Few can be unaware of the ‘NotPetya’ cyberattack that struck at the end of June 2017, the repercussions of which should have caused organisations to review every existing assessment of their exposure to cyber risk.
Perhaps the greatest challenge with cyber risk is that it is a new and ever-changing paradigm, for which existing or historic models may be inadequate. Cyber risk is vast, complex, diverse and largely hidden, but has the ability to impact organisations in the most fundamental ways.
The uncomfortable realities are twofold: firstly, the interconnected infrastructure on which global businesses rely is inherently insecure and, secondly, human nature and ingenuity are at once the greatest strength and the greatest weakness. If any doubted the intensity of the struggle of ‘good’ and ‘evil’ in this arena, the launch of Operation #LeakTheAnalyst at the end of July should be a klaxon wake-up call.
For the most part, it may be assumed that organisations will be unwitting victims, although corporate espionage cannot be totally discounted. The recent events affected a broad range of industries, including food companies, law firms, shipping, banking, utilities and health. The simple conclusion is that criminals are exploiting weaknesses across the board, and both extorting money and causing significant disruption.
Supply chain vulnerability
It’s surprising that the intermodal supply chain hasn’t been more exposed and disrupted by cybercrime. In part, this may be due to the low level of transparency and reporting; it is understandable that organisations tend to be coy about the incidence and manner of cybercrime to which they fall victim.
In reality, the intermodal supply chain is particularly exposed. It is increasingly reliant on IT that links each organisation's offices across different countries, it depends on interactions with multiple third-party stakeholders, and it often operates on custom-built or proprietary applications whose security protocols may not be alert to recent vulnerabilities. Added to these, many entities will, in the ongoing economic and competitive environment, set overall risk appetites that focus on risks other than just cyber.
The impact of a cyberattack can vary vastly, ranging from simple theft or fraud, through to system or equipment control and manipulation, and extending to the release of data or intellectual property.
Many companies have reviewed email security arrangements in an effort to reduce the volume of potentially fraudulent emails their employees receive. Measures can be put in place to strengthen email sender identification prior to release into an internal email system, including ‘sender policy framework’ (SPF) validation, which confirms a message is from a legitimate domain associated with the sender company.
The human factor
However, risk mitigation techniques are not enough on their own and need to be combined with policies that address the elephant in the room: human behaviour. The structure and culture of each organisation will fundamentally impact the way in which its employees and counterparties react to cyber threats and vulnerabilities. The implementation of clear policies – including in relation to topics such as whistle-blowing – and effective, regular awareness and good practice training are necessary to combat the threat posed by careless insiders.
There also needs to be clear recognition that people have lives outside the workplace. Organisations need to consider the interfaces with devices such as smartphones, let alone the potential vulnerabilities presented through social media usage. At both personal and corporate level, a balance is required between the strength of perimeter security and its ease of use. This needs to encompass not just matters such as password/PIN complexity, but also clarity concerning connection and use of peripheral devices and USB flash drives.
Given that IT is thoroughly inescapable in achieving personal and corporate objectives, assessment of cyber risks needs to lead to mitigation that recognises that perimeter defences are insufficient on their own, and that gives focus to the human factors alongside additional detection and remediation techniques. Experience to date may yet prove to be minor skirmishes.