Cyber Wars

We all have a pretty clear idea of the damage a fire or a flood can do. But it is harder to conceptualize the scope of damages or liabilities that can arise from the technological innovations we count on every day. The term cyber risk has come to encapsulate a wide variety of potential threats that stem from transition to an information-based economy. But what do companies really need to know about cyber risk?

Because sources of cyber risk are continually growing and coming to our attention, it is important not to get caught up in fear-mongering and misinformation. Instead, risk managers can empower their organizations through increased awareness about unique needs and exposures. A realistic awareness of cyber risk is paramount to protecting a company’s network, clients and business.

EVOLVING RISKS

CIO Canada magazine teamed with Athabasca University the past four years to survey Canadian companies on a variety of IT issues, including security. The survey found that 37% of respondents had at least one serious breach of security in a single year, with 7% saying they had a serious breach of customer privacy. Even so, only 44% of the companies surveyed indicated that they had a disaster recovery plan in place.

Most of us are familiar with the potentially devastating effects of computer “viruses” and “worms”, which are growing increasingly powerful. In early May 2004, the “Sasser worm” shut down the computer system of the North Wales Coast Guard, leaving staff unable to access emergency service contacts stored in its database, while a major bank in Finland was forced to close 120 of its offices to update anti-virus software against Sasser. The impact of Sasser spread worldwide, affecting businesses, governments and banking operations in North America, Asia and Australia.

Having operations grind to a halt is bad enough, but keep in mind that companies can also be held liable for transmitting a virus. Emerging threats like cyber extortion and cyber terrorism often go unheeded and might seem a little too “sci-fi”. “Distributed denial of service (DDoS)” attacks have run rampant in the online gambling industry, with blackmailers threatening to crash operations if they are not paid. This kind of cyber-crime has also made its way to the mainstream business world. Perhaps the most well known case of cyber-extortion occurred in August 2000, when Michael Bloomberg, now mayor of New York City, addressed threats from two hackers claiming they could compromise his company’s global financial information network. The two men had demanded $200,000 in “consultancy fees” for the information. It is this reason, as well as the risk to corporate reputation, that many cases of cyber-extortion go unreported.

Hackers can demand money for a variety of threatened actions, including theft of confidential client information and threats to make that information public. Like viruses, new forms and methods of cyber-crime are being developed at an increasing rate.

In addition to cyber extortion there are a number of other threats and sources of cyber risk. Even if your company’s website is strictly informative, with no e-commerce operations, the content can be subject to cyber risk. Copyright infringement and libel are just two of the legal implications of website content that is not strictly monitored. That means that if an outside user posts defamatory material on a website’s bulletin board, the company maintaining the website can be found responsible.

Indeed, 51% of respondents to the CIO Canada/Athabasca survey say they do not report security breeches to authorities. And in many ways it is understandable that companies are hesitant to show their vulnerability. Just as you would not feel safe entering a building that had fire damage, you would be cautious entering a virtual structure that had been violated in some way.

MANAGING RISK

Think back five, or even two years, and consider how our daily lives have changed with technology. It is important to be aware that cyber risk evolves at the same pace as other innovations, possibly even faster. Ahead of each new breakthrough is a way to break it down.

Just as global business operations have been enhanced by technology, perpetrators of cyber-crimes do not fit a single mould and can operate from anywhere in the world. A German teenager was arrested for authoring the Sasser worm, while the cyber-extortionists in the Bloomberg case hailed from Kazakhstan and operated out of the U.K. But, attacks do not always come from far afield – disgruntled employees are another likely source of an attack.

How then, in such a large and ever-changing technology environment, can organizations protect themselves from threats to their networks? The answer lies in comprehensive cyber risk management that begins with an initial assessment that identifies corporate assets and the risks those assets face. This means examining assets and critical functions within networks, websites and general computer applications. How are you prepared, both financially and in terms of capability to deal with any interruptions, losses or attacks? With traditional commercial policies rarely extending into cyberspace, an assessment of coverage is an important step toward security. New specialized policies are emerging that provide coverage for third-party liability (such as damage to third parties from a virus/inadvertent release of confidential information) and for first-party losses (data reconstruction costs because of theft, corruption, deletion, business interruption because of a virus, DDos or cyber extortion demands by hackers). Identifying the various exposures a company faces through cyber risks will give that organization the knowledge necessary to separate fiction from reality.