Cyber Security – the New ‘Top Risk’ for your Shared Services?
The Cyber threat is alive and well for those not paying attention
Over the last few weeks, I have had the opportunity to attend and speak at several academic and executive leadership events. The one agenda item that all of them had in common was cyber security. And while I would consider myself pretty aware of the impact on business as a result of a cyber attack, some of the case studies and statistics provided were very scary. Here are a few that came out during the events I attended.
The World Economic Forum (WEF) Global Risk Report – Every year the AICD (Australian Institute of Company Directors) holds a session around this report with the target audience being primarily senior executives and board members of Australian companies. As part of the WEF report, there is a section on the top five global risks ranked by impact and the likelihood of happening. This year cyber attack was listed as number three, just below extreme weather events and natural disasters. And putting aside individual beliefs on climate change, the first two risks are tough for a business to do anything about while cyber attacks are 100% manmade and therefore we have the power to create the right risk mitigation strategies. The WEF estimates that cyber attacks will cost between $1.5T to $4T US dollars for the world in 2018. That is around $500 per person for everyone in the whole world. And considering there are large parts of the world where $2 a day is an average wage we are talking about serious money that could be put to much better use.
Types of hackers – Mikko Niemela president of Silverskin Security presented to a group of INSEAD alumni, and his talk had several interesting points. First was the type of hackers. He called out four:
- Hacktivist – an individual or a group that is against something and makes an opportunistic attack against a company, individual or network to raise awareness of their cause. Denial of Service (DoS) attacks are one of their favourite tools.
- Organised Crime – no real explanation needed. They are looking for money, credit cards, crypto miners.
- Cyber Terrorist – their target is governments and political entities, and they usually don’t care if they get caught.
- Nation States – basically one country spying on another trying to get secrets, IP or other assets that would allow their nation to be better.
Most businesses focus on building out risk mitigation plans around the first two types of hackers, but some organisations need to think broader. Mikko shared a story about an airline based in a part of the world where most customers don’t have a credit card. To facilitate online booking, they offer a “book now and then go to your local X location and pay in the next 48 hours to confirm your seat” strategy. This airline was hacked by someone who appeared to be hired by a competitor, and who managed to make it look like all flights were always 100% sold out, causing the organisation to lose millions in revenue. Because they picked only a few selected routes and flights to hack, it took a while to figure out what was happening. Did the online booking system have a bug, or was something else causing the problems? Unfortunately, it was something else: a hacker.
The other interesting statement made in this presentation was, “It’s not hacking if someone uses your password to get into something when your password was leaked”. This made me want to get the companies whose boards I sit on to read the fine print on any cyber security insurance we might have. When is a hack a hack?
ROI for Hackers. The most frightening statistic that I heard at one of the events was the ROI for a hacker. The data point used was that you could hire a hacker for about $5k and they could typically generate $50k to $1.0m of ransom money. Now, this is illegal so no-one should get excited about a shortcut to paying off their mortgage! But you can see, with this kind of return, why people are attracted to giving it a go. And the role of the leaders and the boards of companies is to ensure that their organisation is not an easy target. If you are too hard to attack, a would-be hacker will go to the next company, just like someone burgling your neighbourhood. You don’t have to be 100% secure; you just need to be better than the other guy. Hackers have “productivity targets” they want to achieve.
While it is crucial that everyone in the leadership team is focused on potential areas of cyber attacks, there are some areas of the business that have more influence than others. The obvious one is IT, but HR plays a critical role in ensuring that the onboarding and exiting of employees is done in a manner that protects company data and educates the new joiner on what they need to do to help secure the company’s assets. If you are working in a shared services environment, it is even more critical that all service centre employees fully understand the risks and actions they need to take to protect against cyber attacks of all types.
Unfortunately, we live in a world where some smart people are exploiting security holes that exist in all companies. Similar to your house, when you leave a window open and it makes it easier for a burglar to get in, we all have a role to play to ensure that every day our data, systems and networks have all the “windows” closed and no one accidentally leaves the keys in the door.