216 breaches in 65 countries, motivated primarily by financial interest (76%). Breaches vary according to the industry, but among the most affected were governments, the health sector, financial services and manufacturing. No geographical area or industry was spared. Almost three-quarters of breaches were committed by outsiders, and, although an incident only takes a few seconds, it takes us months to realize we have been affected. It is also rather disquieting that 4% of employees in our companies still click on malicious emails and phishing attempts.
It has been suggested that cybercrime will be more profitable than drug trafficking and the sale of illegal drugs, causing damages to the tune of $6 trillion by 2021, which is double the 2015 figure.1 These are truly alarming numbers.
What must we do?
We must make the management of cyber-risk a priority in our corporations’ daily work and the responsibility of the senior management or board of directors.
We must also:
- Ensure we have a clear cyber-risk program, starting with identifying the information and systems we want to protect: the crown jewels. Identify the associated risks and mechanisms for managing those risks, be it through mitigation actions, rejecting them or transferring them to, for example, cyber-risk policies.
- Focus not only on protecting information and technology, but also on strengthening our ability to detect, respond and recover, making ourselves resilient to possible incidents and breaches.
- Convert people into our first line of defense, raising awareness of the huge challenge we face and making them parties to our protection and detection activities.
- Store only the data strictly necessary to achieve our business goals, and control who can access it through strong authentication mechanisms. Encrypt as much as possible.
- Include cyber-risk management and cybersecurity in our strategy and make security part of the design and operation of everything we do.
- Do not forget the ecosystems we share with third parties, clients, suppliers and others. When we interconnect, risks aggregate, and so our organizations’ exposure increases.
Let’s work together, both public and private sector, since this is the most effective way to confront the enormous challenge we face.