Cyber-crime is one of the fastest growing industries in the world. In the last year, it is estimated that cyber-crime costs business over $400 billion, including reputational damage, costs to remediate breaches and interruption to normal business operations. There is no doubt that the real figures are higher due to under reporting and it is projected to reach a staggering $2 trillion by 2019.
The risks arising from cyber-crime are clearly top-of-mind for the C-suite and those concerns are only likely to increase as the cyber-crime industry grows increasingly sophisticated. This rising level of concern reflects awareness that cyber-crime is no longer “just an IT issue”. The mode of business interruption may be through information technology, but the impacts are organisation-wide and have the potential to destroy businesses. Some estimates suggest that the cost of each individual hacked record to a business is $144. Considering most hacks are in the thousands to tens of thousands of records, businesses are at risk of spiralling damages arising from a cyber-attack. This picture is further complicated for the health care sector due to the sensitive, personal records involved and the additional duty of care around the management of these records.
Beyond the tangible costs to a business, the intangible damage arising from a cyber-attack can be far more damaging and long lasting. In highly regulated markets, such as the health care sector, there is a strong likelihood of increased regulator attention following a cyber-attack. The potential for malicious attacks to alter records further complicates the nightmare attack scenario for hospital executives. Further, damage to goodwill, reputation and customer confidence has the potential to undermine immediate and long-term revenue.
The most common types of cyber-attacks fall into the categories of ransomware, data theft and malicious interruption. Whilst the technical details of these attack modes are relevant at the operational level, at the board-room it is necessary to understand the type of attack mode as it has significant bearing on your response options and the management strategy you implement.
IT security requires ever-present vigilance and an organisational culture that emphasises the critical role of the individual in keeping systems and data safe. Nonetheless, as the scale of global cyber-crime indicates, a single lapse or moment of inattention is all that is needed for an attack to succeed. Prudent risk management seeks to pair reducing the likelihood of a risk eventuating with reducing the consequences when a risk does eventuate. Reducing the damage from a cyber-attack requires two broad strategies; appropriate insurance and strong crisis management control.
The complexity of managing a cyber-attack combined with the potential for significant tangible costs, makes the appropriate cyber insurance a key element of the cyber defence toolkit. Ideally this insurance will cover elements such as breach remediation, costs of business interruption, liability, fines and support for crisis management activities. Importantly, it needs to provide specialist IT security guidance. The executive team are not expected to be cyber security experts but are nonetheless required to make critical decisions under challenging circumstances.
To learn more about the steps to take to address a cyber attack follow this link.
This article is supplied by CGU Senior Specialist in Risk Consulting Lex Drennan, for APHA Major Sponsor Gow Gates.