ANNUAL REVIEW
Cyber Security & Risk Management 2017
June 2017 | RISK MANAGEMENT
financierworldwide.com
Cyber security is one of the biggest corporate issues of our time. As the ‘WannaCry’ ransomware attack in May ably demonstrated, organisations of any size, anywhere, are vulnerable to attack. Though many companies have improved their cyber security defences in recent years, there is much more work to be done. Cyber criminals are becoming increasingly agile, sophisticated and specialised. It is up to companies to match the ambitions of cyber criminals and develop robust and resilient cyber risk management protocols and strategies.
UNITED STATES
Shahryar Shaghaghi
BDO USA
“As the ‘WannaCry’ cyber attacks proved, companies of any size, and in any industry, are potentially vulnerable. With more than 75,000 ransomware attacks in 153 countries, the world saw the wide scope and unpredictable consequences of a ransomware attack. The healthcare sector remains uniquely at risk to cyber incidents due to a variety of factors, including significant digital transformation in recent years, lack of focus and funding and resources to implement an effective cyber security risk management programme. Because many hospitals maintain and rely on end-of-life technologies, and may prioritise immediate access to data over data security, cyber criminals have found their systems easier to breach.”
CANADA
Ruth Promislow
Bennett Jones
“Employee error continues to play a central role in the cyber threats facing companies today. A company’s cyber security posture is only as strong as its weakest link, which threat actors will exploit. Unwitting employees clicking on malicious links or providing personal information through phishing or pretexting gives threat actors a way in. Employee error is typically linked to ransomware, which is emerging as one of the largest cyber threats facing companies today. The recent wave of ransomware attacks making its way across Europe and other parts of the world – ‘WannaCry’ – has yet to hit Canada.”
UNITED KINGDOM
Simon Calderbank
Tokio Marine HCC – UK
“The major cyber threat remains understanding the exposures and consequences a company could face when an incident occurs. Outside of $1bn turnover companies, there is still little work being done to understand the implications, financial or otherwise, of a cyber incident. As a result, there is often a lack of planning or strategy to rectify an issue when it occurs. This can allow small incidents to be inflated quickly, resulting in significant cost. This also manifests itself in insufficient employee training and knowledge about how their actions can impact the company – whether that be opening links in emails from unknown sources, inserting a random USB stick into systems, or other.”
FRANCE
Xavier Marguinaud
Tokio Marine HCC – France
“Companies can be their own worst enemies when it comes to vulnerability. One of the major threats companies face is when they underestimate their cyber exposure and do not delve deeply enough into the solutions they should implement. It is common to think ‘it will not happen to us, we are not interesting enough for hackers’ and to invest massively in technological solutions without taking into account the key role that employees play in strengthening – or weakening – cyber resilience.”
NETHERLANDS
Sandra Konings
BDO Advisory B.V.
“We should only be worried about the cyber threats to which companies are vulnerable and which have a negative impact on companies, such as the loss of production and service time or loss of sensitive data. The recent WannaCry attack in Europe showed that many companies are vulnerable to ransomware attacks using zero-day vulnerabilities in hardware or software, even when the patches have been available for weeks. This is a pattern we have seen for years. Even when sophisticated or state sponsored hackers attack companies to gain intellectual property, the first point of entering the system is usually a well-known and unpatched vulnerability.”
NORWAY
Chris Culina
BDO Norway
“You can never know or choose which threat actor you will be exposed to – the threat actor will make that choice for you. The number of incidents involving threats like ransomware and CEO fraud over the past year tells us that many companies are vulnerable to general threats. Sadly, if you are vulnerable to those threats, you are vulnerable to everything. We have recently seen targeted attacks from nation state actors and widespread ransomware campaigns. I would not say one is worse than the other. Both can seriously harm a company’s ability to carry on with its business.”
PORTUGAL
Leonor Chastre
Cuatrecasas
“Cyber attacks are an escalating and increasingly sophisticated threat. These attacks are evolving, spinning off new variants and extending their scope. First, companies should be aware that most cyber attacks, whether malicious or not, do not come from external agents but from insiders. Then, the new technologies behind digital transformation for businesses that are changing the way we work inevitably pose new threats. That is the case with enterprise mobility: as the use of enterprise connected personal and mobile devices becomes ubiquitous, new security risks that represent back door opportunities for cyber criminals arise.”
