As cyber risks multiply, every connected company is bound to have vulnerabilities. The next step is establishing the resilience to bounce back when those weaknesses are exploited. Illustration by Jordon Cheung.
One million new malware threats. That was what Verizon and Symantec discovered in 2015 when they conducted research on the past year’s data breaches and cyber threats. Here’s the critical part: That number wasn’t for the whole year. It was for each day of 2014, when about one million new forms of hostile software emerged every 24 hours, according to Verizon’s 2015 Data Breach Investigations Report.
How could anyone—a person online, a business, an entire industry—throw up a million or more defenses every day to protect against each of those threats? Realistically, they can’t. As the risk-management experts of an insurance-industry group called the CRO Forum wrote in their 2014 report: “The increasing complexity, interconnectivity and interdependency of technology make guaranteed protection impossible.”
In other words, as our connected technologies become more innovative, sophisticated, and numerous, so do their associated risks—so much so that some form of cyberattack or invasion is inevitable. Every aspect of our world that becomes “smart” and networked—whether it’s a car, a virtual-reality headset, or a pacemaker—also becomes vulnerable to hostile software and hackers.
As more and more everyday processes are brought online by those technologies, cyber attacks have become about much more than simple data theft or security breaches. “Richard Clarke, formerly of the White House, the former national coordinator for security, infrastructure protection and counter-terrorism, uses the acronym CHEW, describing the exposures as Crime, Hacktivism, Espionage, and War,” says Catherine Mulligan, senior vice president of specialty products at Zurich North America. “What that means is that, along with data-breach potential, there is bodily-injury potential and property-damage potential.”
Imagine, for example, if hackers were able to compromise an autonomous car’s control system. They could gain access to a vast amount of the owner’s personal information, but more worrisome would be the potential for them to gain control of the car itself, to harm the owner or use the car as a weapon. If a hacker remotely disrupted someone’s pacemaker, the result could likewise be fatal.
That is why Zurich’s Mulligan says enterprises—whether small, medium-sized, or large and international—need to think of cyber events as a potential threat to their companies’ very existence. That requires attention to cyber hygiene (constant vigilance over software, rigorous cyber-security practices), enterprise-wide education, and an approach that prioritizes post-attack resiliency, not just protection. “We’re evaluating the exposures and the best ways of crafting insurance solutions that are appropriate for various claims,” says Mulligan. “The risk-management piece is the other element here.”
The approach is analogous to health care: We should be doing all we can to avoid getting sick even though it’s bound to happen sooner or later. Doctors—and patients, too—need to be nimble and resilient enough to identify problems and put treatment plans in place quickly in order to recover as soon as possible.
“Technology experts are going to tell you this isn’t a matter of keeping people out,” says Mulligan. “We’re trying to encourage customers to move from a mindset of protection to a mindset of resiliency.” It’s not about building a wall anymore—it’s about recovering quickly when someone gets past the wall.
Even top government officials know that mere data theft isn’t the worst-case scenario. As Director of National Intelligence James Clapper wrote last year to the House Subcommittee on Intelligence, “we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity.”
If that does happen—if data or entire system architectures are altered by an outside attacker—the effects could be catastrophic. A business that bases its decisions on the review and analysis of data stored in the cloud could be completely derailed if it’s fed inaccurate information. A hospital acting on the basis of compromised data on a patient’s health could likewise cause grave injury or death. Across the industrial landscape, in light of new technologies that are revolutionizing everything from finance to entertainment, cyber risk is no longer just about protecting data: It could very much be about protecting lives.
“This is no longer a matter of technical sophistication,” says Mulligan. “It’s really viewed as something that multiple stakeholders at a firm need to be engaged in. There has to be visibility at the board level.” In other words, concern about cyber threats and resilience must no longer be confined to the IT department: Attention should be enterprise-wide, with everyone up to and including the CEO attuned to the risks and participating as fully as necessary in the planning, testing, and execution of cyber-security efforts.
While certain institutions in certain industries, particularly finance, are picking up on the importance of company-wide education and awareness, threats are still outrunning security measures. Verizon’s report found that most data breaches take weeks, if not months, to discover. During that time, hackers can not only take information but also disrupt a firm’s operations profoundly. Many enterprises lack the ability to detect breaches quickly, and some lack the ability to detect them at all: The security firm Trustwave found that only 19 percent of data breaches within its customer base in 2014 were detected by their targets, with the remainder discovered by third parties long after the fact.
A range of procedures, tools, and established practices is what makes a company resilient enough to maintain its systems’ security, integrity, and reliability as it brings on ever smarter, more connected technologies. In this continuing series of articles exploring the many faces of cyber risk, we’ll take a look at some of the most important of those technologies—3D printing, the Internet of Things, and wearable biometric devices—to see how their special characteristics make for unique risks and vulnerabilities.
Printing software that can make any design a reality; a network that puts an increasing number of smart devices in conversation with each other; electronics that can both measure and improve your health: The possibilities are endless. So are the risks.