A matter of cyber risk management culture

People and processes are key to addressing cyber risks, including the growing problem of ransomware, according to Oliver Delvos, global cyber underwriting manager at Zurich Insurance Group

Cyber risk is growing more complex and challenging by the day. New technologies, the move to cloud services and the acceleration of digitalisation and remote working increase our reliance on technology and create new vulnerabilities. At the same time, the threat from cybercriminals and nation states grows ever larger, with paralysing ransomware attacks, data breaches and outages.

Ransomware, in particular, has become a major problem. July started with a significant attack on Kaseya, affecting many of its customers worldwide. In May, the Colonial Pipeline ransomware attack caused one of the biggest critical infrastructure outages in recent history, temporarily shutting down a pipeline that delivers 45% of fuel supply to the US east coast. Recent ransomware attacks also include those against US meatpacking plants owned by JBS, the Irish healthcare system and Japanese technology firm Fujifilm.

People and process
Unfortunately, there is no ‘silver bullet’ technology solution to problems like ransomware. Technology is just one of the three pillars of cybersecurity, with people and process being equally important. Arguably, processes and corporate culture have a more significant impact on resilience than spending vast sums on technical solutions.

Analysis of cyber incidents consistently shows the critical role that people and processes play in cyber attacks, large and small. According to Verizon’s 2020 Data Breach Investigations Report, 85% of data breaches involved a human element, with more than one in five incidents the result of a mistake made by an employee. Almost a quarter of data breaches involved social engineering, while one in 12 breaches is caused by a member of staff using information improperly, namely privilege abuse or ignoring access policies.

Back to basics
As a cyber insurer, we see many companies continuing to miss the basics of good cyber hygiene. For example, some companies have yet to roll out multifactor authentication throughout the entire organisation. Backing up critical assets offsite or having adequate privilege access controls in place are other procedural basics. Interestingly, we still see regional differences in cybersecurity and risk culture, with adoption of best practices typically slower in Europe than the US.

Yet, these simple processes can make all the difference. The Colonial Pipeline attack, for example, was facilitated by a compromised password. Early this year, we observed that some companies had yet to implement security patches for a Microsoft Exchange Server vulnerability, weeks after critical vulnerabilities became public and emergency patches were available. Such situations are a race against time, where organisations must implement emergency procedures more quickly than hackers can exploit newly discovered vulnerabilities.

Cyber risk culture
While human error is often a driver for severe incidents, a strong cyber risk culture – with a focus on people and processes – can have a positive impact on business resilience. For example, good training and employee awareness campaigns can have a positive effect on reducing business email compromise and phishing attacks. People and processes are also critical to addressing the growing problem of ransomware, where tested incident response plans are critical.

Businesses cannot avoid ransomware or sophisticated targeted cyberattacks, but they can reduce the risk and mitigate the impact. Weak user credentials, phishing and improperly managed access controls make a ransomware attack more likely, while gaps in business continuity planning and disaster recovery will make attacks more severe.

However, organisations can mitigate the financial and reputational impact of a ransomware attack by ensuring they have up-to-date backups and that they regularly test disaster recovery plans. Crisis communication plans are also key to mitigation: How does the business intend to liaise with affected customers after a breach? How will collaboration with regulatory bodies work? Which statements will be given to the media, and when?

Emerging technology risks
The two pillars of people and process are set to become even more relevant with the drive for digitalisation, new technologies and regulatory changes. A growing number of countries are implementing stringent data protection and privacy laws, while business continuity is also under increasing regulatory scrutiny, especially for financial services and critical infrastructure. In particular, cloud services typically see organisations outsource parts of the IT environment, yet ownership of data, and the associated liabilities, remain with the data owner.

In general, cyber risk management and governance have struggled to keep pace with advances in technology, even before Covid-19 accelerated the trend for digitalisation and remote working. Under the competitive pressure to adopt new technologies – such as artificial intelligence, biometrics, IoT and cloud computing – it is important not to lose sight of the people and process implications, as well as the technical elements of cybersecurity.

New technology will require evolving and flexible governance and risk management frameworks. For example, ‘deep fake’ video and audio technologies could be used for social engineering, to commit fraud, or to gain access to personal information and protection systems. The growing use of the cloud and reliance on external IT services and vendors will require detailed governance and management frameworks. The recent attacks on SolarWinds and Kaseya are stark examples.

Risk management focus
As the cyber insurance market matures, insurers have increased their focus on cyber risk management and governance as part of the underwriting process. Companies that can demonstrate a strong risk culture and robust cyber risk management – in particular around people and process – will be in the best position to purchase cyber cover and full limits.

A number of insurers are also developing specialist cyber risk engineering services to help customers manage cyber risks and build resilience, including practical advice on people and process. For example, Zurich’s recently launched Zurich Resilience Solutions offers a range of risk management services for cyber, while Zurich Cyber Security Services, a strategic agreement with cybersecurity firm CYE, supports companies throughout their cybersecurity journey from assessment to remediation plan, accompanied by strategic consulting.

The importance of people and process in building cyber resilience cannot be overemphasised. These two pillars are at the heart of addressing growing cyber exposures, a point that can be overlooked among the excitement of new technologies and the dash for digitalisation.

Contributed by Oliver Delvos, global cyber underwriting manager at Zurich Insurance Group