A Game Of Cat And Mouse: Outpacing Cyber Threats Across Industries
Industry leaders in life sciences, financial institutions, technology, media and communications and food, agribusiness and beverage face a surge in cyber threats and data breaches.
Grappling With the Risks and Rewards of Digital Agility
Aon’s recent Global Risk Management Survey highlights cyber threats as the number one risk faced across industries.1 Threats such as business email compromise, supply chain disruption, and sophisticated malware such as ransomware attacks, leave no organization – regardless of size or industry sector – exempt from cyber risk. And the risks are only compounded by the need to delicately balance the rewards and efficiencies of digital agility in a volatile market with the need for enhanced network visibility and security controls. Whether organizations accelerate rapidly through regulatory pressure, competitive motivations, or in response to environmental crises, they must assess their digital capabilities and cyber resilience to mitigate against the exposures created by change.
For many organizations in industries with significant potential for data exposure, the threat of regulatory penalties and potential reputational damage necessitates a high-level baseline of cyber maturity. In turn, this forces the need for continual iteration of digital infrastructure and security controls to combat increasingly adept hackers. But when organizations go too far or too fast in digital agility, their business infrastructure can become entirely based around complex supply chains, creating many gateways for security threats. Organizations that digitally accelerate by partnering with multiple external technology partners and third-party vendors may be putting their digital security at heightened risk, which must continually be mitigated. Unforeseen external factors such as global pandemics or uncertain geo-political climates also contribute to cyber risk and may accelerate digital transformation programs – creating additional threats to organizations with less mature digital infrastructure and cyber hygiene.
This article explores how these challenges are explicitly impacting the life sciences, financial institutions, technology, media and communications and food, agribusiness and beverage sectors.
Life Sciences — Security is the Best Treatment
Top 20 global Fortune 500 pharmaceutical companies reveal that total data breaches and exposed records have significantly risen since 2020.2
Characterized by complex global supply chains, analytics firms, and clinical research organizations, the life sciences industry faces a multitude of cyber risks which often result in the targeting of critical data by threat actors.
Exfiltration of sensitive information and theft of intellectual property is a top concern in the life sciences sector, whether those threats come from malicious insiders, hackers affiliated with government or activist groups, or ransomware. After experiencing an uptick in mergers and acquisitions in recent years, the sector also faces security risks around migration of data when consolidating systems. But the risk is not just financial. Cyber security breaches in medical device and MedTech organizations can be life-threatening to those who need immediate or constant supply of equipment, such as pacemakers and insulin pumps.
For the life sciences industry, these concerns are not new. Many industry-leading companies have already pushed for significant investment in cyber security, including advanced tooling, as well as investments in people, development of processes and other resources. But there remains more work to be done for companies wanting to stay one step ahead of dangerous threat actors.
Services such as Red Team Testing and Adversary Simulation (along with traditional penetration testing) can help simulate an actual cyber attack and support the identification of threats and vulnerabilities before they become a reality. An organization’s security controls – especially those newly implemented – must be validated through testing and assessment. Insider risk assessments are also recommended to assess and mitigate the growing threat of malicious intentional insider threat actors.
Financial Institutions — Tight Measures for Valuable Data
Cybercrime is predicted to cost the world $8 trillion in 2023.3
Amid inflation, a climate crisis and extended economic contraction, financial industry leaders single out cyber threat as the most serious threat to financial institutions (FIs) and the wider banking system. As financial institutions are bombarded with attacks and breaches, they face frequently amended regulations which aim to establish heightened standards of cyber security and incident response.4
The intrinsic need for better cyber security in the FI industry is the primary driving force for its development. Given the significant volume of confidential personal identifying information and valuable financial data stored electronically, FIs have traditionally been subject to some of the most stringent regulatory requirements governing the privacy and protection of data. And the consequences of failing to adhere to these requirements continue to grow. Federal and state regulators are increasing the use of fines, penalties, and in some cases, criminal prosecution if organizations fail to comply and maintain adequate cyber security controls. This puts a significant pressure on organizations to implement cyber security measures that are continuously updated to comply with regulations as well as current cyber security best practices.
