What is cyber risk, and why should I care?
Technology continues to develop in amazing, and sometimes alarming, ways. Today, our personal relationships, work schedules and business decisions not only make use of technological tools, they often rely on them, and this opens the door to intrepid hackers. Easy access to reams of sensitive information means more and more organizations are exposed to a range of cyber risks, from data theft and ransomware to corporate espionage – and they may not even know it.
The rise of cybercrime
In 2015, cybercrime became the second most common type of economic fraud affecting Canadian businesses, with 28% of all fraud coming through online sources. Since then, cybersecurity incidents continue to increase in strength and frequency, and in Canada, these attacks have skyrocketed 160% year over year¹.
The 2016 report from PricewaterhouseCoopers estimates that if the trend continues, one in three businesses could suffer some form of cyber attack. It gets worse: a recently released 2017 Symantec Internet Security Report points out that cyber criminals are setting their sights higher, and as their knowledge and approaches improve, they’re turning to fileless malware, increased phishing using HTTPS, and economic sabotage to extract more from their targets.
So, what can Canadian companies do to keep their assets safe? A sound understanding of cyber risk is a good first step, and knowing how and where your business may be vulnerable can help you steer clear of virtual criminals and their sneaky tricks.
What is cyber risk?
Cybersecurity incidents continue to increase in strength and frequency, and in Canada, these attacks have skyrocketed 160% year over year.
Cyber risk commonly refers to any risk of financial loss, disruption or damage to the reputation of an organization resulting from the failure of its information technology systems. Cyber risk could materialize in a variety of ways, such as:
- Deliberate and unauthorized breaches of security to gain access to information systems.
- Unintentional or accidental breaches of security.
- Operational IT risks due to factors such as poor system integrity.
Poorly managed cyber risks can leave you open to a variety of cybercrimes, with consequences ranging from data disruption to economic destitution. In many cases, businesses will also find themselves in the middle of a public relations nightmare as they struggle to recover lost assets and prevent further theft.
Determining your cyber risk
Whether you’re a small business or a multi-million dollar corporation, cybercrime could be lurking right around the corner. In fact, more small businesses are being targeted by cyber criminals than you might imagine, and without the right preventative measures in place, yours could be next. First things first: it’s time to get more familiar with the cyber risks you may be facing.
In many cases, the more sophisticated and extensive a business’ digital operations, the higher the cyber risk involved. The following are some elements that can increase cyber risk; consider which ones might apply to your company:
- Employees or customers accessing your system from remote locations.
- Staff using company-owned devices at their homes or while traveling.
- Employee access to administrative privileges on your network or computers.
- A Bring Your Own Device (BYOD) policy in the workplace.
- Public building access (without the use of an ID card).
- Employees using computers to access bank accounts or initiate money transfers.
- A lax policy when it comes to regularly updating passwords.
- Critical information that would be lost in the event of a network disaster.
- Neglecting to review your company’s cyber security policies over the last 12 months.
All businesses face the risk of a cyber breach at some point during their life cycle, but understanding your risk level – and where the threats could come from – can go a long way to preparing an effective response
How cybercrime targets businesses
Some of the biggest cyber threats stem from the move to new technologies, like the Internet of Things (IoT). As networks disperse and more devices develop greater connectivity, security measures will have to evolve, too. Here are a few common reasons businesses fall victim to cyber attacks:
Staff shortcomings can leave you vulnerable. Cyber criminals can come from anywhere – and they could be closer than you think. More company employees are carrying out cyber attacks, and given their access to sensitive information, they have the ability to cause significant damage. However, even well-intentioned employees can be a weak link in your business: phishing scams and malware attacks can spread quickly when email attachments are opened and shared haphazardly.
Cloud computing challenges security. The workforce is more mobile than ever, and when operations move off-site, traditional security measures will fall short. As more businesses connect to the cloud, data can become more difficult to defend with firewalls, and cyber criminals are increasingly attracted to the potentially lucrative target. WiFi and cloud-based security services are gaining in popularity.²
Ransomware can infiltrate networks. Whether or not your business is connected to the cloud, ransomware is a serious threat that can quickly derail your operations. Recent events involving the WannaCry ransomware infestation around the globe shows just how much damage this sort of a computer worm can do: once the attachment in the phishing email is opened, the worm spreads through the local network and to remote hosts, encrypting data until the ransom is paid.
Tips to help reduce your risk of cyber attacks
Educate employees. In today’s workplace, security awareness training isn’t a luxury – it’s a necessity. Take the time to teach employees:
- How to recognize cyber threats.
- How cyber attacks operate.
- How to react in case of a cyber attack.
Simulating a phishing attack can be a very effective teaching tool. You should also consider developing a clear BYOD policy, along with WiFi best practices and a social media policy, to share with your staff.
Segment networks. Worried about who’s accessing your files? Manage user privileges to ensure only authorized employees are able to access certain data sets, and remember to communicate any changes you make to the network.
Update software. Keep all software up to date so there are fewer weaknesses for criminals to exploit. It’s important that you apply patches and other software fixes as they become available: keeping your software up-to-date won’t protect you from all attacks, but it may be enough to block automated attacks, and at least discourage many hackers from proceeding.
Invest in a good defense system. Apply a defense in depth approach to your IT system. Using multiple layers of security controls – firewall, intrusion prevention system (IPS) and intrusion defense system (IDS) – you ensure your system has adequate backup in the event that a vulnerability is exploited. The idea is to have an appropriate form of defense against any sort of attack that comes your way.
Stick to your policies. Compiling a list of policies and procedures to keep your business safe is a start, but you’ll have to commit to enforcing those policies if you want to defend against cybercrime. Here are some helpful tips:
- Create protocol for when a company device has been lost or stolen.
- Perform audit checks to ensure policies are being followed.
Be prepared for an emergency. You can’t predict when an attack will come, so it’s always a good idea to have backup and recovery strategies in place and ready to go. Encrypt all sensitive information when storing it or transferring it, but also have a contingency plan in case systems go down. The more closely you monitor your systems, the quicker you’ll be able to respond to attacks.
Cyber risk is growing as cybercrime evolves, and it has never been more important for a business to have a system of precautionary measures in place. Risk management is critical, but it’s not a guarantee against cyber attacks: if your risk assessment indicates your business may be more vulnerable than you thought, it’s worth looking into specialized coverage for some peace of mind. Consider adding Cyber Risk Insurance to your policy, which can provide expert service to help handle the fallout of a privacy breach, along with coverage to help you recover in case a cyber attack brings your operations to a standstill.
Ready to take action with tailored coverage? Request a quote!
¹ Media Release, PWC, January 2016
² Security in 2017 and Beyond: Symantec’s Predictions for the Year Ahead, Symantec, December 2016