We’ve heard plenty in the last two years about how a global pandemic was highly likely but that we failed to take the threat seriously enough. Can we learn from this in protecting our businesses against cyber threats? There are certainly parallels.
Our global response to Covid relied, broadly, on two things: development of vaccine technology and changing our behaviour to limit the risk of spread. It’s the latter of these – the role that we as individuals can play in limiting the damage – from which I think we can learn a lesson when it comes to protecting our businesses from cyber risk.
A cyber-attack is an ever-present threat to businesses of all sizes and, just like a pandemic, it’s one that can spread quickly and with devastating effect at a global level. The World Economic Forum has previously warned that just one day of global internet outage could cost the world up to $50bn.
At a sector level, cyber risk should be right at the top of the list of concerns for risk and compliance teams, given the confidential nature of the information we manage for our clients.
The government’s Cyber Security Breaches Survey 2021 found that, among private businesses, finance and insurance were the sectors that were most likely to hold personal data about customers (82%) which in itself makes us more of a target for a cyber-attack.
We learnt to understand the capacity of Covid-19 to spread through the ‘R’ value and growth rates. An R value of 2 meant that, on average, each infected person would go on to infect another two.
To put a potential cyber-attack into perspective, modelling research has suggested that the equivalent R rate for a cyber-attack could be far higher than this: as high as 27 or more. For every device infected, another 27 or more would be infected in turn, which is why a self-propagating attack can saturate a network in very few generations. That number alone should be enough to focus our minds on the threat we are facing.
If more evidence were needed, the potential organisational consequences for financial advice firms are many. A single data breach could result in significant financial costs through capital losses, regulatory fines for a breach of standards and market detriment, increased insurance costs or a failure to be re-insured, and the cost of remediating capital, systems and controls.
Reputational and strategic
In addition to the financial and commercial damage, there is also the potential reputational damage to consider, where valuable client trust, often built up over years or decades, is compromised, often irreparably. Furthermore, a cyber-attack can inflict strategic damage on a business, with the potential for disrupting business plans and causing objectives and targets to be missed.
Cyber-attacks can also come about through cyber misuse by staff. A staff member exposing their business through cyber misuse that leads to a data breach could result in a fine from the Information Commissioner’s Office (ICO) of up to £17.5m or 4% of annual worldwide turnover, whichever is higher (the higher maximum), or £8.7m or 2% of annual worldwide turnover, whichever is higher (the standard maximum).
Working in tandem with the tech and IT-led response to cyber threats, what would a behaviour-led, people-focused response to cyber crime entail?
It involves ensuring that staff are sufficiently educated to spot actual or potential cyber-attacks and that they are diligent and informed enough to be able to reduce and prevent data breach and cyber misuse events through their own daily actions.
Firms might want to gauge levels of knowledge or understanding of what the threats are and the problems cyber misuse could lead to. Here are some questions to guide thinking:
- Has your firm implemented any educational initiatives on cybercrime and, if so, how have they been measured and received?
- Have employees had opportunities to embed their learning, so that more diligent behaviours and actions become a fixed part of their day-to-day process?
- If a cyber-attack or breach of security happens, has there been clear feedback to the workforce on how the issue arose, was dealt with and how lessons can be learned and procedures improved?
Taking a people-focused approach a step further: as an industry, and as a society, we are moving more of our professional and personal lives onto technology platforms, and we are all likely to need to collaborate more effectively to limit the risk of cyber-attacks.
This could mean extending beyond our own teams to the wider community, collaborating with each other as service providers, but also potentially working more closely with clients to ensure they are educated and protected sufficiently.
The regulator sees it as the firm’s responsibility to make sure clients are acting safely from a cyber perspective. For example, if a client sends a firm their own personal data over unencrypted email, it is the firm, as the holder of that data, that could be fined, not the client. So taking responsibility for educating clients is essential and in every firm’s best interests.
Whatever form that wider collaboration takes, developing an effective way of educating staff and embedding healthy cyber-risk practices can reduce the likelihood of human error leading to a cyber-attack or cyber misuse event. Let’s heed the warning that the Covid pandemic has given us and make sure we are prepared.
Darren Mead is head of audit & risk at Progeny