Cybercrime is on the rise, and the impact can be significant. In 2015, there were over one million web attacks against people each and every day, according to Symantec.1 And, over the past year, Norton reported that consumers lost nearly $358 on average per person.2 The cost to businesses is even greater, and experts expect cybercrime costs to quadruple from 2015 to 2019. According to research conducted by Juniper, it is predicted that by 2019 the cost of data breaches will rise to $2.1 trillion globally.3 And, of course, beyond the dollars, the cost in reputational damage, consumer confidence in the brand, and time to recovery can be enormous.
While major high-profile security breaches, such as those suffered by Target and Home Depot, make the biggest splashes in the global news, the attacks are not limited to national and multinational companies. For example, the largest online breach targeting credit card data in Australia’s history occurred in December 2012, when criminals attacked 46 small and midsize businesses – the majority of which were service stations and individual retail outlets.4
The principal lesson to be learned is that companies of all sizes are vulnerable to cyber-attacks. In fact, Microsoft research found that "20% of small to medium sized businesses have been targeted for cyber crimes."5 Unfortunately, many don’t view themselves that way because they believe they are too small to be targeted. But from a risk management perspective, that is exactly the wrong attitude to take.
Because of the potentially devastating impact that a major breach can have – on both the top and bottom lines, on the brand, and along many other dimensions of the business – and because of the increasing likelihood that such an event may one day occur, it is prudent to rank cyberthreats as one of the three largest areas of exposure for essentially every business. According to Symantec, in 2015, a record-setting total of nine mega-breaches were reported. These breaches exposed 191 million records.1 As such, thwarting cyber attacks, as well as planning for how the company will respond in the event of a successful major breach, should be a C-suite-level concern, and not something relegated to the IT department and then promptly forgotten – until it’s too late.
An Ounce of Prevention
A first step in assessing your company’s exposure to cyberthreats is to conduct a thorough inventory of your data collection and data storage protocols. What kind of data do you have? How is it being protected? In addition, what does the threat environment look like for your company and industry? How frequently are your systems being attacked? Your competitors?
Fortunately, the majority of attacks are not as sophisticated as those that Target and Home Depot suffered in past years. Most cyberthreats do not target a specific company, and they may be stopped by the use of basic IT security measures, including up-to-date antivirus software and robust firewalls. However, as noted above, it is highly prudent to be prepared to defend against more dangerous efforts and think about what to do should a major breach occur.
Business Continuity and Risk Transfer
A key step is to build cyberthreats into your company’s business continuity plans, alongside other kinds of potential major disruptions. How would your business function if it suddenly lost access to critical data? What kinds of plans are currently in place for dealing with a major data breach? Running scenario-based drills to test the impact and response times to various types of breaches will aid in identifying where your company’s greatest weaknesses are, so that they can be adequately addressed. As Home Depot’s example demonstrates, it’s never too early to start.
There may still remain areas where, for various reasons, risk cannot be managed internally. In this case, the best decision may be to transfer the risk via a cyber-liability policy. These policies should be viewed as a supplement to, and not a replacement for, good risk management policies. But they can provide a vital source of liquidity in the days following a successful attack.
By taking cyberthreats seriously and building them into your business continuity plans and practices, your company will be better positioned to survive a major cyber-attack and get back to normal business operations quickly.