The Cybercrime Research Institute advises governments and Fortune 500 boards on strategic questions related to cyber security and risk management.
How is your organisation approaching cyber risk?
Marco Gercke: The Cybercrime Research Institute advises governments and Fortune 500 boards on strategic questions related to cyber security and risk management. We hear companies asking if they’re in the focus of offenders—the answer is yes. There is no company that isn’t at risk. We provide companies with support and provide help with how the board can be involved and the steps they need to take.
Peter Hacker: Cyber is not a new enterprise risk in itself, it is not a new issue or threat to corporations. Over the last couple of years, developments and unparalleled pace relating to digital technology, including disruption and artificial intelligence, means that everything has become unprecedentedly interconnected.
So, the threats have a different spike and dimension now compared to what they used to be in the past. Our company provides insightful threat awareness help. There is a lot of information out there, but sometimes it is very difficult information to extract on an actionable intelligence basis for board members or key decision makers. What they really need is to understand the consequences of their decisions in cyber crime and cyber security. It’s not always easy to understand—information remains abstract until an incident occurs—that’s why you have to have insightful information or actionable intelligence to make a decision.
How can hackers infiltrate different organisations?
Gercke: It depends on the type of organisation. If your organisation is disconnected from the internet there will be fewer possibilities than there are at a company that is completely connected.
Hackers can attack from the outside, through the internet, through emails sent to certain people and through devices, but it can also be through insiders. It is easier to prevent or fight against attacks from the outside than those on the inside.
Hacker: Percentage-wise the majority, approximately two-thirds, of these attacks are triggered from the inside.
What are the kinds practices that can be put in place to prevent cyber attacks?
Hacker: There is no clear definition of what ‘cyber’ really is, apart from being an intangible risk class. However, in any case, companies need to think beyond this ‘buzz word’. If you look into the market value of a corporation, it is driven by the data they hold, the customer relationships, the brand, the reputation and the intellectual property (IP) they have.
They are all intangible aspects—they are assets. And if you look at cyber, it has very often been defined by security data breaches, or loss of revenue on a non- physical basis. Organisations need to recognise that this particular risk class is an enterprise-wide risk. Enterprise-wide risk means it can’t be prevented. If people invest enough money they will find a way to get into a company’s system.
Companies have to focus on mitigation because of risk finance, and this is where you can potentially use captives. The other element is risk transfer, or risk control, as well as claims management. If you understand your company’s risk and available information, you can control it, mitigate specific implications, and convince key decision makers of the long-term value of enterprise-wide risk management and insurance.
If a cyber attack were to happen, how long would it take before the hacker has control of the whole system?
Gercke: An attack could take one second. If the hacker finds the right way in then the hacker has full control. There are certain possibilities where the likelihood of a hacker getting full control is higher. For example, if he is able to capture the account of a privileged user such as a system administrator.
However, it can vary, and sometimes it can take a long time. Hackers might move step by step, first moving into the system then analysing it, which can take weeks and sometimes months.
If a hacker were to plan an attack, what types of corporations are classed as most vulnerable and most at risk?
Gercke: There are two motivations, some hackers want the attack to hit as many people as possible, which means they will aim for 100 to 200 victims within a certain timeframe. In this case they will look for common figures and what kind of technology the company is using.
The more dangerous are the individual attacks. The offenders focus on one target, it could be the organisation’s patents or IP in general, or confidential information. Another example is when a small to medium-sized enterprise might need information from a competitor, and will break into this specific network.
Any company that has anything of value that can be threatened through a cyber attack is at risk, but each company needs to go through an individual risk assessment, to discover how big each risk is.
Hacker: If you look at the various industries, for example, a beer brewery and a bank, the risk landscape severities and frequencies are totally different. Again, if you look at a telecommunications company and a consultancy company, you have different risks and implications to businesses.
This is why it is so important to understand, capture and address threats across enterprise-wide risk management. You need to thoroughly understand your processes, because only by doing so will the company know what its net risk exposure is and what’s ultimately at risk. Once the company has completed this process it can think about risk transfer as well as deciding on whether to use a captive. Captives are a good example how companies can use a structure—cell captives, for instance, are great for unparalleled risks such as cyber risk.
Can a cyber attack ruin a brand?
Hacker: Yes, it can potentially ruin a brand or reputation, in particular for start-up companies such as fast-growing, young, IP rich companies, although it would certainly depend on the scale and extent of the attack.
Over the last three years there have been some big prominent attacks against major brands that have happened in the US and more recently in Europe. Contrary to in the past, the implications were not just massive contractual, reputational and financial damages. This time, key decision makers had to leave as a consequence of the cyber crime and cyber security incident.
The intruders were ultimately targeting the brand itself. If the intruder is able to seriously hit the stock value of the corporation, then it has been a success and will possibly trigger a ‘domino effect’.
The bigger the intangible assets value, the more they will try and hit patents, IP, customer data, revenue streams and ultimately their brand and reputation. If you lose the brand and reputation, you lose potentially everything in the long term, and will most probably be confronted with legal actions from your shareholder base.
To leave readers with one fundamental comment: there is no ‘Golden Panacea’ in cyber crime and cyber security risk. However, it is important to understand and appreciate both these risks, the threat awareness and opportunities of enterprise risk management across the wider organisation, and to address them with actionable, insightful intelligence led by the board. Such an approach might well be their ‘life insurance’ if worst came to worst.
