NBR Business Reporter talks to MD Ian Pollard about the impact of cyber attacks. “No one can hide from cyber but what matters is bouncing back”, Delta Insurance chief executive Ian Pollard says.
Even if they load the right software, brief their staff and don’t click on strange emails, companies must prepare for a cyber-breach. It’s inevitable.
The headlines show companies being hit every day by cyber-criminals, from the well-defended to the wide open. Even Facebook can’t hold on to its data – and don’t get experts started on the weak security of government databases.
NZI statistics estimate New Zealand registers approximately 108 cyber-attacks on its companies a day while across the globe 44 documents are stolen each second of every day. Those are big numbers, and no one is immune.
Bolstering these sobering statistics, a new white paper by Delta Insurance (Embracing Cyber Risk Management) shows one in five Kiwi SMEs are targeted by cyber-actors at an average cost of about $19,000 a breach. Although SMEs constitute more than 87% of the New Zealand economy, the paper shakes its metaphorical head that only 6% of them hold cyber insurance.
Delta Insurance chief executive Ian Pollard told NBR the game of cat-and-mouse against the cyber-attackers isn’t over – there are still excellent reasons to update antivirus software – but companies are slowly becoming aware that “it’s just a matter of time” before they are struck.
“Well-resourced cyber-criminals and nation-states will find a way into your systems, there’s no doubt about that. But a big part of security is how you bounce back with the right plan beforehand, and the right culture to deal with these issues and face up to them,” he says.
An IBM/Ponemon Institute poll found most organisations are confident they can withstand cyber-attacks (72%) – despite an almost identical number saying they had only informal or even no plans for responding to incidents (77%).
Mr Pollard says while companies may not stop someone getting in, good security could “slow them down or persuade them to move on to another target” if there are appropriate levels of risk management.
“But if you have all your business data in the cloud and for some reason you can no longer access that data, a system to get back up and running quickly can be the difference between corporate life and death, especially for an SME,” he says.
Recovery done well
Mr Pollard says more needs to be done by insurance providers to help companies develop robust recovery systems for beleaguered companies.
“On the one hand, there’s a huge premium market opportunity to grow. The New Zealand cyber-insurance market is estimated at $10 million. I think it will rise to $250 million by 2025.
“But there’s also an opportunity to lose a lot of money if we get this wrong. There have already been some significant losses. Maybe that’s some insurers haven’t been pushing cyber as a product. There is an element of the unknown here,” he says.
Nathan Steiner, head of systems engineering at disaster recovery and management company Veeam, says companies should be focusing more on disaster recovery and recites a story showing how recovery can be done correctly.
He says one of Australia’s leading agribusiness companies recently suffered a cyber breach through a ransomware attack. It was able to protect any further breach or access to its core IP across the four core data centres that were running some of its major operations.
“What did it do? The company was running monitoring software to detect suspected ransomware by looking for highly patterned activity on its business-critical storage platforms. When it picked something up, an escalated trigger was sent to the operations team.
“The organisation was already following an approach of intelligently managing, protecting and recovering its data, which meant it had accessible offsite copies of the impacted systems, applications, workloads, data and services. It was able to seamlessly recover the data and mitigate the spread of the attack.
“What had previously been a six-day recovery time process, it was able to reduce to less than six hours,” Mr Steiner says.
PwC cyber practice partner Steve McCabe recently told a gathering of financial advisors at the Boutique Advisors Alliance (BAA) that recovery is the most “critical” part of any cyber-incident.
“The only metric that really matters is the mean time to recovery: how quickly you can get back to business as usual. Blocking threats with firewalls is useful but recovery is critical.”
He says the criminals aren’t opportunists. Nor are they the small, basement-dwelling hackers familiar to Hollywood. They have budgets, work targets, salaries and structured businesses dedicated to getting sensitive information.
“And they aren’t just looking for money. On the dark web, a credit card record is worth about $7 but a health record is worth about $70. That’s because you can perpetrate a lot more fraud with a health record than a credit card.”
PwC asks companies every year how confident they are about their cyber controls. In 2017, 85% of respondents said they were confident. However, 80% also said they don’t want any more regulation or mandatory testing of those controls. That strikes Mr McCabe as curious.
“How are they so confident in their controls? We know 91% of New Zealand chief executives are concerned about cyber-attacks but what are they doing about it?” Mr McCabe says.
“If I had to spend a dollar on cyber-security, I would spend 40c on education every single day. It’s by far the most effective thing you can do to protect yourself.”
Letting people know
But setting up recovery systems and controls isn’t the full procedure.
Mr Steiner notes that the public is likely to become aware of a breach at some point. And at that moment, an affected company better have its story straight. So, when communicating during recovery, he points out the key elements:
- ensure accuracy and consistency of information (root cause, systems affected, impact);
- make sure it is as timely as possible;
- make sure communication is produced for the targeted audiences (citizens, consumers, customers, partners, internal staff);
- make sure communication is clear and allows for two-way feedback; and
- make sure communication is delivered across diverse mediums (social media platforms, websites, email, integrated systems dashboards etc).
“The average cost per record stolen is $139, according to a 2017 Princeton University study,” Mr Steiner says. “These breaches can be very expensive.
“Yet, what is the measurement of expensive? Costs of recovery? The financial impact of a breach in terms of compliance or regulatory missteps as well as revenue impact in real-time? Costs associated with brand damage and reputational risk?
“A breach and associated costs also need to be put into context within particular markets. The final cost takes on a different context in terms of how cost is measured,” he says.
Mr Steiner agrees with Messrs Pollard and McCabe that, as organisations transform their services to digital and online, they must define and implement the best risk-mitigated approach and frameworks of people, process and technology to intelligently manage, protect and recover their most critical asset – their data.
“A cyber breach in some way, shape or form will affect every organisation. It’s just a question of the impact and consequence based on how well you have decided to prepare and operate,” he says.