These days, we are hearing more and more about cyber attacks. Chances are some company, somewhere this week will announce to its clients and customers that its system has been breached and its data compromised. The motive behind the attacks could be fraud, economic espionage or just plain destruction of information.
Whatever the motive, cyber attacks are making headlines, but are companies paying attention?
The prevailing thought among management has been that cyber attacks are problems faced by banks, governments, retailers and a few unlucky others — that the odds are small that other industries are being attacked. Many managers assume that only companies collecting credit card data are vulnerable. However, we now know, no company or industry is safe. In fact, there are indications that the prevailing perception is changing.
A survey done in late 2012 about cyber risks sponsored by American International Group (AIG) confirms that business leaders view cyber risk as a top business concern, with great potential for reputational and financial loss. More than 85 percent of the 258 decision-makers surveyed said they were very or somewhat concerned about cyber risks, compared with the group’s response to six other areas of risk, including income loss (82 percent of executives were very or somewhat concerned), property damage (80 percent), and securities and investment risk (76 percent).
The causes of cyber breach are many, whether from human error when employees mismanage sensitive data or from hackers looking to disrupt the operations of less protected companies. The worldwide web has made cyber risks a multinational issue. Many criminals now operate anonymously thousands of miles away from their targets using sophisticated hacking techniques.
When companies think of sensitive data, they may primarily think about transactional information involving clients (e.g., credit card information) or medical information (e.g., hospital medical records). However, even if the company conducts few transactions via the internet, hackers are still interested in the information they hold. For example employee data, such as names, addresses and personal ID numbers is highly desirable. Hackers also look for competitive intelligence, such as a company’s intentions to make an acquisition, new product designs and patent files.
Breaching a network to steal sensitive information has become its own business with the stolen information being bought and sold every day. Cyber thieves have even been known to have customer service capabilities and money back guarantees on stolen information.
While the cyber landscape is rapidly evolving, companies need to stay ahead of the curve. Companies should begin by assessing risks, needs and budgets and developing an enterprise-wide management and response plan that is aligned with the business strategy. Engaging employees to educate them about their role in mitigating cyber exposure is critical. In addition, companies should build secure and robust information technology (IT) systems. This is considered to be the most powerful first line of defense against cyber threats.
Companies should include cyber liability as part of a company’s comprehensive data protection strategy. A cyber insurance package helps a company manage through a breach by paying the costs of notifications, public relations and other services to assist in mitigating a cyber incident. A global economy means multinational companies must comply with local regulations even when their headquarters are based far away. Companies can address the appropriate regulatory, legal, investor and auditor concerns when cyber risk management starts from the top down – with the board of directors bringing together a multi-disciplinary team to establish and track against a best practices approach.
Companies must remain vigilant against cyber attacks. Companies that are able to plan ahead, determine how they will respond in advance will be best positioned to prevent or protect the business from a cyber attack. Eliminating threats is impossible, so managing them and protecting reputation without disrupting business innovation and growth should be top management issues.
It starts with paying attention to the fast changing landscape of cyber attacks.
Javier A. Mercado is regional vice president for financial lines, American International Group, Inc. (AIG) Property Casualty, Latin American and the Caribbean.