But for financial institutions, the reputational risk of a cyber event can dwarf even the most significant of fines, as the safety of assets is the foundation of any bank’s value proposition. Outside of the typical security controls, FIs often lead industry adoption of new cyber security trends, while striving to be regulatory compliant, avoid fines, and keep capital secure. FIs embracing innovation are looking towards hybrid architectures leveraging cloud-based solutions. But the migration to cloud or software as a service (SaaS) based services, rather than keeping information in house, may expose companies to a greater risk of cyber threats and data breaches.5
As with any technology innovation, the overall convenience and benefit of introducing new solutions to manage security while enhancing the consumer experience can also introduce new risks. Frequent assessments should be conducted by FIs to address cloud security infrastructure as well as third party assessments to examine the cyber security controls of vendors, suppliers, and partners. With constant evaluation of cyber security solutions, FIs can turn security threats into an opportunity for overall better cyber maturity.
Technology, Media and Communications — Calling for Better Security Systems
Almost three-quarters (73 percent) of Technology, Media and Telecommunications organizations expect cyber security and data disputes to present a risk to their organization in 2023.6
Systemic risk is one of the most critical concerns in the technology, media and communications sector as technology companies continue to grow and develop their service offerings. As technology companies are highly integrated with many buyer and partner systems, exposure is heightened due to internal systems being interconnected with third party vendors. Technology, Media and Communications (TMC) organizations need to maintain advanced cyber risk controls to adhere to customer expectations and avoid reputational risks. As consumer competition is rife, customers will simply switch devices or providers if they believe their privacy data is at risk. Application testing and source code review can help companies in the TMC sector identify potential “bugs” and vulnerabilities that could put customer data at risk.
The TMC sector is especially vulnerable to major exposures attributable to distributed denial of service, malware and privacy breaches. Whether infiltrating SaaS products or stealing IP, attackers prey on intimately ingrained customer systems and network integration, data sharing, operational supply chain or the product outsourcing functions of organizations. This industry also faces pressures from insurers who are strict on best-in-class controls, including heightened scrutiny around network monitoring and privileged access management.
Ensuring the strength and effectiveness of not only internal network security but also the security of critical vendors and supply chain ecosystems is an important focus area across the TMC sector. It’s important to find a balance of security controls that allow organizations to have clear visibility across their cyber risk, whether the build-out of services is managed in-house or utilizing the support of third party vendors. All resources should be trained on security best practices, and frequent assessments and check-ins should be conducted with internal and external resources to ensure that all applicable security policies and procedures are followed.
Food, Agribusiness and Beverage — Protecting the ‘Secret Sauce’
The Institute of Food Technologists conclude that the food and agriculture system needs to address gaps in cyber security education, investment and transparency.7
Often viewed as a hazard class of business from insurers, underwriting scrutiny and pricing can be higher in the Food, Agribusiness and Beverage (FAB) sector than in other industries. This can lead to organizations facing a dilemma when it comes to business capital. In this sector, we often see a more conservative implementation of cyber security measures, which many times is met with heightened scrutiny of their organizational security controls by insurance carriers to even be considered for coverage. This forces businesses to then reassess their conservative position on the overall cyber program, and leads to a rapid bolstering of their cyber protection credentials in order to be deemed insurable.
There are many risks that can arise from the FAB sector’s class of business. Certain clients have significant IP in their recipes and formulations, which needs to be evaluated from a strategic perspective when considering protection of brand reputation. In addition, supply chain vendors, automated systems for distribution, internal invoicing and customer information are all at risk of being disrupted and encrypted by threat actors– leading to large business interruption costs. This risk is further compounded by the fact that many FAB organizations are dependent on legacy systems which may be at – or beyond – end-of-lifecycle and particularly vulnerable to attack.
