Management
More than 317 million new pieces of malware were created in 2014. Photo: Reuters

A management guide to becoming cyber-attack resilient

Financial services firms need to step up their cyber-attack readiness plans

Most companies are increasingly turning to digital solutions to reduce costs, increase efficiency and enhance the customer experience – but these steps also increase their exposure to cyber risk.

Consider the facts: the number of data breaches globally rose 23 per cent in 2014. Five out of every six large companies (those with more than 2,500 employees) were attacked in 2014, a 40 per cent increase on the previous year. Small and medium-sized businesses also saw an increase, with attacks rising 26 per cent and 30 per cent respectively. More than 317 million new pieces of malware were created in 2014, meaning nearly one million new threats were released into the digital world each day.

According to the most recent data from security firm Symantec, 83 per cent of adults in China and 76 per cent in India say they have been victims of cybercrimes. There were more than 25 billion cyberattacks in 2014 in Japan, according to the country’s National Institute of Information Communications Technology. And in Hong Kong, while overall crime rates fell to a 10-year low in 2013, the police said that year that cybercrime cases, by contrast, grew by 70 per cent.

The costs of cyber attacks are also soaring – measured in loss of revenue, loss of customer trust and loyalty, and costs of litigation and higher insurance premiums. According to a global insurer, cyber attacks cost businesses as much as US$400 billion a year, including the initial damage as well as ongoing disruption. By 2020, research firm Gartner expects companies across the globe will spend about US$170 billion on cyber security, a growth rate of almost 10 per cent during the next five years. BITS, the technology policy division of the Financial Services Roundtable, reports that the demand for cyber security insurance increased by 21 per cent across all industries in 2014. Because many incidents go undetected and impacts may not always be immediately visible, the true scale of the problem is most likely even greater.

According to an Accenture Strategy survey, 67 per cent of bank executives and 59 per cent of insurance company executives globally report they experience significant cyberattacks daily or weekly. However, only 18 per cent of banks and 14 per cent of insurance companies said their organisation always incorporated measures into the design of their company’s technology and operating models to make them more resilient. So what does this mean for management teams?

In addition to increasing their barriers to protect against digital risks, firms need to increase their ability to bounce back from a cyber attack or security event and get back to business-as-usual as soon as possible. Cyber resilient firms will be better able to operate business processes normally while undergoing a threat or attack, while reducing harm to customers, reputational damage and financial loss.

That requires a four-step process: identify, prevent, detect and respond.

Identify – So-called “penetration testing” has become one way to proactively identify weaknesses in a firm’s cyber defence structures. Better information sharing is also important, as is advanced employee training to help more readily detect and be aware of cyber attacks such as phishing.

Prevent – Managers should ask: how do we control our environment? How do we ensure that proper systems are developed and reviewed to oversee operations? Are we doing enough pre-planning and regular testing of response plans?

Detect – This requires operational monitoring – aligning the tools to identify and detect threats along with their escalation and oversight.

Respond – This includes validating that the event is taking place and mobilising the response team as well as putting in place the firewalls and stopgap measures to make sure the exposure isn’t expanding. (This requires pre-planning and regular testing.) It also includes determining the timing for alerting authorities and regulators, as well as the firm’s external media team and carefully managing public relations.

Management cannot protect their firms at all times from the myriad of potential attacks through multiple channels. So putting in place structures, technologies and processes to build resilience – or fast recovery – is critical to operating effectively in today’s connected world.

Aliette Leleux is a managing director leading the finance and risk practice for Accenture across the Asia-Pacific region
