Many multinational companies—across all sectors—continue to underestimate the risks posed by cyber-crime, leaving themselves vulnerable to a security breach.

Even as cyber-attacks on corporate networks become epidemic, such risks have done little to elicit the type of alarm that senior leadership teams should be sounding, says Sean Joyce, former FBI deputy director and now principal of PwC's U.S. Advisory Forensics Services practice. “It's a 21st Century risk that a lot of companies have not really come to grips with,” he says.

A global fraud survey conducted by Ernst & Young supports that assertion. According to the report, 48 percent of 2,719 executives in 59 countries polled said they see cyber-crime as posing a “low risk” to their business. “I find that a little bit surprising,” says Peter Trahon, executive director of EY's Fraud Investigation & Services practice.

The EY report also found that the higher up the chain of command, the lower the perceived threat. According to the report, 50 percent of chief executive officers view cyber-crime as a high risk, compared to 61 percent of chief compliance officers.

One reason why many senior leadership teams continue to underestimate the risks posed by cyber-crime may have to do, in part, with who owns the risk. “A lot of corporations view this as a technical problem, and it's buried in an IT silo,” Trahon says.

Many senior leaders also mistakenly assume cyber-security is an IT issue. “Consequently, IT folks think the same way,” Trahon adds. As a result, when a breach occurs, IT does everything in its power to fix it, but the senior leadership team doesn't always get wind of the breach. “The chief executive officers and other senior leadership just aren't properly informed,” he says.

The perceived threat level of a cyber-attack also varies significantly among different industries. In the EY report, out of 264 respondents in the financial services sector, for example, 66 percent said they believe cyber-crime poses a high risk. Most companies (60 percent out of 184 respondents) in the technology and communications industries also said cyber-crime poses a high risk.

In comparison, industries that perceive cyber-crime as posing a low risk to their business include manufacturing and chemicals (53 percent); oil, gas, and mining (51 percent); and consumer products and retail (49 percent).

These differences in perceived threat levels may be a reflection of each industry's level of maturity in the cyber-security space. “Some companies do a really good job at managing the risk,” Joyce says. “Others don't do as well.”


Where companies are located around the world also plays a role in their level of concern. For example, 70 percent of respondents in the United States said cyber-crime poses a high risk. In comparison, less than 35 percent of respondents in countries like Singapore, the Netherlands, and Canada see the risk as high.

Among companies that did experience a breach, most respondents admitted that they did not disclose it. According to the EY report, 74 percent of respondents said they had not made any public disclosure in relation to the breach, despite the increasing pressure from regulators to make such disclosures.

Types of Threats

The type of cyber-criminals that pose the biggest threats to each company varies by sector. As the EY report cautioned, “developing an effective response is difficult without a proper understanding of the potential sources of attacks.”

[Figure: A REAL AND GROWING RISK. Respondents to EY's fraud survey of 2,700 executives were asked: How much of a risk would you say cyber-crime poses to organizations like yours? The “none of the above” and “don't know” percentages have been omitted to allow better comparison between the responses given. Source: EY.]

According to the EY report, 48 percent of respondents said hackers and hacktivists pose the biggest threat to their business. Other concerns included competitors (34 percent); employees or contractors (33 percent); and organized crime (25 percent). Only 6 percent expressed concern about foreign nation states.

“Each industry needs to look at its particular data assets and find out which threat is most likely the highest risk to it,” Trahon says. For example, one of the biggest threats to the financial services and retail industries is organized crime, whose target is often personally identifiable information.

“There is an entire underworld of selling stolen information,” says Brian Finch, a partner in the law firm Pillsbury. “It's a pretty sophisticated black market.”

For companies in the technology and communications industry, whose biggest risk is the theft of intellectual property, a huge concern is “independent groups that are operating with the blind eye of the host government,” Finch says.

All sectors should be concerned about insider threats, with a particular eye toward “privileged user abusers,” Trahon says. It's not unusual for executives to want to have full access to the company's internal network, “when, in reality, they really shouldn't have it,” he says. “It just increases vulnerabilities.”

Managing the Outcome

Cyber-crime is a lucrative business. In fact, a recent report conducted by McAfee and the Center for Strategic and International Studies puts the estimated annual cost to the global economy from cyber-crime at more than $400 billion.

[Figure: THREATS FROM WITHIN AND WITHOUT. Respondents to EY's fraud survey of 2,700 executives were asked: Thinking of the following sources of cyber-crime, which one or two of the following, if any, concerns you the most? The “none of the above” and “don't know” percentages have been omitted to allow better comparison between the responses given. Source: EY.]

“The availability of malware and cyber-criminals for hire is enormous, and the likelihood of being caught, much less suffering any sort of punishment, is minimal,” Finch says. “We're always going to be subject to attacks.”

All that companies can do is manage that outcome as best they can, security experts say. How successful a company is in achieving that outcome is measured by how quickly it can identify the source of the attack and how quickly it can respond, Trahon says. It needs to have a plan for what to do before, during, and after a breach occurs, he says.

Trahon recommends that companies follow the Framework for Improving Critical Infrastructure Cybersecurity, released by the U.S. government's National Institute of Standards and Technology (NIST) in February 2014. The Framework is intended to provide companies with a set of industry standards and best practices for managing their cyber-security risks.

Cyber-security mitigation is not a static process. “Companies need to realize that they have to constantly revisit their cyber-defenses,” Finch says. It has to be a process of continuously reevaluating risk and adjusting mitigation measures accordingly.