Businesses have ploughed billions of dollars into technology and software that promises to keep cyber threats at bay. Total global spend on antivirus software, for instance, will reach $3.77bn in 2019, according to market research group ARC.
Software undoubtedly plays a major role in combating digital threats, but other areas have been neglected. Tellingly, business leaders surveyed in Grant Thornton’s International Business Report (IBR) say that overreliance on software is their greatest weak point in managing cyber and privacy-related threats. (Throughout this article, “digital threats” means cyber security and data privacy threats taken together.)
In this perspective Renato Sesana, Partner of Bernoni Grant Thornton, the Italian member firm of Grant Thornton International Ltd, states: “The Grant Thornton International Business Report once again shows that top managers still believe that protection against cyber threats resides mostly in the software infrastructure rather than in the ‘human factor’.
Part of the investment in technology should indeed be redirected to acquiring specialised skills in cyber security, as well as to raising staff awareness, in order to recognise threats and know how to manage them effectively.
However, even on the risk management front, which is understood as reducing the impact of an incident, there is ample room for improvement, especially with reference to cyber insurance. This world is still in its early stages, and in order to grow it is going to require collaboration between businesses and insurance companies to reach a correct assessment of the economic impact of digital risk.”
It’s encouraging that business leaders acknowledge this. But now they must act, by improving their specialist digital skills and all employees’ awareness of cyber security. They should also explore specialist cyber security insurance.
This doesn’t mean forking out more money. In many cases, businesses will be able to taper software spending as they strengthen their human capabilities and insurance provisions. ARC’s forecast points the same way: it predicts that antivirus software market revenues will shrink at a 1.2% compound annual rate over the next five years.
Boosting awareness, honing skills
New ways to raise awareness
Companies might have sophisticated cyber security software, but it won’t prevent the human error behind many breaches. After all, it is people who respond to phishing emails and install unauthorised software.
But businesses spend significantly more on cyber security software than they do on educating their workforces, so it’s no surprise that they see overreliance on technology as a key weakness in managing digital risk.
They can address this by increasing every employee’s awareness of cyber security. But how? Businesses have been running cyber security webinars and mandatory training programmes for many years, yet human error continues to open them up to cyber attack. A new form of education is necessary.
Christos Makedonas, technology risk leader at Grant Thornton Cyprus, says that shorter training formats would help. “No one has time to watch hour-long training videos,” he says. “They should be shortened to a maximum of two minutes. You also need visual reminders – such as banners around the office and messages on screens – to remind people of best practice.
“Businesses should then simulate phishing attempts, and the employees that respond to them can then be given further training. We’ve found these sorts of training programmes to be much more successful than conventional webinars.”
Identify vulnerabilities first, invest later
Before investing in preventative software, businesses need to understand where they are vulnerable to cyber attack and where they risk breaching data protection rules. This requires specialised skills that most businesses don’t have in-house.
“Businesses need privacy-related skillsets to help map out their data and understand their regulatory requirements – particularly in a cloud environment,” says Mike Harris, partner, Cyber Security Services, Grant Thornton Ireland. “They also need cyber technology skills around the technologies they are using.
“For example, if you are using cloud services provided by Amazon or Azure, you need to have the security skills in house to work out what they will and will not do regarding cyber security. That skills component is often overlooked.”
Advanced analytical tech needs advanced analytical minds
Many businesses have invested heavily in advanced analytical cyber security technologies that help identify new threats and vulnerabilities.
But these tools are only as good as the people who interpret their output and implement the corresponding changes.
“Lots of people look to technology as a silver bullet, but it isn’t,” says James Arthur, partner, head of cyber consulting, Grant Thornton. “Many companies spend a lot of money on AI-driven, behavioural analytics cyber security software, which can be really useful in some circumstances, however you normally need to spend an awful lot of human time training it to ensure it delivers useful insights. Then you need a human at the end of that chain who can look at the output and make/approve changes.”
The growing case for cyber insurance
Insure for the inevitable
“There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
These are the words of Robert Mueller, speaking in 2012 as director of the FBI.
His message is clear, and just as relevant today as it was seven years ago: a breach is inevitable. That makes a strong case for investing in insurance to mitigate the impact of cyber attacks, not just in software to prevent them.
“Any reasonable digital risk program has to have an element of detection, response and insurance, because cyber events will happen,” says Mike Harris. “We see increased adoption of insurance that covers both cyber-attacks and data privacy regulatory breaches. But while it’s imperative and its use is increasing, the majority of businesses still don’t have this type of insurance.”
Businesses might assume that their general insurance covers cyber attack, but they could be in for a nasty surprise. For example, insurer Hiscox is currently disputing a claim from law firm DLA Piper, likely to run to several million pounds, on the basis that the firm did not hold a specific cyber policy.
Forensically unpick coverage
Even businesses with cyber insurance cannot sit comfortably. Insurers may refuse to pay out if they deem the attack to be an act of war, an argument that can be made whenever an attack is attributed to state-sponsored actors.
“Insurance is great, but the devil is in the detail,” explains James Arthur. “We have seen insurers trying to argue their way out of paying for things because the attack has been traced back to a state group.” Much malware trickles down from some form of state-sponsored activity, so businesses really need to look at the detail.
In addition, cyber policies can contain provisions that require businesses to apply updates and patches promptly. Failing to do so could give insurers grounds not to pay out in the event of an incident.
“Some policies require businesses to keep their patch management up to date a lot more frequently than they are used to – or would like to, given the disruption it can cause,” adds Arthur.
Businesses must therefore examine the details of their cyber insurance forensically, to make sure they are actually covered and that they can comply with its conditions.
Collaborate with insurers
The case for digital risk insurance has grown, but the sophistication of insurance offerings has not. That is the view of the business leaders surveyed in Grant Thornton’s IBR: more than two-thirds believe the insurance industry needs to improve its offering to businesses around privacy risk.
“The cyber and data breach insurance market is nowhere near as mature as other insurance markets,” explains Christos Makedonas. “Insurers are currently struggling to assess risks because businesses have different vulnerabilities. Two companies in the same sector and of the same size might have a different culture and use different technologies, which makes it very difficult to price risk.
“But it’s very important for businesses to explore this and work with insurers to move the market forward.”
Five recommendations for a balanced approach to digital risk management
- Traditional approaches to cyber training are not working. Businesses should develop shorter, more regular training videos and simulate phishing attempts to better educate their workforces.
- Businesses need the capability to identify and map out their digital vulnerabilities. They should recruit staff with specialised cyber skills that complement cyber security software, so that their investment in preventative software is focused on the right areas.
- All businesses will suffer a cyber attack at some point, no matter how much they invest in preventative software. General insurance might not cover cyber attacks, so businesses should explore specific digital risk insurance that covers both cyber attacks and data privacy breaches.
- But the cyber insurance market is relatively immature, so businesses should spend time educating insurers about their specific vulnerabilities so that the risk is priced effectively.
- Once insurance is secured, businesses must be vigilant about adhering to its terms and conditions. Failing to install updates as frequently as the policy requires could void the cover.
These recommendations must be implemented in the context of businesses’ specific digital risk environments. So the first step for business leaders is to understand their specific vulnerabilities and threats. Only then can they implement the most relevant technologies, training initiatives and insurance coverage.