GERMANY
Dr Jochen Lehmann
GÖRG
“The major threats organisations are currently facing are attacks from outside of the company that capture whole IT landscapes. Recently, the ‘WannaCry’ virus infected hundreds of thousands of servers and even affected train traffic in Germany. On a smaller scale, companies are often confronted with ransomware and the problem of whether they should pay up or try to fight the virus. And, finally, the ‘fake president’ trick seems to still be working.”
ITALY
Alfredo Gallistru
PwC
“Cyber security threats are constantly evolving and are becoming more sophisticated with each new attack forcing organisations to increase their levels of protection. However, what makes this evolving environment more challenging is that businesses are up against a host of different attackers, for example, nation states, organised crime groups, hacktivists and insiders, who are highly skilled and armed with very sophisticated tools. Many of the major cyber threats companies face include: insider theft of intellectual property due to data exfiltration; loss of money due to ransomware attacks; loss of reputation and market share due to denial of service attacks (DoS); and the theft of personal data, due to advanced persistent threats (APT).”
TURKEY
Burç Yildirim
Deloitte Turkey
“We are seeing a significant increase in cyber attacks across the world, and the level of sophistication of these attacks is progressing in tandem with Moore’s Law. The threats that these attacks pose to target organisations are not random. Effective defence against these issues requires a deep understanding of the actors, their sophistication and their motives. Different actors function differently and use a variety of techniques to exploit weaknesses in cyber defences. Organised crime is becoming a frequent threat actor against modern companies. Nation-state actors are more interested in companies operating in critical infrastructure.”
ISRAEL
Ophir Zilbiger
BDO Consulting Group
“The WannaCry attack represents a new wave of threats derived from ‘weapons grade’ cyber attack tools. It is based on the leaked NSA arsenal of cyber weapons and demonstrates the level of threat state-sponsored cyber attack represents. Though it was all over the news, it had a limited impact on organisations in Israeli systems and around the world. It did serve as a wakeup call for raising the awareness of executive and operational management to cyber risk. Current cyber threats applicable to companies can roughly be divided into two groups: cyber crime and state sponsored. Cyber criminals are mostly looking for ways to make money.”
JAPAN
Takashi Nakazaki
Anderson Mori & Tomotsune
“Traditionally, Japanese companies have been confident about their ability to thwart cyber attacks, but this confidence is wavering. In recent years, many Japanese companies have been victims of cyber attacks perpetrated by external hackers and data theft carried out by current and former employees. 2015 saw a significant cyber attack and the Japan Pension Service suffered a highly publicised data breach after an employee opened a phishing email containing malware that attacked the department’s network. In 2016, a record 128.1 billion cyber attacks against networks in Japan were detected, more than double the previous year, according to a recent survey by a public research institute.”
AUSTRALIA
Leon Fouche
BDO Australia Ltd
“Instances of confidential data disclosure in the healthcare sector and unavailability of internet connected services within the Australian federal government have been widely publicised. Unfortunately, the frequency of such events is increasing and eroding the general public’s trust in internet connected services. Cyber attacks against small to medium size businesses (SMEs) are also of concern, but this activity is receiving less publicity. In most cases the aim of such attacks is to steal intellectual property or disrupt business operations. The impacts are often significant for the SME due to lost commercial opportunities or the eradication of the business’s market advantage.”
NIGERIA
Joseph Tegbe
KPMG Nigeria
“The cyber threats faced today by companies are similar across sectors and geographies. Rapidly evolving business ecosystems, as a result of the convergence of digital technologies, are expanding the cyber attack surface for cyber criminals. However, cyber threats are not conventional, neither are threat actors. These threats include denial or disruption of service, phishing, ransomware, cyber espionage, sabotage and hacktivism. According to a World Economic Forum Global Risk Report, ‘The internet has opened a new frontier in warfare: everything is networked and anything networked can be hacked’.”
SOUTH AFRICA
Graham Croock
BDO South Africa
“The most significant cyber threats that parties are experiencing are ransomware attacks via social engineering schemes. These are perfectly avoidable attacks that require employees to be vigilant when responding to or actioning emails. There are also a vast number of organisations that are of the belief that their infrastructure and networks are secure, only to discover after a vulnerability and penetration test that they are in actual fact open and vulnerable to outside attackers who are able to access extremely sensitive information and, more often than not, violate the organisation in more malicious ways.”
CONTRIBUTORS
Anderson Mori & Tomotsune
BDO Advisory B.V.
BDO Australia Ltd
BDO Consulting Group
BDO Norway
BDO South Africa
BDO USA
Bennett Jones
Cuatrecasas
Deloitte Turkey
GÖRG
KPMG Nigeria
PwC
Tokio Marine HCC – France
Tokio Marine HCC – UK