When it comes to cyber risk, business leaders at international risk analytics firm, Cyence, have dubbed 2017, “the year of the hurricane.”
The rise of the Internet of Things, increased automation of industrial controls and supply chain management, dependency on cloud infrastructure, sophisticated ransomware and the level of our interconnectivity means cyber is no longer just about data protection. Cyber risk now strikes at the core of business operations for anyone connected to the internet, regardless of the size or scope of their business affairs.
If the last 12 months or so have demonstrated one thing in the world of cyber risk, it’s that no one is immune. If you’re a small Canadian business selling professional services in Canada or internationally, you’re at risk. If you sell goods online, you’re at risk. If you rely on manufacturing, energy, supply chain, online retail platforms, or have cloud data storage, you’re at risk. If you have employees, cyber risk should be top of mind. Cyber risk is now a key concern for any business that uses the internet and should be part of your overall risk and cash flow management strategy.
1 – Internet of Things
The number of devices connected to the internet – labeled the Internet of Things (IoT) — is growing at an astonishing pace. By 2020, the number of IoT devices is expected to reach 200 billion, up from two billion in 2006, according to global research firm, International Data Corporation.
Every connected device is a potential point of entry for an attacker, and so is every interaction an employee has with the internet. In fact, much of the risk stems from employee behaviour.
According to PwC Canada’s Global State of Information Security Survey 2018, 63% of Canadian business leaders estimate that employees (current or former) were the source of the breaches they experienced.
Employee activity ranges in scope. In some cases it’s as simple as sharing password information or inadvertently opening fraudulent emails that look legitimate. It could also be a lack of awareness of basic security processes like applying software updates. In other cases, former or disgruntled employees have deliberately leaked trade information to make money or seek revenge.
Despite the human component, where cyber security programs do exist, most companies rely mainly on technology to assess, monitor and control cyber risk.
The PwC survey reports the following processes as the most used by Canadian companies to identify cyber risks in business systems:
- Penetration tests – 40%
- Threat assessments – 37%
- Vulnerability assessments – 41%
- Active monitoring of information security intelligence – 38%
“Generally speaking, most people are focusing on firewalls and/or monitoring electronic data systems to see which files are being accessed or downloaded,” says Dr. Helen Ofosu, HR Consultant and Psychologist at I/O Advisory Services, who has been researching the convergence of cyber and human resources (HR). “It’s not just technology and software that drives these things; it’s human behaviour.”
“As part of cyber risk management, companies should be involving HR who has been trained by somebody who understands the human aspects of these breaches,” says Ofosu. “The problem is that although the cyber security experts acknowledge that humans are the weakest link, there are few people who understand how to address this problem. Consequently, they are overlooking entire categories of human behaviour that can’t be easily measured by IT systems and solutions.”
2 – Automation of business processes and operations
What types of devices do you have connected and how do they impact the essential operations of your business? Beyond the number of connected devices, automation of business processes means critical components of your firm’s affairs are vulnerable to cyber disruption. The huge advances and rapid adoption of technology, including artificial intelligence, security monitoring, autonomous vehicles, machine learning, digital currency, cloud computing and analytics are sources of efficiency. But if they are central to the functioning of your business, they need to be considered as part of your overall enterprise risk management plan.
Only 49% of Canadian business leaders recognize that emerging technologies can disrupt operations or manufacturing, according to PwC Canada’s survey.
3 – Ransomware is developing as fast as the countering technology
It’s hard to imagine a year in which the UK’s health service, the largest credit agency in North America and Amazon’s cloud platform were all knocked offline (the first two by attackers; Amazon’s outage, as it turned out, was self-inflicted, but the businesses depending on it suffered all the same). The reality is that ransomware is getting more sophisticated, attackers are better funded and their motivations are complex. It’s no longer just about stealing data, it’s about disruption. And with a significant spike in ransomware payouts since 2016, extortion is also a factor. If players in the supply chain and major retailers are vulnerable, the potential for trickle-down to smaller businesses is real.
“Here’s the grim reality of the business,” says Tim Truman, Cyber Security Architect at SC Canada Services Inc. “If somebody wants you bad enough and they have the time, the money, the resources, the bodies and the expertise to throw at it, you’re had, that’s just a given.”
Although there have been few high profile breaches in Canada, research from the Canadian Internet Registration Authority (CIRA) suggests Canadian firms are significantly at risk.
“Canada receives 7% of large DDoS attacks over 10 Gbps, giving us the dubious ranking of 5th in the world (Arbor Networks 12th Annual Worldwide Infrastructure Security Report),” reports CIRA in its Fall 2017 IT security threat review.
4 – Our interconnectivity means we’re only as strong as the weakest link in the supply chain
In its 2017 survey of more than 2,000 U.S. companies, global insurance broker Willis Towers Watson found there is evidence that cyber risk management hasn’t become the high-level corporate priority that it should be. Despite more than 85% of business leaders surveyed citing cyber security as a top priority for their company, just 11% said they’d actually “adopted and articulated a cyber risk strategy.”
Of those who had a strategy in place, less than a third (28%) said they had effectively communicated the cyber risk strategy with stated objectives and goals to employees. Just 8%, meanwhile, reported to have embedded cyber risk management within their company culture.
Regardless of how seriously Canadian companies are taking cyber risk – and we still have a long way to go—we are only as strong as the weakest link when it comes to cyber.
It was a year that began in October 2016 with a massive distributed denial of service (DDoS) attack on the DNS infrastructure of Dyn, based in New Hampshire. The Mirai malware had infected poorly secured internet-connected devices across the globe, from digital video recorders to IP cameras and home routers, turning them into a botnet army that went on to flood Dyn’s servers with queries. Because so many popular services relied on Dyn to resolve their domain names, the result was a multi-hour blackout in North America and parts of Europe for business platforms like Amazon, Netflix and PayPal, costing an estimated US$110 million in business interruption losses for dependent companies.
In February 2017, Amazon Web Services, a key cloud provider for tens of thousands of companies and a hub for millions of users across the world, suffered a roughly four-hour outage of its S3 storage service in its US-East region. AWS attributed the outage to an operator error during maintenance rather than an attack, but for the businesses built on top of it the effect was the same as a successful one: the shutdown cost dependent S&P 500 companies alone approximately US$150 million.
As the year progressed, the nature and size of attacks grew and shifted. Beginning in May, attackers exploited a known but unpatched vulnerability in a web application at credit agency Equifax; by the time the breach was disclosed in September, it had exposed the personal data of 143 million Americans and about 100,000 Canadians.
In June, after being struck by the NotPetya malware, “Ukraine’s Chernobyl Nuclear Power Plant went offline, India’s largest port was brought to a standstill, and a number of global companies were impacted,” write George Ng, the Chief Technology Officer and Co-founder of Cyence, and his colleague, Philip Rosace, in Marsh and McLennan’s 2018 Cyber Handbook.
NotPetya triggered a multi-day, $300-million shutdown of operations for A.P. Moller-Maersk, the world’s largest container shipping firm, causing major supply chain disruptions around the world. US-based FedEx was hit in the same June outbreak through its European subsidiary TNT Express; in September it put the business interruption cost at roughly $300 million, and deliveries for businesses that rely on the service were crippled for weeks.
“Like a natural disaster, these events affected wide swaths of enterprises by failures in common points of dependency,” write Ng and Rosace in the Marsh report.
Glossary of cyber risk terms
Distributed Denial of Service (DDoS) attack – A DDoS attack makes a website or online service unavailable by overwhelming it with traffic. Every time you visit a web address, your browser sends a request that travels across the network as data packets to the server hosting the site, and that server can only answer so many requests at once.
In a DDoS attack, the attacker directs a flood of requests at a single target from many sources at the same time, typically a botnet of compromised devices, so the flood cannot be stopped simply by blocking one address. The server, or the network link in front of it, runs out of capacity and legitimate visitors are turned away. (This is different from traffic hijacking, where attackers redirect requests away from a legitimate site, sometimes toward a look-alike site of their own, in order to steal or manipulate data.)
The resulting outage can be costly in itself, and a DDoS attack is sometimes launched as a distraction while the attackers go after data elsewhere on the network.
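As an added illustration of the point above (this is example code written for this page, not something from the article or from any of the firms it quotes), the Python script below runs over a handful of constructed web-server log lines and shows why a flood from many sources is harder to stop than one abusive client: a per-address rate limit catches the single client but never fires on the distributed flood, because each bot sends only one request. All addresses, hostnames and thresholds are made up for the demo.

```python
"""Telling a distributed flood apart from a single abusive client in web logs.

Added example, not from the original article. The log lines below are
constructed for the demo and use the reserved documentation address ranges
(192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); the paths and thresholds
are hypothetical.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# "Combined" access-log format used by Apache and nginx:
#   client_ip - user [day/Mon/year:HH:MM:SS +zone] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line):
    """Return (client_ip, timestamp, request, status) or None for junk lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, stamp, request, status, _size = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, request, int(status)


def requests_by_second(lines):
    """Map each one-second bucket to a Counter of requests per client IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines instead of crashing on them
        ip, when, _request, _status = parsed
        buckets[when.replace(microsecond=0)][ip] += 1
    return buckets


def detect_flood(lines, rate_threshold=20, per_ip_limit=10):
    """Flag any second whose request volume reaches rate_threshold.

    For each flagged second, report whether the load came from one address
    (which a per-IP rate limit would stop) or was spread across many
    (which it would not).
    """
    findings = []
    for second, per_ip in sorted(requests_by_second(lines).items()):
        total = sum(per_ip.values())
        if total < rate_threshold:
            continue
        max_per_ip = max(per_ip.values())
        findings.append({
            "second": second.isoformat(),
            "total": total,
            "distinct_ips": len(per_ip),
            "max_per_ip": max_per_ip,
            # per-IP limiting only helps when one client is doing the damage
            "per_ip_limit_fires": max_per_ip > per_ip_limit,
            "kind": "distributed" if max_per_ip <= per_ip_limit else "single-source",
        })
    return findings


def _line(ip, second, path="/"):
    """Build one constructed log line at 10:00:<second> on 26 Oct 2016."""
    return f'{ip} - - [26/Oct/2016:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


SAMPLE_LOG = []
# Normal traffic: three regular visitors, one request each per second.
for s in range(5):
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        SAMPLE_LOG.append(_line(ip, s))
# Distributed flood at second 5: forty bots, one request each.
for i in range(40):
    SAMPLE_LOG.append(_line(f"198.51.100.{i + 1}", 5, "/login"))
# Single abusive client at second 6: thirty requests from one address.
for _ in range(30):
    SAMPLE_LOG.append(_line("192.0.2.99", 6, "/search?q=x"))
SAMPLE_LOG.append("this line is corrupt and should be skipped")


if __name__ == "__main__":
    for finding in detect_flood(SAMPLE_LOG):
        print(finding)
```

Run as-is, the script reports two flagged seconds: second 5 is a distributed flood (40 requests, 40 addresses, at most 1 per address, so the per-IP limit stays silent) and second 6 is a single-source burst (30 requests from one address) that the per-IP limit catches. Real attacks are orders of magnitude larger, and the practical defence is upstream capacity (a CDN or scrubbing service) rather than anything the overloaded server can do for itself, but the shape of the data is the same.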
Internet of Things
The Internet of Things (IoT) refers to any device that is connected to the internet beyond traditional computers, laptops, smartphones and tablets. Made possible by the same inexpensive networked chips that went into phones and tablets, examples for personal use include connected cars and GPS units, refrigerators, household furnaces, watches and fitness trackers such as Fitbits. In the business world, we’re seeing a rise of IoT camera surveillance and remote monitoring of industrial systems. IoT technology has developed rapidly in the past five years, and many of these devices ship with default passwords and never receive security updates, which is exactly what made them so useful to Mirai.
Botnet – A botnet is a network of internet-connected devices (computers or IoT devices) that have been taken over by a hacker, usually without their owners’ knowledge, and can be commanded as a group. In a DDoS attack, the hacker instructs the botnet to send millions of requests to the target’s servers simultaneously, overloading them.
Phishing – Have you ever received an email that looks like it may be from a legitimate source, like your bank or your boss, asking you to do something or share some kind of private information? This is called phishing. These fraudulent emails are a tactic used by hackers to induce people to inadvertently share information (a password, say) or take some kind of action, such as opening an attachment or approving a payment, that helps the hacker toward their end goal. A common tell is a sender address that almost, but not quite, matches the organisation it claims to be from.
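The look-alike sender address mentioned above is something a mail gateway or a cautious employee can check for mechanically. The Python below is an added example written for this page (not code from the article or from any product it names); it classifies a From: header against a list of domains you trust and catches the three usual tricks: swapped look-alike characters, a trusted name buried as a subdomain of an attacker’s domain, and a brand in the display name with an unrelated sending domain. The trusted domain examplebank.ca, every header, the confusable-character table and the two-label “registrable domain” rule are all assumptions for the demo.

```python
"""Spotting look-alike sender domains in a phishing email's From: header.

Added example, not from the original article. The trusted domain and every
message header below are constructed for the demo; the confusable table and
the two-label "registrable domain" rule are simplifying assumptions.
"""
import re
from email.utils import parseaddr

# Character sequences attackers swap because they look alike in many fonts.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def fold_confusables(text):
    """Normalise look-alike sequences so 'examp1e' and 'exarnple' compare as 'example'."""
    text = text.lower()
    for lookalike, canonical in CONFUSABLES:
        text = text.replace(lookalike, canonical)
    return text


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits turning a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # delete
                               current[j - 1] + 1,              # insert
                               previous[j - 1] + (ca != cb)))   # substitute
        previous = current
    return previous[-1]


def registrable_domain(domain):
    """Last two labels of a hostname (assumption: ignores multi-part TLDs like .co.uk)."""
    return ".".join(domain.split(".")[-2:])


def assess_sender(from_header, trusted_domains, max_distance=2):
    """Classify a From: header as trusted, lookalike, brand-in-name, unknown or malformed."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    result = {"address": address, "domain": domain}
    if not domain:
        return {**result, "verdict": "malformed", "reason": "no domain in address"}
    reg = registrable_domain(domain)
    trusted = [t.lower() for t in trusted_domains]

    if reg in trusted:
        return {**result, "verdict": "trusted", "reason": f"{reg} is a trusted domain"}
    for t in trusted:
        # examplebank.ca.login-verify.net: the real name is only a subdomain label
        if domain.startswith(t + ".") or ("." + t + ".") in ("." + domain):
            return {**result, "verdict": "lookalike",
                    "reason": f"trusted name {t} embedded under {reg}"}
        if fold_confusables(reg) == fold_confusables(t):
            return {**result, "verdict": "lookalike",
                    "reason": f"{reg} uses look-alike characters for {t}"}
        if edit_distance(reg, t) <= max_distance:
            return {**result, "verdict": "lookalike",
                    "reason": f"{reg} is within {max_distance} edits of {t}"}
    # The display name claims the brand but the mail comes from somewhere else.
    name_tokens = re.sub(r"[^a-z0-9]", "", display_name.lower())
    for t in trusted:
        brand = t.split(".")[0]
        if brand and brand in name_tokens:
            return {**result, "verdict": "brand-in-name",
                    "reason": f"display name mentions {brand} but domain is {reg}"}
    return {**result, "verdict": "unknown", "reason": "no relation to a trusted domain"}


if __name__ == "__main__":
    for header in ("Example Bank <alerts@examplebank.ca>",
                   "Example Bank <alerts@examp1ebank.ca>",
                   "Example Bank <security@examplebank.ca.login-verify.net>",
                   "Example Bank <noreply@mailer.example.net>"):
        print(assess_sender(header, ["examplebank.ca"]))
```

The edit-distance rule is deliberately loose: it will also flag a legitimate sibling such as examplebank.com against a trusted examplebank.ca, so in practice every domain the organisation really uses goes on the trusted list. This check looks only at what the sender claims; it does not verify the claim, which is what SPF, DKIM and DMARC on the receiving gateway are for.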
Malware – Short for malicious software, this is the umbrella term for any program designed to do something harmful to your computer or your network. A virus is one kind of malware; ransomware and the code that turns a device into part of a botnet are others.
Ransomware – Ransomware is a particular type of malware which, in effect, kidnaps your data and holds it hostage: it encrypts your files so that you can no longer read them. In the same way an abductor might demand money or some kind of action in exchange for the release of the abducted, the criminals won’t hand over the key to unlock your data until you pay up, and there is no guarantee they will even then. Backups that the malware cannot reach are the main defence.
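Because ransomware must rewrite many files with encrypted contents in a short time, that activity pattern is something a monitoring agent can watch for. The Python below is an added example written for this page (not code from the article): it measures how random a file’s new contents look and flags a burst of such writes to many distinct files within a few seconds. The file-write events, paths and timings are constructed in memory, random bytes stand in for ciphertext, and the entropy and burst thresholds are assumptions for the demo.

```python
"""Detecting a ransomware encryption burst from file-write events.

Added example, not from the original article. The write events below are
constructed in memory (no files are touched); paths, timings and the
entropy/burst thresholds are assumptions for the demo.
"""
import math
import os


def shannon_entropy(data):
    """Bits of entropy per byte: ~8.0 for encrypted or random data, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data, threshold=7.5):
    """High-entropy content is what ransomware leaves behind (but so are zips and JPEGs)."""
    return shannon_entropy(data) >= threshold


def detect_burst(events, window=10.0, min_files=20):
    """Find the densest window of high-entropy writes to distinct files.

    events: iterable of (timestamp_seconds, path, new_contents).
    Returns (window_start, file_count) for the window of `window` seconds
    holding the most high-entropy writes to distinct files, if that count
    reaches `min_files`; otherwise None. One encrypted file is normal;
    dozens within seconds is not.
    """
    suspicious = sorted((t, path) for t, path, data in events if looks_encrypted(data))
    best = None
    for i, (start, _path) in enumerate(suspicious):
        files = {path for t, path in suspicious[i:] if t < start + window}
        if len(files) >= min_files and (best is None or len(files) > best[1]):
            best = (start, len(files))
    return best


# Constructed activity. A user saves a few plain-text documents over a minute...
TEXT = b"Quarterly report: revenue up 3 percent, costs flat, headcount unchanged.\n" * 60
NORMAL_EVENTS = [(10.0 * i, f"/home/user/docs/report{i}.txt", TEXT) for i in range(6)]
# ...then 25 files are rewritten with random bytes (standing in for ciphertext)
# in 2.5 seconds, each renamed with an appended extension as ransomware typically does.
RANSOM_EVENTS = [(100.0 + 0.1 * i, f"/home/user/docs/file{i}.docx.locked", os.urandom(4096))
                 for i in range(25)]


if __name__ == "__main__":
    print("normal activity:", detect_burst(NORMAL_EVENTS))
    print("encryption burst:", detect_burst(NORMAL_EVENTS + RANSOM_EVENTS))
```

Entropy alone is a weak signal, since compressed archives, images and encrypted backups all score as high as ciphertext; what makes the detector useful is the combination with volume and speed, and production tools add further evidence such as the renaming pattern, canary files that nothing legitimate should touch, and the identity of the process doing the writing.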
Patch – As the name suggests, a patch is an update to software you already have that closes a hole or fixes a bug, making it more resilient to attack. A patch only protects you once it is applied: the Equifax breach exploited a vulnerability for which a patch had been available for months.