Cyber Attacks: How to Rapidly Detect, Respond and Contain Damage
A closer look at the most common causes of cyber attacks and how to stay protected in an increasingly digitised world.
In the face of rising inflation and an ongoing energy crisis, leaders still recognise cyber attacks as one of the top five threats to their business. According to Aon’s Executive Risk Survey 2022, 40 percent of business leaders are focusing their efforts on managing cyber risk. Despite the urgent challenges this brings to the table, leaders are not pulling back on cyber preparedness.
Emerging Cyber Security Threats
As many as 83 percent of organisations have experienced more than one data breach in their lifetime, averaging upwards of US$4 million in damages. Even sophisticated security measures are falling short and quickly becoming obsolete as attackers continue to adapt and evolve. Once a breach occurs, it can often remain undetected for long periods, taking an average of nine months and causing significant damage in the meantime.
Threat #1: Social engineering attacks
Phishing, business email compromise, third-party software vulnerabilities, and stolen or compromised credentials were the costliest cyber threats for businesses in 2022, totalling about US$20 billion and resulting in business interruption losses, infrastructure destabilisation, private data leaks, theft of proprietary information, loss of reputation, and much more.
Threat #2: Evolving work models
Forbes estimates that by 2025, 70 percent of the workforce will be working remotely at least five days a month. Such rapid digital evolution of business models across all industries has made cyber risk a persistent threat to the ‘new normal’.
Threat #3: Interconnected risks across business ecosystems
Businesses are now exposed to rising interconnected risks not just from within an organisation’s own network, but also countless vulnerabilities in a complex ecosystem of physical and digital vendors, partners, supply chains, and even open-source code.
Regulation Responds
As the cyber threat landscape evolves, governments around the world are responding by introducing or tightening regulation to make sure businesses and organisations take action to protect themselves. In the EU, for example, steps have been taken to strengthen cyber security rules across member states with the introduction of the Network and Information Security (NIS2) Directive.
This replaces the 2016 NIS Directive and aims to ensure a “high common level of cybersecurity across the EU’s Member States” by further strengthening cyber security requirements for critical infrastructure and for those industries and organisations that are indispensable to the functioning of the economy. The directive will affect many more organisations, with significant penalties for non-compliance.
NIS2 was ratified on 16 January 2023, and all of the EU’s member states must ensure it becomes law by 17 October 2024. For businesses in the UK, the EU law will not be implemented, but an expansion of the UK NIS Directive is expected to cover similar areas to NIS2. UK businesses that operate within the EU will have to comply with NIS2 to show consistent levels of cyber security standards.
Read our guide to make sure your organisation is cyber ready for NIS2.
How to Embrace Risk and Build Cyber Resilience
Top business leaders know that now is not the time to slash cyber security budgets, with 69 percent of organisations planning to increase their cyber security spending. For 90 percent of well-prepared leaders, the current economic climate has increased their appetite for addressing risk.
Because vulnerabilities exist inside and outside an organisation, fully addressing cyber risk requires an enterprise-wide, cross-functional approach that extends beyond its network perimeter. In addition to the Chief Information Officer and Chief Information Security Officer, cyber security should be the responsibility of executive level and departmental leaders.
A strategic and integrated approach involves pre-defined roles and cross-functional communication across the organisation, with the aim of building organisational resilience as opposed to preventing incidents.
Strategies Should Encompass:
1. Cyber security and phishing training for all employees. Create a cyber secure culture where enterprise security is the responsibility of all technology users, and train employees to spot and report suspicious incidents.
2. Multifactor authentication and limited access controls. Add additional requirements to the login process to limit the damage of stolen credentials, segment the network to reduce the spread of malware, and limit access privileges.
3. IT security controls, software patching, detection tools. Ensure all systems are up to date, vulnerabilities are patched, detection tools and alerts are properly configured, and all activity is logged.
4. Involving incident response and functional experts. Hire professional cyber threat hunters who are trained to anticipate situation-specific threats, and pre-arrange digital forensic experts, legal counsel, crisis communicators, and ransom negotiators.
5. Threat hunting, threat intelligence, and supply chain due diligence. Systematically hunt generic and targeted threats within the network, test third-party software, and monitor the deep and dark webs for threats and leaked assets.
6. Vulnerability testing and attack simulations. Stage simulated attacks using real-world breach techniques to evaluate the organisation’s ability to prevent, detect, and respond to threats, and use metrics to inform cyber security strategies and budgets.
7. Business continuity, disaster recovery planning, and third-party risk management. Regularly review and update incident response playbooks, business continuity plans, and disaster recovery plans, test response through realistic simulations, enforce third-party risk assessments, and hold post-incident reviews.
Cyber Resilience Strategy Must Work Hand-in-Hand With Risk Transfer and External Counsel
Even the best precautions can fail to keep attackers permanently at bay. Traditionally considered to have secure and protected systems, the financial sector was particularly prone to cyber attacks in 2022, including outages at ANZ bank in New Zealand and attacks on the Japanese cryptocurrency exchange Liquid. Globally, there were various high-profile incidents of bank theft using the SWIFT electronic payment messaging network. The Sunburst hack of 2020 also shows how a backdoored software supply chain compromised organisations with best-in-class cyber security practices. These included key US government agencies as well as Microsoft, Intel, the cyber security firm FireEye, and more.
Because cyber attacks can never be fully prevented, no cyber resilience strategy is complete without risk transfer. This involves assessing and quantifying the organisation’s cyber risk exposure and risk tolerance and incorporating these into long-term strategy. Appropriate cyber insurance coverage can then be obtained for areas such as indemnification for loss, liability, regulatory omissions, physical damage, and more. This approach also reinforces the corporate risk management mindset and influences cyber security controls and best practices across the organisation.
Another key differentiator in leaders’ quest for sustained cyber resilience is a willingness to engage a good external advisor or consultant to help make better decisions and address risk. Resisting the impulse to delay capital investment in response to short-term risks, well-prepared leaders are open to bringing in consultants to help strengthen an organisation’s response to real-world threats.
Today’s business risks are interconnected, challenging leaders to respond to emerging threats with agility. Only in addressing top risks such as cyber security can organisations head into uncertainty with confidence.
For more information on cyber risk, download our full 2022 Executive Risk Survey.
Sources:
1. IBM’s 2022 Cost of a Data Breach Report
2. Office of the Hong Kong Government Chief Information Officer