Risk Management Advisory © 2020 Victor Insurance Managers Inc.
A New Perspective on Cyberrisk
All too often when we think about cybersecurity and cyberrisk, our thoughts turn to security technology. The reality is that cyberrisk isn’t solved by security technology alone. Employee knowledge, processes, culture and technology combined will help to build a strong defence against data loss and its unexpected financial impact.
The majority of cybersecurity incidents are the result of someone falling victim to an online scam, such as fraudulent email or surfing the web on an unsecure or unprotected device. And, most cybersecurity events can be prevented—if the organization takes a proactive approach.
Everyone Is a Target
Cyberrisk is a rising and material issue not only for Canada’s largest enterprises, but for every business of every size, from small businesses of less than 100 employees to medium-size enterprises of several hundred employees in manufacturing, technology, retail, financial services and more.
That’s because cybercrime has become a profitable business model for organized criminal groups around the world and because the tools to commit online crimes are readily available—at a low cost and with full support.
Researchers are estimating that the global economic impact of cybercrime will rise from $500 billion in 2017 to more than $2 trillion by 2021. Meanwhile, spending on traditional approaches to cybersecurity is expected to rise from $80 billion to more than $1 trillion over the same period.1
The experts’ predictions mean that, globally, we’ll be spending more than ever before on cybersecurity yet lose more to cybercriminals and other actors than ever before.
What Can Organizations Do to Prevent Loss?
While investments in security tools, such as anti-virus and firewall technology, are important, tangible risk reduction requires an embedded culture of security within your organization.
- Educate employees about cyberrisk
- Regularly inform and engage senior management and boards in discussions about cyberrisk
- Make the right investments of time and money in improvements to policies, processes and technology
Building a culture of security and reducing your cyberrisk will require your organization to improve its awareness, processes and policies. One of the first things you should do is ensure every employee has a basic knowledge and understanding of cyberrisk, how their inadvertent actions can lead to issues and the importance to your organization.
One approach is to use an external cybersecurity expert or firm to create and support an effective cybersecurity program, but this can be costly. Another alternative is security awareness technology, which can be used to educate employees through online courses and simulated attacks to test their knowledge. The technology can also monitor awareness and behaviour on an ongoing basis, all with a minimal burden on technology teams and resources.
The rationale for this approach is report after report on cyberattacks show a clear pattern. The overwhelming majority of successful cyberattacks are the result of social engineering (i.e., phishing and other electronic scams) which exploit unsuspecting employees, contractors or others associated with the organization. Simply put, cybercriminals know it’s far easier to manipulate human emotions—fear, greed, lust, anger and curiosity—than it is to hack computer systems.
1,2 CSO, June 2017, online: http://www.csoonline.com/article/3153707/security/top-5-cybersecurity-facts-figures-and-statistics-for-2017.html