FAB sector supply chains are often global, highly complex, and heavily automated with high stock keeping unit volumes. Often operating on enterprise resource planning platforms such as Oracle and SAP with built in lean/Just-In-Time processes, FAB organizations face disruption due to infiltrating digital supply chain information and ransomware attacks. These types of unexpected disruptions are an industry-wide concern, with unplanned downtime estimated to cost organizations $260,000 per hour, with some organizations reporting 800 hours of downtime annually.8
Due to high-profile ransomware attacks in recent years, FAB organizations are waking up to the necessity of upgrading their internal cyber security controls. But the growing sophistication of threat actors demands that progress should be made at a significant pace.
Base level security controls such as endpoint detection and response and multifactor authentication should be added and fine tuned to an organization’s specific environment. Similarly, FAB organizations should confirm the existence of specific incident response (IR) plans addressing what to do in the event of a cyber incident and updating, where appropriate. Conducting Employee Training/Phishing Simulations and continuously testing their systems and controls through Table Top Exercises, Penetration Testing and Threat Hunts also helps businesses to be more resilient to attacks. Not only will the enhancement of security controls aid in fending off and mitigating a cyber attack, it will also help FAB organizations better their position for coverage in a challenging cyber insurance market.
Planning Your Next Move In Cyber Security
Regardless of industry, organizations need strategies and effective skills in order to both simulate cyber threats and defend against them. Training employees on how to approach and respond to cyber challenges, while also gaining a comprehensive insight into the exposures of the business, will better enable organizations to acquire the right coverage. Accessing the right talent and insurance will mitigate risk – protecting businesses from present and future exposures.
Despite their respective level of cyber maturity, all organizations face growing challenges around the assessment of digital infrastructure, transfer of data, as well as the reality of cyber attacks and ability to recover. Businesses should engage in continuous review, improvement, and investment in security – guided by data – to gain a head start in the race for better cyber solutions.
In volatile markets, businesses cannot afford to stand still and leave behind the opportunities emerging technology presents to increase market access and improve efficiency. Instead, they must find a steadiness to their pace of technological change that enables them to manage the significant cyber risks along the way. Collaborating with an experienced global consultancy enables organizations to achieve industry-leading protection and readiness against cyber threats across geographies, industries and projects.
Organizations must give attention and consideration to:
- Incident response
- Insider threat risk assessment and robust testing
- Proactive services to mitigate the risk of cyber attack
- Preparedness and management of ransomware, malware and wire fraud attacks
- Improved risk allocation via a combination of cyber consulting and risk transfer through insurance options
- Developing employee value propositions and innovative digital recruitment processes to assist with cost-effective acquisition of diverse technology talent necessary to protect assets
As organizations face cyber threats, business and IT leaders are under increasing pressure to maximize return on security investment. Organizations have the responsibility to not only put cyber solutions in place to protect their business, but also to ensure the security of their people and customers.
How Aon Can Help
Cyber Loop Methodology
Cyber Threat Hunting
Adversary Simulation
Featured Topics on Cyber Resiliency
1 Aon’s Global Risk Management Survey
2 Aon’s Managing cyber risk in Life Science organisations – a survival guide
3 Cybercrime To Cost The World 8 Trillion Annually In 2023, Cybersecurity Ventures, October 2022
4 New York State Seeks to Raise the Bar on Cybersecurity for Financial Services Providers, Including Certain Fintech and Cryptocurrency Companies, Lexology, November 2022
5 Cloud computing dependence imperils banks, FT, November 2022
6 Cybersecurity and data are key disputes concerns in 2023, BakerMcKenzie, January 2023
7 Cybersecurity in the food and beverage industry: A reference framework, Science Direct, October 2022
8 The Hidden Cost of Downtime in Food Processing, Worximity, October 2021
General Disclaimer
The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
Terms of Use
The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.
Aon's Better Being Podcast
Our Better Being podcast series, hosted by Aon Chief Wellbeing Officer Rachel Fellowes, explores wellbeing strategies and resilience. This season we cover human sustainability, kindness in the workplace, how to measure wellbeing, managing grief and more.
Aon Insights Series Asia
Expert Views on Today's Risk Capital and Human Capital Issues
Aon Insights Series Pacific
Expert Views on Today's Risk Capital and Human Capital Issues
Aon Insights Series UK
Expert Views on Today's Risk Capital and Human Capital Issues
Construction and Infrastructure
The construction industry is under pressure from interconnected risks and notable macroeconomic developments. Learn how your organization can benefit from construction insurance and risk management.
