Recent, high-profile incidents show that every business is at risk of suffering a data security breach, regardless of size, resources or sophistication. To combat the risk, many organizations are taking steps to identify and secure organizational vulnerabilities, such as wireless networks, laptop computers, and even the office copy machine. However, a report by Zurich Insurance and the Atlantic Council suggests organizations must look beyond their own operations to truly recognize their exposure to cyber risks.
Businesses are increasingly using the internet and information technology functions to expand their operations and create opportunities. They are also increasing their exposure to external cyber risks that are often beyond their control. This is why businesses need to expand their horizon when evaluating and managing cyber risks. According to the report, businesses must consider these seven aggregations of cyber risk to fully understand their exposure.
- Internal IT Enterprise: Risks associated with an organization’s internal IT (hardware, software, servers, processes).
- Counterparties and Partners: Risks from dependence on or interconnection with outside organizations.
- Outsource and Contract: Risks from contractual relationships with third-parties (IT and cloud providers, legal, accounting).
- Supply Chain: Risks to supply chains in the IT sector and cyber risks to traditional supply chains and logistics.
- Disruptive Technologies: Risks caused by unseen effects from, or disruptions to new technologies (smart grids, embedded medical devices, driverless cars), or existing but poorly understood technologies (internet, networks).
- Upstream Infrastructure: Risks from disruptions to infrastructure relied on by economies and societies (electricity, telecommunications, financial systems).
- External Shocks: Risks from incidents outside the system (international conflicts, acts of terrorism, malware pandemic).
Despite the external risks resulting from increased outsourcing and interconnectivity, businesses are urged to continue taking steps to control their internal cyber risks. According to the report, there are a relatively small number of actions that every organization can take to protect against most cyber risks, such as:
- Implementing applicationwhite-listing to prevent systems from running programs that have not been pre-approved, such as malicious software
- Using standard secure system configurations to keep systems simple and easier to defend.
- Installing patch software for systems and applications within 48 hours of being released by the software manufacturers
- Controlling administrative privileges to only those who need it and can be trusted with it
The report also recommends that businesses:
- Expand their risk horizon to consider the seven aggregations of risk
- Have cyber insurance, particularly for third-party risks associated with data breaches or business interruption
- Deal with cyber risks at the board-level
Finally, the report states that resiliency is the key in a world where the number of cyber risks is increasing and the ability to control them is decreasing. To survive cyber threats and limit their impact, the report recommends that every business:
- Incorporate redundancies in critical systems
- Implement incident response and business continuity plans
- Utilize scenario planning and exercises to stay prepared
As we have seen, nothing is foolproof, so businesses should use insurance to protect against cyber risks. There are a number of cyber liability products that protect against privacy injuries, such as identity theft, and that cover the cost of complying with various data breach notice laws.
Given the complexity of the risk, an experienced insurance agent should be consulted to ensure that adequate coverage is obtained. If you would like to learn more about insuring against cyber risks, contact us.
If you would like to learn more about preventing data security breaches, take our online course Information Risk Management: Strategies for Preventing and Mitigating Information Security Breaches.