Businesses have ploughed billions of dollars into technology and software that promises to keep cyber threats at bay. Total global spend on antivirus software, for instance, will reach $3.77bn in 2019, according to market research group ARC.
Software undoubtedly plays a major role in combating digital threats, but other areas have been neglected. Tellingly, business leaders surveyed in Grant Thornton’s International Business Report (IBR) say that overreliance on software is their greatest weak point in managing cyber and privacy-related threats. Taken together, we define cyber security and data privacy threats as digital threats.
In this perspective Renato Sesana, Partner of Bernoni Grant Thornton, the Italian member firm of Grant Thornton International Ltd states:“The Grant Thornton International Business Report once again shows that Top Managers still believe that protection against cyber-threats resides mostly in the software infrastructures rather than in the 'human factor'.
Part of the investments in technology should indeed be redirected in acquiring specialized skills in cybersecurity, as well as in raising staff awareness in order to recognize and to know how to effectively manage any threats.
However, even on the risk management front, which is intended as a reduction in the impact, there is ample room for improvement, especially with reference to Cyber Insurance. This world is still at its early stages and in order to grow it is going to require the collaboration between businesses and insurance companies to reach a correct assessment of the economic impact of digital risk.”
It’s encouraging that business leaders acknowledge this. But now they must act, by improving their specialist digital skills and all employees’ awareness of cyber security. They should also explore specialist cyber security insurance.
This doesn’t mean forking out more money. In many cases, they will be able to taper software spending as they strengthen their human capabilities and insurance provisions. Tellingly, ARC predicts that antivirus software market revenues will shrink at a -1.2% CAGR over the next five years.
Companies might have sophisticated cyber security software, but that won’t prevent the human error that’s behind many cyber breaches. After all, it’s the human workforce that responds to phishing emails and installs unauthorised software.
But businesses spend significantly more on cyber security software than they do on educating their workforces, so it’s no surprise that they see overreliance on technology as a key weakness in managing digital risk.
They can address this by increasing all employees’ awareness of cyber security. But how? After all, businesses have been running cyber security webinars and mandatory training programmes for many years, yet human error continues to open them up to cyber-attack. A new form of education is necessary.
Christos Makedonas, technology risk leader at Grant Thornton Cyprus, says that shorter training formats would help. “No one has time to watch hour-long training videos,” he says. “They should be shortened to a maximum of two minutes. You also need visual reminders – such as banners around the office and messages on screens – to remind people of best practice.
“Businesses should then simulate phishing attempts, and the employees that respond to them can then be given further training. We’ve found these sorts of training programmes to be much more successful than conventional webinars.”
Businesses need to understand where they are vulnerable to cyber attack and breaches of data protection compliance before investing in preventative software. This requires specialised skills that most businesses don’t have.
“Businesses need privacy-related skillsets to help map out their data and understand their regulatory requirements – particularly in a cloud environment,” says Mike Harris, partner, Cyber Security Services, Grant Thornton Ireland. “They also need cyber technology skills around the technologies they are using.
“For example, if you are using cloud services provided by Amazon or Azure, you need to have the security skills in house to work out what they will and will not do regarding cyber security. That skills component is often overlooked.”
Many businesses have invested heavily in advanced analytical cyber security technologies that help identify new threats and vulnerabilities.
But these are only as good as the workforce that can interpret the results and implement corresponding changes.
“Lots of people look to technology as a silver bullet, but it isn’t,” says James Arthur, partner, head of cyber consulting, Grant Thornton. “Many companies spend a lot of money on AI-driven, behavioural analytics cyber security software, which can be really useful in some circumstances, however you normally need to spend an awful lot of human time training it to ensure it delivers useful insights. Then you need a human at the end of that chain who can look at the output and make/approve changes.”
“There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
These are the words of former FBI director Robert Mueller back in 2012.
His message is clear – and just as relevant today as it was seven years ago: a breach is inevitable. It makes a strong case for investing in insurance to mitigate the impact of cyber attacks, rather than just in software to prevent them.
“Any reasonable digital risk program has to have an element of detection, response and insurance, because cyber events will happen,” says Mike Harris. “We see increased adoption of insurance that covers both cyber-attacks and data privacy regulatory breaches. But while it’s imperative and its use is increasing, the majority of businesses still don’t have this type of insurance.”
Businesses might assume that their general insurance covers cyber-attack. But they might have a nasty surprise. For example, insurer Hiscox is currently disputing a claim from law firm DLA Piper – likely to be several million pounds – on the basis that it didn’t have a specific cyber policy.
But even businesses with cyber insurance cannot sit comfortably. Insurers may refuse to pay out if they deem the attack to be an act of war, which could be argued if it was initiated by state-sponsored actors.
“Insurance is great, but the devil is in the detail,” explains James Arthur. “We have seen insurers trying to argue their way out of paying for things because the attack has been traced back to a state group”. Lots of malware trickles down from some sort of state-sponsored activity, so businesses really need to look at the detail.
In addition, cyber policies can contain provisions that require businesses to install frequent updates and patches. Failure to do this could result in insurers not paying out in the event of an incident.
“Some policies require businesses to keep their patch management up to date a lot more frequently than they are used to – or would like to, given the disruption it can cause,” adds Arthur.
Businesses must therefore examine the details of their cyber insurance forensically to make sure they’re covered and can comply with its requirements.
The case for digital risk insurance has grown, but the sophistication of insurance offerings has not. This is the view of the business leaders surveyed in Grant Thornton’s IBR. Tellingly, more than two-thirds believe the insurance industry needs to improve its offering to businesses around privacy risk.
“The cyber and data breach insurance market is nowhere near as mature as other insurance markets,” explains Christos Makedonas. “Insurers are currently struggling to assess risks because businesses have different vulnerabilities. Two companies in the same sector and of the same size might have a different culture and use different technologies, which makes it very difficult to price risk.
“But it’s very important for businesses to explore this and work with insurers to move the market forward.”
These recommendations must be implemented in the context of businesses’ specific digital risk environments. So the first step for business leaders is to understand their specific vulnerabilities and threats. Only then can they implement the most relevant technologies, training initiatives and insurance coverage.