Over the past decade, technological developments once considered the stuff of science fiction have become commonplace. From smartphones to smart homes – with online thermostats, doorbells and even fridges – the way we live, work and do business has become more connected. And with that connectivity comes increasingly sophisticated cyber risks.
Indeed, cyber vulnerabilities can appear across an organization’s people, operations and supply chains to affect customers, threaten business continuity and hurt balance sheets.
Jason Hogg, chief executive officer at Aon Cyber Solutions, says, “In 2019, the greatest challenge organizations will face is simply keeping up with and staying informed about the evolving cyber-risk landscape.”
While the cyber threats that organizations face vary, there are eight key risk areas businesses should consider: technology, supply chains, the internet of things (IoT), business operations, employees, mergers and acquisitions (M&A), regulations and boards of directors.
To effectively address these eight areas of cyber exposure, an organization’s risk management must be proactive: focused on sharing threat intelligence and on collaborating within and across enterprises and industries. Cyber diligence is an unending, dynamic effort to identify vulnerabilities, mitigate risk and prepare an appropriate response for when an attack occurs.
No Free Ride: Technology Can Be A Blend Of Opportunity And Risk
From autonomous cars to the rise of ride-sharing services, more businesses offer a broad choice of products and services over a network. These “anything as a service” – or “XaaS” – businesses highlight the rapid pace of digital transformation. And as XaaS companies gain traction, cyber risk will continue to evolve.
Stephanie Snyder, senior vice president and commercial strategy leader at Aon Cyber Solutions, notes that today every company, whether it knows it or not, is a technology company, simply because of the way it uses technology to evolve its business. Therefore, as organizations embrace digital transformation, leaders should aim to understand the associated risks and plan to address them.
Third Party As A “Backdoor” To Cyber: Risks Can Lurk In Supply Chains
As supply chains become more complex, and businesses rely on more third-party vendors, cyber risk can creep into the supply chain – and the threat can be significant. “A breakdown in the supply chain – no matter who is at fault – can grossly degrade operations and impact revenue,” says CJ Dietzman, managing director and security advisory practice leader at Aon Cyber Solutions.
A 2018 Ponemon Institute survey found that 59 percent of companies in the U.S. and the U.K. experienced a data breach through a third party, but only 35 percent of those surveyed described their third-party risk management as highly effective.
“As supply chains become increasingly connected, leaders will take a harder look at their vulnerabilities. It will no longer be a ‘cyber’ risk, but an overall operational risk in which cyber will play a role,” states Snyder.
Managing The Unknown: The Growth Of Connected Devices
As IoT becomes more ubiquitous, each connected device can present its own security risk. According to another 2018 Ponemon study, 38 percent of organizations that kept records of IoT-connected devices said they had up to 1,000 such devices. Meanwhile, the average number of devices in the workplace among those surveyed was more than 15,000.
Most companies, however, do not keep an adequate inventory of their IoT devices, which makes those devices hard to patch, monitor or isolate. The same Ponemon survey found that 21 percent of companies had suffered an attack associated with unsecured IoT devices over the past year.
Snyder stresses that it’s critical for companies to break down silos within the organization to be ready for an IoT-related risk. “From IT to risk management to general counsel, key stakeholders need to be in lockstep to protect the organization,” she adds.
Anticipating Business Disruption: Operations At Risk
While technology can increase a company’s operational efficiency, it can also open up an organization to the risk of business disruptions through malware, ransomware or other threats. The quest for increased connectivity – and the risks associated with it – is not limited to the private sector. More local and national governments are planning smart cities, meaning that infrastructure must now be built or updated to tackle cyber risks.
Chad Pinson, president of engagement management at Aon Cyber Solutions, notes, “While this connectivity increases operational efficiency, it also creates new security risks by greatly expanding the attack surface and making it easier for attackers to move laterally across the entire network.”
People: Innocent Or Malicious, Employees Pose A Major Cyber Threat
A major cyber risk that companies face – whether through malicious intent, simple human error or negligence – is their own employees. “Employees remain one of the most common causes of security breaches,” Snyder says.
Cybersecurity Insiders’ 2018 Insider Threat report found that 53 percent of companies surveyed had experienced an insider-related attack over the past year. Meanwhile, those organizations were nearly evenly split over whether they worried more about inadvertent exposure by employees or about deliberate malicious behavior. Dietzman says, “It’s becoming ever-more important to establish a comprehensive approach to mitigate insider risks – including strong data governance, communicating cyber-security policies through the organization and implementing effective access and data-protection controls.”
Impact On Deals: The Cyber Threat To M&A
Mergers and acquisitions may bring businesses new opportunities, but they can also bring cyber risks that threaten a deal’s value. In 2017, a deal to acquire an internet company was delayed, and $350 million was cut from the original asking price, after details of past cyber attacks at the target came to light.
Companies might excel at enforcing their own cyber-security policies, but there’s no guarantee their M&A targets are doing the same. The short timelines associated with many M&A deals can make it even more difficult to adequately assess a target company’s possible exposures. “As deal-making continues to grow, the related cyber-security risk might be growing even faster,” Dietzman says. “Deal-makers must make plans to address this growing challenge.”
Regulatory Risk: A Growing Element Of The Cyber Threat
The EU’s General Data Protection Regulation (GDPR), which can impose a fine of up to 4 percent of global annual turnover, highlights the growing pattern of regulations seeking to protect consumer data. And governments around the world are following suit. In 2018, the U.S. Securities and Exchange Commission issued guidance directing public companies to disclose material cyber-security risks and incidents in their public filings. Also in 2018, California passed a law requiring security features in connected (IoT) devices, as well as a consumer privacy act similar to the GDPR.
Increasing regulations aim to hold organizations – and their C-suite and boards – accountable for the protection of consumer data. This is a growing challenge for companies around the world, especially multinationals that will have to adhere to various cross-border regulations.
As Cyber Risk Grows, So Too Does Executive Exposure
Cyber threats are increasingly a concern for board members, both for the risks they pose to the organization and for the personal exposure directors might face. In fact, shareholder suits have already targeted directors following various high-profile data breaches, and the trend is likely to increase. Directors and officers also face potential regulatory liabilities associated with new cyber-security rules.
In the face of these exposures, directors are becoming more actively involved in their organizations’ cyber-security efforts. Still, more effort is required at many organizations, including an ongoing budget commitment to cyber-security activities.
Successful Cyber Security Is A Top-Down, Enterprise-wide Effort
To minimize cyber exposures across the eight areas of risk, organizations must commit to addressing threats as they emerge rather than after an incident. This begins with strong support from the board and C-suite for enterprise-wide cyber-security policies and procedures, backed by the budget and staffing needed to carry them out.
“Cyber-security efforts should span the organization, with companies continually assessing the changing threat landscape and taking steps to address evolving exposures,” says Aon’s Hogg. “It is incumbent upon organizations to understand the risks they face and to address them on a proactive basis.”