Stop falling for the ‘not me’ myth: why cyber risk is business risk

The recent data breach experienced by Liberty is very telling. Over 40 terabytes – the equivalent of 20 modern portable hard drives – was copied from the financial provider’s systems. These details are important for two reasons:

Liberty is a financial provider and thus subject to specific security-related regulations. It is very unlikely, given the trends in the sector, that Liberty failed to implement or comply with these.

Copying that amount of data could not have happened quickly and should have been detected. This suggests either a gross failure of security monitoring or a well-planned intrusion carried out over a long period of time. Let’s give Liberty the benefit of the doubt and assume the latter.

We can deduce from this that Liberty was not caught unprepared, yet it was nonetheless breached and data was stolen. If you are still of the opinion that this couldn’t possibly happen to your business, you are in worse shape than you can imagine. Even the best-prepared companies can become successful targets for cybercriminals and aggrieved employees, not to mention disasters such as fires and floods destroying key technology assets.

Yet this ‘not me’ myth persists, usually because companies have little concept of what their cyber risks are. The attitude is compounded by communication gaps and cultural resistance to the digital sea change, said Johan Botha, Managing Director of risk training and consultancy provider Analytix:

“Boards of Directors and business executives expect to be informed about cyber risk. However, very few of them seem to be getting the answers they want. Too often, cyber risk reporting is filled with technical jargon and colourful but hard-to-understand charts. Those responsible for cybersecurity – from the CEO on down to cybersecurity and risk managers – are urgently looking for better ways to measure risk and enable well-informed decision-making.”

The overall governance of cyber risk is undergoing a deep transformation. Boards and executives can no longer delegate risk decisions to IT and expect IT to ‘own’ cyber risk. Risk Officers, Information Security Officers and other risk and security professionals must use the power of cyber risk management to deliver value and influence business decisions.

Cyber insurance is increasingly used to mitigate cyber risks. However, it is telling how insurance around cyber risk is determined. This is still often done in a generic fashion, utilising standard questionnaires that rely on assumed exposure with scant understanding of the controls employed or their effectiveness. Little credence is given to the fact that a given company will have many individual cyber domains and components that combine to create a unique picture.

This is a stark departure from homogenised treatments of cyber risk and something companies are ill-equipped for, said Riaan Bekker, Force Solutions Manager at thryve, a provider of modern risk integration software solutions:

“Most companies are unprepared for the scope required to make sense of cyber risk. They think that meeting compliance is enough and keep the topic as a separate discussion to strategy. But even when those attitudes change, it’s a challenge to adopt the new mindset.”

Implementing that change requires investments in both culture and technology. But it cannot be ignored. As Liberty’s case proves, even being prepared is no guarantee that disaster won’t strike. Nobody should believe the ‘not me’ myth. No matter how well a ship is built, it can still get a hole in its hull. But the ship that never factored in that risk is the one that sinks.

Don’t think it can’t happen to you. Unless you treat cyber risk as business risk, articulate it in business language, invest in cultural transformation and deploy technologies to help all of those come into being, you are gambling with the future of your business.