We are living in dangerous and challenging times. In its January 2017 global risk report, the World Economic Forum (WEF) cited the top 6 global risks:
- Extreme weather;
- Large scale involuntary migration;
- Natural disasters;
- Terrorist attack;
- Cyber-attack and
- Data Fraud/theft.
Cyber-attack and data fraud/theft are serious threats to our personal and economic life.
Most of us rely on the internet for social and business communication. We access information from the internet to make decisions. But it is also a dangerous place, filled with pitfalls as cyber criminals, or hackers, are becoming smarter and more sophisticated. What we had welcomed as manna from technological heaven now brings risks that can ruin billions of lives worldwide.
The internet has slid from boon to bane as security disasters threatened to upend the bottom line of companies, put people’s lives at risk, and, worst, raise tensions between nations that could lead to armed conflict.
Hackers do what they do for many reasons. Money, for one. Their tool: Ransomware. The US Computer Emergency Readiness Team reported 4,000 average daily ransomware attacks in 2016, four times the 2015 average. The prime profit centers are financial services, healthcare, transportation and manufacturing, where companies pay upwards of $1,000 per affected customer to get out of the bind. Note that affected customers often run to tens of millions. With skyrocketing revenues from ransom payments, hackers are not about to quit, and attacks are likely to multiply manifold.
The more dangerous reason for hacking is political. The tool: Malware. The motivation, varied. Government institutions, repositories of sensitive information about persons, programs and agencies, are easy targets for hackers out to undermine or unsettle governments, influence the outcome of an election somewhere, or hold a high official hostage with embarrassing information.
Security experts stress that the biggest cyber security vulnerability is the human factor. Breaches can result from anything from simple negligence to revenge by a disgruntled employee. Largely, though, it is motivated by greed or a desire to do harm. And it is taking on the form and frequency of petty crime.
Petty, cybercrime is not. In fact, it has become so alarming that it has compelled countries to enact laws to protect their governments, economies and citizens. In the Philippines, two laws have been passed, the Cybercrime Prevention Act and the Data Privacy Act, both of 2012. The latter created the National Privacy Commission with the primary task of enforcing the law. Penalties include imprisonment for up to six years and fines in the millions of pesos.
Businesses and government are all vulnerable to cybercrime and, clearly, they need to gear up for this threat and protect themselves from this risk.
How can entities protect themselves?
First, prepare a Cyber Security Management Plan and a risk management system to lay out a standard process by which to assess the organization’s weaknesses and level of vulnerability. Then draw up a cyber-incident response plan. Assign a Data Privacy Manager (DPM) and organize a team with definite functions: identify and assess risk, select a method of handling risk, and monitor and review the cyber incident response plan.
Management must formulate the strategic risk handling methods that cover risk avoidance, loss prevention and control measures and risk transfer solutions. The first two methods require substantial investments in hardware, software, and manpower, including a legal contingent. They also need constant upgrades of hardware and software as well as continuing training of personnel.
In December 2013, hackers stole the credit and debit card records of over 40 million customers of Target, a discount store retailer in the US. The breach, caused by malware installed in the company’s networks, caused profit for the quarter to tumble by 40 percent and forced Target to pay US $10 million to settle a lawsuit brought by affected customers.
The intrusion by suspected Russian hackers into the US Democratic National Convention website has put in question the results of last year’s presidential election and continues to strain US-Russia relations. Closer to home, we have our own “Comeleak” where hackers defaced the COMELEC website and leaked its database a month before the May 2016 polls, raising fears about the security and integrity of the automated election system.
At the end of June 2017, the shipping giant Maersk was hit by a cyber-attack that shut down systems, sent port terminals grinding to a halt, left ships floating at sea, and cost up to $300 million in losses.
In case of a loss, an organization can decide to absorb these expenses or it can transfer the risk through insurance. Cybercrime insurance would cover claims due to breach of confidential customer information and provide financial reimbursement for fees such as legal expenses, the cost of hiring outsourced IT forensics experts, and the cost of repairing the reputation of the company and of individuals.
In the Philippines, a select group of insurers now offers cybercrime insurance. It would be prudent for businesses to explore this option to see if it is a good fit for their requirements and resources.