This month global professional services firm, Aon, published their 2020 Cyber Security Risk Report. It details some of the unexpected ways that cyber risk impacts organisations around the world. The report discusses its findings broken down into six key areas where organisations are overlooking cyber risk, as well as how to protect them – intellectual property, mergers and acquisitions, retirement, executives, computer crime, and the corporation. This post presents a summary of the report’s findings.
Intellectual property are assets that are intangible, and include patents, trademarks, copyrights, data rights and trade secrets. According to Aon’s report, the value of intangible assets held by the largest companies by market cap increased from $9.3 trillion to $25 trillion (figures in USD) from 2005 to 2018. Intellectual property is very important to the innovation and growth of an organisation, and is often overlooked when conducting cyber risk assessments. The IP Commission in the United States estimates the annual cost of IP theft to be more than $225 billion and could be as high as $600 billion. It is estimated that the value of trade secrets represents one to three percent of the United States’ GDP.
The key to protecting IP is to first identify and evaluate all critical assets within the organisation, then identify where these assets reside. From here, appropriate measures should be taken to protect these assets and thier location both physically and digitally. The use of advanced control technologies and processes such as access control, monitoring and logging, and encryption should be used in doing so. Also, proper management of employees can reduce the likelihood of unauthorised access and theft from within the organisation. This can include robust training and promoting strong security culture by encouraging good security practices in the workplace. Intellectual property insurance coverage can help with the financial burden of IP theft. However, an established incident response plan will prove to be extremely valuable in the event of data breach.
Mergers and Aquisitions
Mergers and acquisitions (M&A) also go unnoticed when conducting risk assessments. 2014 to 2017 saw a 96 percent increase in mergers and acquisitions globally, and over the last two years, 50,000 M&A transactions announced worldwide saw a total value of $3.5 trillion. Despite these huge numbers, only 10% of deals globally included specialist cybersecurity due diligence during the deal process. In a recent case example, a breach in a technology firm resulted in the final purchase price of the firm being reduced by $350 million. The target company may not disclose, or even be aware of any security issues that may impact the acquiring company post-deal. In today’s regulatory world, this could mean substantial fines later down the line.
It is critical that cybersecurity is considered during the deal process, and a thorough evaluation of the target company’s cybersecurity posture is conducted, ideally by a neutral third-party assessor, who will not just look at data breach risk, but examine the entire cybersecurity scope of the target organisation. This should include but not be limited to: evaluation of governance and policy for cybersecurity management, assessment of existing vulnerabilities, personnel training, risk management approach and incident response.
The report also discusses an area of cybersecurity that is very rarely talked about in the industry – retirement. People in the workforce spend their entire working lives contributing to funds that set aside money for retirement. Employers will almost always outsource this service to a third-party retirement fund agency, who will manage the funds appropriately. Retirement fund agencies (known as Super Funds in Australia) are responsible for managing vast sums of money, and this is often overlooked when conducting a cybersecurity assessment of third-party suppliers and providers. In the UK, it was found that almost a quarter of trustees of UK pension schemes have had no training on the risk of cybercrime.
Ensuring that an employer’s chosen Super Fund exhibits good cybersecurity practices and is transparent with customers is crucial. This can be achieved by conducting a gap assessment, where vulnerabilities are identified, along with all protections that are in place to protect data from unauthorised access. Following this, a risk mitigation plan and incident response plan should be developed and deployed. Finally, an evaluation of risk responsibility and risk transfer options is critical.
The next weak area of cybersecurity that is often overlooked is the executive team themselves. It can be easy for the team responsible for making large decisions, especially on cybersecurity, to look at themselves as a large security risk. C-level executives are often specifically targeted by cyber-attacks, often because executives are high-profile, and may not be as IT-savvy. Executives may also have access to a lot more confidential information, which is very valuable to a potential attacker. It is also common for attackers to target the financial accounts of executives due to their wealth.
C-level executives are 12 times more likely to be targeted in a cyberattack, but the attack surface extends beyond the organisation. They could be targeted on a more personal level by compromising friends or family to gain closer access to the executive. For this reason, protective measures must also extend beyond the organisation into the executive’s personal life. Cybersecurity training of the C-suite as well as personal friends and family is paramount. Utilising security tools in the home, such as VPN and password managers can be a huge help. Another protective measure to note is personal cyber insurance to help mitigate the impact of identity theft and confidential data compromise.
The fifth risk that the report covers is Computer Crime. While the report so far has discussed how computer crime as a whole can exploit certain business processes and personnel, computer crime itself is often not looked into in great detail by many organisations globally and is worth mentioning on its own, especially the rate at which it is increasing in prevalence. In the US, victims in California lost more than $450 million through cybercrime. For businesses, the risk is just as great, if not greater. Scammers are becoming more sophisticated and evolving their techniques every day, and organisations must keep pace if they wish to avoid attack. Currently, Business Email Compromise (BEC) and Email Account Compromise (EAC) are growing at a staggering rate, as well as ransomware extortion. BEC / EAC has reportedly cost more than $12 billion globally in the last five years by exploiting compromised financial information to steal funds, and ransomware is expected to cost $20 billion in 2021 alone.
A proactive cybersecurity and fraud risk assessment, combined with a gap analysis, can help identify vulnerabilities in an organisation and help identify risk. Financial theft losses via BEC / EAC can be mitigated by putting in place a procedure for verifying new customers prior to any financial transaction. Furthermore, continuous cyber education is absolutely critical. The importance of good security culture, such as password habits, safe online browsing and identifying illegitimate emails and malicious attachments will greatly reduce the attack surface.
Finally, the corporation itself is at risk. Cyber-attacks can have a very large impact on the value and reputation of an organisation. Customers can be lost, investors can lose confidence, supply chains can be damaged. All of this can reflect very poorly on not only the corporation, but those running the corporation. In Aon’s 2019 Risk Report, they discussed that the board of directors is increasingly liable for cybersecurity via fiduciary duties and companies risk facing class actions, regulatory fines and costs associated with investigations in response to cyber breaches.
This final risk requires an all-encompassing approach to cybersecurity. A thorough assessment of all data that requires enhanced protection and governance should be conducted. Quantifying the financial impact of a cyber-attack is crucial for not only protecting against it, but developing a response plan should it occur to lessen the negative impacts. Insurance can also play a helpful role in protecting companies from the liabilities that may come with a cyber breach, as well as providing services to help recover more quickly from the impacts of a breach.
Protecting against the risks discussed in Aon’s report is not quick, cheap or easy to implement. It takes significant investment from an organisation to properly implement a strong suite of protections that will help protect an organisation from the impacts of an attack. This is where Agilient’s expert consultants can help. We specialise in delivering agile and resilient security solutions that are custom-tailored to your organisation. If you’d like to learn more about how we can help, contact us today.
Author: Jack Schofield, Agilient Consultant