Cyber security Risk Management: Historical Trends and Mitigation Strategies
Managing the Risk of Cyber-Attacks
Last year, the average cost of cybercrime globally reached $11.7 million per business (“Cyber Crime Costs $11.7 Million Per Business Annually,” 2017). This cost is expected to grow exponentially and reach an average of $150 million by 2020 (Ogborn, 2018). Because the frequency, severity, and number of exposure units have been observed to grow over the past century, this paper will first examine the historical background to see which underlying historical trends have helped to create the current cyber environment (Morgan, 2017; Ogborn, 2018).
Next, the paper will identify the direct and indirect losses and recommend a number of risk management techniques that a business can implement to prevent or reduce the losses. It will then enumerate the steps a company can take to recover from a cyber-attack. Last but not least, this paper will examine the attack on Target and the company’s path to recovery.
Historical Background
Although people tend to think of cybercrime as something that originated in the last two or three decades with the arrival of the Internet, cybercrime has been around for over 100 years. The first known occurrence of cybercrime came in the 19th century with the invention of the wireless telegraph (Fell, 2017; McMullan, 2015). In 1903, during the first public demonstration of the technology, Nevil Maskelyne, an inventor and wireless technology enthusiast, hacked the telegraph to send Morse code messages in disapproval of the invention.
The next wave of cybercrime came in the late 1950s with the “phone phreaks,” or phone hackers that would listen to tones emitted by phones to find out how the calls were routed (Fell, 2017). The phone phreaks would then imitate these tones to switch the calls from the phone handset and allow themselves to make free calls around the world.
The major wave of cybercrime came with the growing use of email in the late 1980s (Fell, 2017; “Where Does Cybercrime Come From?” 2017). Since that time, phishing scams and malware have been conveniently delivered to people’s inboxes. The development of web browsers in the 1990s increased people’s exposure to new, more hidden forms of cybercrime, such as viruses (“Where Does Cybercrime Come From?” 2017). The frequency of cybercrime increased dramatically in the early 2000s with the widespread use of social media. The increasing number of people putting their personal information into a profile database created a treasure trove for identity thieves, who then used the information to gain access to bank accounts and open new lines of credit.
Today, nearly everyone has a footprint on the web, including large companies. Because of this, cybercrime has become more attractive than ever before. Not only have the prospects for hackers increased, but the losses to people and businesses continue to grow on a yearly basis. On average, the cost of a data breach by 2020 will be over $150 million (Ogborn, 2018). The overall global cost of cybercrime today is around $600 billion, or about 0.8 percent of the global GDP.
Companies that fall victim to cybercrime often pay high legal fees and suffer losses in both income and reputation. In 2013, Target lost $890 million in market value the day it announced its cyber breach, which resulted in the loss of nearly 40 million customers’ credit card information and other data (Palmquist, 2018). On a similar note, Yahoo lost a whopping $350 million off its sale price when it announced in 2016 that it had been a victim of a data breach that compromised three billion user accounts (Armerding, 2018).
Loss Exposures Associated with Cybercrime
As more people and businesses become interconnected via the Internet, the number of exposure units continues to grow. Not surprisingly, the frequency of losses is also increasing. Cybersecurity Ventures predicts that by 2019 a business will fall victim to ransomware every 14 seconds as opposed to every 40 seconds in 2017 (Morgan, 2017). According to Ponemon Institute, the severity of losses is also growing at an alarming pace.
In 2017, the average cost of cybercrime globally reached $11.7 million per business, which was a 23 percent increase from $9.5 million in 2016 (“Cyber Crime Costs $11.7 Million Per Business Annually,” 2017). Seeing these statistics, one may naturally wonder where these costs come from. To answer this question, one has to look at both the direct and the indirect losses associated with a data breach. Studies show that businesses suffer a variety of losses during and after a data breach. These losses include damage or loss of personal and financial data, stolen money, loss of productivity, theft of intellectual property, legal expenses, damage to reputation, and recovery expenses.
Stolen money. Cybercriminals can impose a direct and immediate financial cost on a business when they gain access to the financial accounts and transfer the funds to the accounts they control. Even banks, which are often thought to have the strongest cyber security protection, are not immune. In the years 2016 and 2017, in a time span of just 18 months, Russian hackers called “Money Takers” stole a total of $10 million from U.S. and Russian banks (Reevell, 2017). Hackers do not have to break into a company’s system to steal money. In 2016, businesses unknowingly wired over $360 million to cyber criminals that posed as corporate executives or suppliers in emails (Reuters, 2017).
Stolen intellectual property. Hackers may also steal intellectual property, such as trade secrets or future company plans, and attempt to sell this information to competitors (Deloitte, 2016). Because intellectual property helps innovation and growth, the loss of this information may not only increase costs but also lead to the failure of small and medium businesses (Deloitte, 2016; Lewis, 2018). According to the Center for Strategic and International Studies, the theft of intellectual property constitutes, at the minimum, a quarter of the cost of cybercrime (Lewis, 2018).
Damage to reputation and loss of personal and financial data. In the first half of 2017, nearly 2 million data records were compromised (Graham, 2017). This constituted a 164 percent increase from the year prior. Because a large percentage of the sensitive records stolen are usually filled with confidential customer data, reputational damage and liability risk are very real concerns to a company and its brand (Eubanks, 2017; Puzas, 2017). Data breaches often lead to a loss of trust in the company and a lack of confidence in the company’s ability to keep customer data safe. As a result, customers are less likely to buy from companies that could mismanage their information and put them at risk of identity theft. As one can imagine, losing customers, especially those who were once brand loyal, negatively affects a business’s bottom line.
Legal costs. Following a cyber-attack, a company may be faced with class-action lawsuits from customers who have been affected. Target, Home Depot, and Sprouts are just a few of the many businesses that have had class-action lawsuits filed against them. In May 2017, Target paid a whopping $18.7 million settlement over the 2013 data breach that affected more than 40 million of its customer payment card accounts (Eubanks, 2017). Data breaches can also draw hefty fines from the Federal Communications Commission, the Federal Trade Commission, Health and Human Services, the Payment Card Industry (under its Data Security Standard, PCI DSS), and other regulatory bodies (Puzas, 2017).
Decreased profitability. According to Nick Eubanks of the Young Entrepreneur Council, “Market perception is directly linked to how company security is managed” (Eubanks, 2017). The reason for this is that an estimated 85% of business assets are in digital form. Taking this into consideration, it is no surprise that negative press regarding a cyber-attack can provoke the “sell now” groupthink. Investors want to feel that their money is safe with a company; they want to feel like they can make a profit. When the majority of the company’s assets are under attack, they want to be out, and out quickly. According to a study by the critical security provider Gemalto, two-thirds of the 65 companies breached had their share price negatively affected (Graham, 2017).
Recovery expenses and lost productivity. Following a cyberattack, opportunities and income are foregone, and business activities are interrupted by the need to spend money and time on recovering hacked data and bolstering cyber security (Lewis, 2018). Profitable projects may have to be postponed or even canceled as money is diverted away to deal with security issues. According to Business Insider, it costs an estimated $1 million on average to resolve a cyber-attack (Puzas, 2017).
Dealing with the Loss Exposures
The most direct loss exposure for a company that uses the Internet to store its data and communicate with its stakeholders is the loss or theft of data. As mentioned earlier, this loss exposure is growing in frequency and cost every year. To reduce the frequency and severity of losses, a company can use a variety of risk control techniques such as loss prevention, duplication, and separation. Because no business is immune to cyber-attacks, it is also a good idea to use risk financing techniques such as active retention and cyber-insurance to deal with indirect losses such as legal costs and recovery expenses.
Loss prevention. The support and commitment of the Board of Directors and senior management are vital to the successful implementation of a risk management strategy (CPNI, n.d.). These two groups should actively communicate the organization’s attitude and approach to risk management throughout the organization to make certain that employees, contractors, and suppliers are aware of the risk level the organization is willing to take on. Training employees in cyber security principles and limiting their access are two ways to reduce the risk of data loss or theft.
Employees should be trained to use two-factor authentication, regularly change passwords, and recognize suspicious emails (Cap Coverage, 2018). They should also only be given access to the data and information they need to do their job. It is also very important to install, use, and regularly update antivirus and antispyware software on all computers used by the company. To make sure that the appropriate security measures are maintained, the company must conduct regular network penetration tests and cyber-attack exercises (CPNI, n.d.). Any deficiencies in protection that these uncover need to be corrected as soon as possible.
Duplication and separation. In case data is stolen or lost, it is a good idea to keep copies of important business data and information (Cap Coverage, 2018). A company can also limit its losses by dividing the assets exposed to a loss and keeping them separated. To do this, a company would identify, group, and isolate important business data and control for the risk of each group (Cap Coverage, 2018; CPNI, n.d.). This way, if a loss occurs, only one group suffers a loss, and the company can still continue certain business operations.
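The two controls just described, giving each role access only to the data it needs and keeping the data itself split into isolated groups, can be expressed as a small deny-by-default policy. The following Python is an added illustration written for this page; it is not code from the paper or from any source it cites, and the data groups, roles and the HVAC-vendor role are constructed assumptions. The blast_radius function makes the point of separation concrete: it shows which groups a single stolen credential can reach.

```python
"""Least-privilege access to separated data groups (added example).

Groups, roles and the policy below are constructed for illustration and
are not taken from the paper or from any company's real configuration.
"""

# Each business data set is classified into a group that is stored and
# controlled separately from the others (constructed groups).
GROUPS = {"cardholder", "employee_pii", "inventory", "hvac_telemetry"}

# Least-privilege policy: a role is granted only the actions on the groups
# its job requires. The third-party HVAC vendor role deliberately has no
# path to cardholder data (constructed roles).
POLICY = {
    "pos_terminal":  {"read": {"inventory"}, "write": {"cardholder"}},
    "hr_analyst":    {"read": {"employee_pii"}, "write": {"employee_pii"}},
    "hvac_vendor":   {"read": {"hvac_telemetry"}, "write": {"hvac_telemetry"}},
    "security_team": {"read": set(GROUPS), "write": set()},
}


def authorize(role, action, group):
    """True only if the policy explicitly grants `action` on `group` to `role`.

    Unknown roles, actions or groups fall through to a denial, so a typo in a
    request or a group that was never classified never grants access.
    """
    if group not in GROUPS:
        return False
    rules = POLICY.get(role)
    if rules is None:
        return False
    return group in rules.get(action, set())


def blast_radius(compromised_roles):
    """Return the set of groups reachable with the given compromised credentials.

    With separated data, a stolen vendor credential exposes only the vendor's
    own group; without separation the same credential would reach everything.
    """
    exposed = set()
    for role in compromised_roles:
        for action in ("read", "write"):
            exposed |= POLICY.get(role, {}).get(action, set())
    return exposed


def review_requests(requests):
    """Evaluate a batch of (role, action, group) requests; returns decisions."""
    return [(role, action, group, "ALLOW" if authorize(role, action, group) else "DENY")
            for role, action, group in requests]


if __name__ == "__main__":
    # Constructed sample requests, including a vendor probing for card data.
    sample = [
        ("hvac_vendor", "read", "hvac_telemetry"),
        ("hvac_vendor", "read", "cardholder"),
        ("pos_terminal", "write", "cardholder"),
        ("pos_terminal", "read", "cardholder"),
        ("security_team", "write", "inventory"),
    ]
    for decision in review_requests(sample):
        print(*decision)
    print("exposed by a stolen vendor credential:", blast_radius(["hvac_vendor"]))
```

Note that the POS terminal role can write card data for a transaction but cannot read the cardholder group back, and the security team can read everything but change nothing; both are deliberate asymmetries that a flat "full access" account would not have.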
Cyber-insurance. Because the losses associated with a cyber-attack are very high, cyber insurance can help deal with some of the indirect losses (HUB International Limited, 2018). Cyber insurance coverage varies and usually covers only a part of the loss. Areas more commonly covered by cyber-insurance include privacy attorneys, IT forensic investigation, compliance with state notification laws, credit monitoring for breached individuals, a PR firm to manage the crisis, regulatory fines, and class-action lawsuits resulting from the breach. Currently, the top cyber insurers are AIG, Chubb, Hiscox, Liberty Mutual, and HSB (Cyber Policy, 2018).
Handling the Existing Risk and Returning to “Normal”
As mentioned earlier, it is nearly impossible to prevent all cyber-attacks. When a cyber-attack occurs, a business is likely to experience decreases in its operational abilities, downtime, reputation, and revenue (Alvarez Technology Group, 2018). To limit these losses and ensure operational continuity, a business needs to have a response and recovery plan in place in case an attack occurs. The response and recovery plan should serve as a guideline for organizing the incident response team, securing systems and ensuring business continuity, conducting an in-depth investigation, managing public relations, and following legal and regulatory requirements (Rossi, 2015).
Incident response team. To deal with cyber-attacks in a comprehensive and effective manner, a business must establish an incident response team (Rossi, 2015; Walker & Associates Insurance, 2018). The incident response team should consist of relevant internal stakeholder groups. Typically, this team includes HR and employee representatives, a technical team, a legal team, intellectual property experts, data protection experts, and public relations representatives (Rossi, 2015).
Securing systems and ensuring operational continuity. To prevent continued data exposure and loss, a breached business needs to take certain security measures (Rossi, 2015; Walker & Associates Insurance, 2018). Although doing this can be very disruptive and costly, a business may have to quarantine or suspend a compromised portion of the network. Other systems may also have to be monitored to make sure that any other breaches are detected promptly. After detecting the losses, the business should check whether they are covered under the insurance policies (Vitale, 2016). If they are covered, the insurance company needs to be notified in a timely manner.
Conducting an in-depth investigation. An important step to take after a breach has occurred is to carry out an in-depth investigation (Rossi, 2015). This investigation should determine the cause of the breach, the breach’s effects, and the remedial actions that need to be taken. Should an employee be involved in the breach, the investigation also needs to consider all relevant labor laws and involve HR personnel. To be able to demonstrate appropriate handling of the situation and to notify those affected by the breach, the investigation needs to be appropriately documented (Walker & Associates Insurance, 2018). Furthermore, the business should integrate the feedback from the investigation into its current response and recovery plan to prevent similar breaches.
Managing public relations and following legal and regulatory requirements. To avoid detrimental reputational damage and additional legal consequences, the business should follow the security breach notification laws in informing those affected by the breach (National Conference of State Legislatures, 2018). The accuracy and timing of notifications are especially important. Helpful complimentary services such as credit screening can also be offered to help save the customer relationship (Rossi, 2015).
Closing the Loop With a Real-Life Case
Not many cyberattack stories have happy endings. Costs associated with diminished consumer trust, damaged reputation, class action lawsuits, and stolen intellectual property can be detrimental and even deadly to a business. Target, one of the largest retailers in the U.S., demonstrates that recovery and even growth after an attack are possible if the appropriate measures are taken. The following three sections explain the cyber-attack, the measures taken, and the result.
Cyber-Attack on Target
In November 2013, hackers stole forty million credit and debit card records using stolen third-party vendor credentials (Hong, 2017). This hack was largely the result of negligence. Target delayed the investigation of suspicious activity and failed to implement even the most basic security measures, such as the separation of cardholder data from the rest of its computer network (Finkle, 2014; Hong, 2017). The theft negatively affected the retailer’s reputation with customers, decreased sales, and resulted in $202 million in legal fees and other post-breach costs (Hong, 2017).
How have things changed? Five years and a CEO later, Target has made large strides towards regaining consumer trust and recovering financially. To prevent future attacks, the company has limited vendor access and separated its cardholder data from the rest of its computer network (Target, 2018). It has also installed whitelisting applications on its point-of-sale systems to allow only known web traffic to access its systems (Target, 2018). To ensure the security of accounts, the company implemented password rotation policies and two-factor authentication (Target, 2018).
Target also became the first major issuer to use chip and PIN credit cards in the United States (Harris, 2017). Unlike credit cards with magnetic stripes, credit cards with EMV chips are more difficult and expensive to duplicate, which makes them more secure. That is to say, Target’s credit cards became some of the safest in the nation. To better detect suspicious activity, the company also improved its auditing and logging of security-related events with supplementary rules, alerts, and a centralized log feed (Target, 2018). As a result, the company can now better monitor user activity, document regulatory compliance, and perform forensic analysis.
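The two preceding paragraphs describe three detection-oriented controls: allowing only known traffic from point-of-sale systems, tighter control of vendor accounts, and a centralized log feed with rules and alerts. The Python below is an added example of what such rules look like when run over a central feed; it is not Target's code or configuration and is not drawn from any cited source. The log line format, host names, addresses, the POS allowlist, the vendor account name, the failure threshold and the expected vendor login hours are all constructed assumptions.

```python
"""Detection rules over a centralized log feed (added example).

The feed format, hosts, addresses, allowlist and thresholds are constructed
for illustration; none of it is a real company's configuration or data.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: one event per line, 'timestamp key=value ...'.
# It mixes POS outbound connections with remote-access authentication events.
SAMPLE_FEED = """\
2018-05-03T01:58:10Z host=pos-117 event=outbound dst=10.20.5.10 port=443
2018-05-03T02:14:05Z host=pos-117 event=outbound dst=203.0.113.45 port=443
2018-05-03T02:14:06Z host=pos-117 event=outbound dst=198.51.100.7 port=21
2018-05-03T02:20:00Z host=vpn-gw event=auth user=hvac-vendor result=fail src=192.0.2.9
2018-05-03T02:20:04Z host=vpn-gw event=auth user=hvac-vendor result=fail src=192.0.2.9
2018-05-03T02:20:09Z host=vpn-gw event=auth user=hvac-vendor result=fail src=192.0.2.9
2018-05-03T02:20:15Z host=vpn-gw event=auth user=hvac-vendor result=success src=192.0.2.9
2018-05-03T10:05:00Z host=vpn-gw event=auth user=hvac-vendor result=success src=192.0.2.9
2018-05-03T10:06:30Z host=pos-042 event=outbound dst=10.20.5.11 port=443
"""

# Constructed allowlist: POS terminals may only reach the internal payment
# and update servers, and only over HTTPS.
POS_ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.5.0/24")]
POS_ALLOWED_PORTS = {443}

# Constructed thresholds for the vendor-account rules.
FAIL_THRESHOLD = 3                 # failures within FAIL_WINDOW raise an alert
FAIL_WINDOW = timedelta(minutes=5)
VENDOR_ACCOUNTS = {"hvac-vendor"}
VENDOR_HOURS = range(8, 18)        # vendor logins expected 08:00-17:59 UTC

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_line(line):
    """Parse one feed line into a dict; returns None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, rest = m.groups()
    event = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def pos_allowlist_alerts(events):
    """Rule 1: a POS host connecting anywhere other than the allowlisted servers."""
    alerts = []
    for e in events:
        if e.get("event") != "outbound" or not e["host"].startswith("pos-"):
            continue
        dst = ipaddress.ip_address(e["dst"])
        permitted = (any(dst in net for net in POS_ALLOWED_NETWORKS)
                     and int(e["port"]) in POS_ALLOWED_PORTS)
        if not permitted:
            alerts.append(("pos_egress_violation", e["host"], f"{e['dst']}:{e['port']}"))
    return alerts


def auth_alerts(events):
    """Rule 2: burst of failed logins per account within a sliding window.
    Rule 3: a vendor account logging in successfully outside its expected hours."""
    alerts = []
    recent_failures = defaultdict(list)
    for e in events:
        if e.get("event") != "auth":
            continue
        user = e["user"]
        if e["result"] == "fail":
            window = [t for t in recent_failures[user] if e["ts"] - t <= FAIL_WINDOW]
            window.append(e["ts"])
            recent_failures[user] = window
            if len(window) == FAIL_THRESHOLD:   # fire once, when the threshold is hit
                alerts.append(("auth_failure_burst", user, e["src"]))
        elif (e["result"] == "success" and user in VENDOR_ACCOUNTS
              and e["ts"].hour not in VENDOR_HOURS):
            alerts.append(("vendor_login_off_hours", user, e["ts"].isoformat()))
    return alerts


def run_rules(feed_text):
    """Parse the feed, skip malformed lines, and return all alerts in rule order."""
    events = [ev for ev in (parse_line(l) for l in feed_text.splitlines()) if ev]
    return pos_allowlist_alerts(events) + auth_alerts(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_FEED):
        print(*alert)
```

Because every host reports into one feed, the burst of vendor login failures and the POS terminal's unexpected outbound connections can be correlated by time in a single pass, which is exactly the kind of suspicious activity the paragraph above says the centralized logging was meant to surface.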
Did these changes help? Target’s sales have more than recovered. In fact, the company just reported its best quarterly sales in over a decade (Bhattarai, 2018; Safdar, 2018). Total revenue grew 6.9% to $17.78 billion, increasing the company’s annual earnings prospects. According to Target Chief Executive Brian Cornell, this growth is not only attributable to the booming economy but also to the increase in market share Target has gained in various categories ranging from electronics and homewares to toys and apparel (Safdar, 2018).
References:
- Cyber Crime Costs $11.7 Million Per Business Annually. (2017). Retrieved from https://www.securitymagazine.com/articles/88134-cyber-crime-costs-117-million-per-business-annually
- Ogborn, J. (2018). Cyber Attack Trends: 2018 Mid-Year Report. Retrieved from https://www.varonis.com/blog/cyber-attack-trends-2018-mid-year-report/
- Morgan, S. (2017). Cybersecurity Ventures. Retrieved from https://cybersecurityventures.com/
- Fell, J. (2017). A Brief History of Cyber Crime. Retrieved from https://www.safetydetectives.com/blog/history-of-cyber-crime/
- McMullan, T. (2015). Cybercrime: A Short History. Retrieved from https://www.itgovernance.co.uk/blog/cyber-crime-a-short-history
- “Where Does Cybercrime Come From?” (2017). Retrieved from https://www.kaspersky.com/resource-center/threats/where-does-cybercrime-come-from
- Palmquist, R. (2018). Target Corporation Data Breach: A Case Study of What Not to Do. Retrieved from https://dmi.com/target-corporation-data-breach/
- Armerding, T. (2018). The 17 biggest data breaches of the 21st century. Retrieved from https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
- Deloitte. (2016). Intellectual property theft: A growing threat. Retrieved from https://www2.deloitte.com/global/en/pages/risk/articles/intellectual-property-theft.html
- Lewis, J. (2018). The true cost of cybercrime. Retrieved from https://www.csis.org/programs/technology-policy-program/significant-studies-cybercrime