May 29, 2015 by Angela Stelmakowich, Editor
Organizations and regulators alike need to wake up to the fact that the good guys lag the bad guys when it comes to cyber security and this makes timely adoption of measures ranging from stricter reporting requirements to viewing cyber as an enterprise risk critically important, Serge Solski, vice president of business development for Watsec Cyber Risk Management, suggested during a panel discussion in downtown Toronto Thursday.
Speaking at the Insurance Institute of Canada’s inaugural Emerging Issues Forum, Solski said people and organizations are becoming more aware of the cyber security problem, but likely not quickly enough.
He said his opinion is “the bad guys are figuring out that we’re waking up to this,” and have responded by becoming even more prepared and more skilled.
Cyber crime is big business, Solski told attendees. “These are professional people. These are buildings of dedicated people who that’s what they do,” he commented, adding that one hears about “criminal organizations putting people through school to be trained to do this.”
Given the urgency, Solski said he has a “level of impatience with the way things are progressing, especially in Canada.” Part of that impatience stems from an absence of reporting demands and mechanisms to report.
In the United States, for example, 47 states are required to report cyber security breaches, he pointed out. But beyond having reporting requirements, he suggested these need to be strong enough to ensure compliance.
Citing results of a 2013 survey, Solski reported that 57% of respondents said they would never report a breach even if required by law. The reluctance could relate to the stigma of being breached or concerns that customers or clients whose information had been breached may no longer want to deal with that business or organization, he suggested.
“Are you going to trust me to handle that information? Are you going to trust to do business with me? Are you going to trust to partner with me?” he asked. “So even when there’s regulations, they’re too weak. The requirement is too weak. There’s no sharing of information,” he said.
Time is of the essence in light of the significant losses associated with cyber crime. “These are not small losses; these are serious losses. And these are impacting losses that can be right from a nuisance to being end-of-life business incidents,” Solski told attendees.
Citing survey results from this year, he said 48% of the firms polled reported being hit one to five times, 15% six to 10 times, and 7% 10 or more times.
As such, “71% of businesses are getting hit more than once. How do you insure that? How many times are you going to get a claim until, eventually, you’re going to get in a self-insured mode pretty quick, right?” he commented.
Small businesses may, in fact, be at even greater risk, Solski suggested. He pointed to a survey that indicated one in five small business is going to be hit with a cyber attack. Of those, “60% won’t last more than six months because of the financial repercussions from the cyber attack,” he added.
Some consider cyber crime to be the number one emerging and evolving risk, Solski told forum attendees. Why? That goes back to “its prevalence and its prevalence is mostly going unreported,” he noted.
But there is also a need for businesses and organization to change their view of what cyber risk is, Solski argued. A common myth is that cyber risk is an IT risk, and this thinking is doing little to help bolster protection, he argued.
“IT is an operational function; it’s not a strategic function,” Solski said. “At a strategy level, we’re handling it as an IT risk. This is at the heart of the problem,” he said, noting that senior leadership must own this risk.
“We’re throwing a lot of money at IT and security technologies to solve the problem, but the burner’s still hot. Every time we touch it, we keep getting burned. We have to stop doing this. We believe it’s because senior leadership does not own that level of exposure,” he said.
Cyber is actually a combination of IT risk and enterprise risk, what he defines as “something that can impact the business at all levels and cause significant harm to it, whether it’s financial harm or reputational harm.”
Solski noted that “cyber is a blend of people and technology. If you’re not addressing your people problem, you’re not addressing a huge problem,” telling attendees that most issues have some sort of human interaction.
“We’ve built these great big walls around our businesses,” Solski told attendees, citing such technology fixes as great firewalls and gateway controls. However, “why am I going to take a shot running at the castle when I can go for the village? Or get someone to open the door for me?”
Not only do staff need to be vigilant, so too do partners and supplier who “have privileged access into their systems,” he said.
“If you just focus on a slice of cyber, it’s not going to trickle down and improve controls,” Solski pointed out.
More coverage of the Emerging Issues Forum