Cyber Labs
Stay in the loop on today's most pressing cyber security matters.
Cyber Resilience
Our Cyber Resilience collection gives you access to Aon’s latest insights on the evolving landscape of cyber threats and risk mitigation measures. Reach out to our experts to discuss how to make the right decisions to strengthen your organization’s cyber resilience.
Employee Wellbeing
Our Employee Wellbeing collection gives you access to the latest insights from Aon's human capital team. You can also reach out to the team at any time for assistance with your employee wellbeing needs.
Environmental, Social and Governance Insights
Explore Aon's latest environmental social and governance (ESG) insights.
Q4 2023 Global Insurance Market Insights
Our Global Insurance Market Insights highlight insurance market trends across pricing, capacity, underwriting, limits, deductibles and coverages.
Regional Results
How do the top risks on business leaders’ minds differ by region and how can these risks be mitigated? Explore the regional results to learn more.
Human Capital Analytics
Our Human Capital Analytics collection gives you access to the latest insights from Aon's human capital team. Contact us to learn how Aon’s analytics capabilities helps organizations make better workforce decisions.
Insights for HR
Explore our hand-picked insights for human resources professionals.
Workforce
Our Workforce Collection provides access to the latest insights from Aon’s Human Capital team on topics ranging from health and benefits, retirement and talent practices. You can reach out to our team at any time to learn how we can help address emerging workforce challenges.
Mergers and Acquisitions
Our Mergers and Acquisitions (M&A) collection gives you access to the latest insights from Aon's thought leaders to help dealmakers make better decisions. Explore our latest insights and reach out to the team at any time for assistance with transaction challenges and opportunities.
Navigating Volatility
How do businesses navigate their way through new forms of volatility and make decisions that protect and grow their organizations?
Parametric Insurance
Our Parametric Insurance Collection provides ways your organization can benefit from this simple, straightforward and fast-paying risk transfer solution. Reach out to learn how we can help you make better decisions to manage your catastrophe exposures and near-term volatility.
Pay Transparency and Equity
Our Pay Transparency and Equity collection gives you access to the latest insights from Aon's human capital team on topics ranging from pay equity to diversity, equity and inclusion. Contact us to learn how we can help your organization address these issues.
Property Risk Management
Forecasters are predicting an extremely active 2024 Atlantic hurricane season. Take measures to build resilience to mitigate risk for hurricane-prone properties.
Technology
Our Technology Collection provides access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities of technology. Reach out to the team to learn how we can help you use technology to make better decisions for the future.
Top 10 Global Risks
Trade, technology, weather and workforce stability are the central forces in today’s risk landscape.
Trade
Our Trade Collection gives you access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities for international business. Reach out to our team to understand how to make better decisions around macro trends and why they matter to businesses.
Weather
With a changing climate, organizations in all sectors will need to protect their people and physical assets, reduce their carbon footprint, and invest in new solutions to thrive. Our Weather Collection provides you with critical insights to be prepared.
Workforce Resilience
Our Workforce Resilience collection gives you access to the latest insights from Aon's Human Capital team. You can reach out to the team at any time for questions about how we can assess gaps and help build a more resilience workforce.
More Like This
-
Article 8 mins
U.S. Rail Sectors Work to Mitigate Capacity and Pricing Risk Issues
U.S. freight and commuter rail industries are facing excess liability and property issues for different reasons. These railroads are critical to infrastructure and vital to the economy, yet finding effective solutions remains complex.
-
Article 11 mins
D&O Risks and Considerations for Businesses Planning an IPO
As private companies prepare for an IPO, they face increased risks that require directors and key leaders to adopt essential risk management strategies to ensure a smooth transition.
-
Article 10 mins
How Public Entities and Businesses Can Use Parametric for Emergency Funding
As climate change intensifies the frequency and severity of extreme weather events, public entities and businesses need more flexible funding solutions. Parametric stands out as an adaptable resource capable of swiftly responding to potential disasters.