Listening to Richard Horne, a Partner at PwC specialising in Cyber Security, speaking at the BSA Conference today, it is abundantly clear that everything ‘cyber’ is proliferating. With the growth of ‘digital’ and the sheer interconnectedness of everything come significant rewards, but also greater and different risks that firms and consumers alike must face.
Who, for example, would have believed even 10 years ago that a retailer in Asia could face significant fraud losses because a refrigeration company in Pittsburgh, Pennsylvania was targeted by cyber criminals? But it happened. How? As a well-run firm, the Asian retailer (unnamed) used project management software, in this case to keep on top of a renewal of its air-conditioning systems by the US refrigeration firm. What it had not appreciated was that this software was connected to some of its core systems. The criminals compromised the US firm first, then used that connection to reach the Asian retailer’s systems, with serious consequences. The lesson is that a supplier’s access is part of your own attack surface, and a tool that links your systems to a third party deserves the same scrutiny as the third party itself.
The business reality for most companies is reliance on third party firms to deliver specific services, and in doing so you are also relying on them to deliver against your own firm’s brand promises. So a bank that uses the services of an insurance company is on the receiving end of the financial, regulatory and reputational damage when its customers suffer loss because of a data breach at the insurer.
This isn’t new, but in the cyber age it is faster, more widespread and potentially more damaging too. Consumer class actions are not unknown, and one of the challenges, because of the sheer complexity involved, is that in those all-important first 12-24 hours few of the crucial answers (who, how many, how much, and what are you doing about it?) may be known. As someone who has been involved in the communication relating to a good few crises, I know that having no or very few facts is pretty uncomfortable. If hindsight and deconstructing actions under fire are fodder for any subsequent action (and they are), prevention definitely seems the best option.
Cyber criminals are nothing if not inventive. Evidence shows that they can also be highly persistent and patient. An example from Richard Horne described an attack on a financial service provider that took 10 months to come to full fruition; it involved 500 compromised machines, 35 terabytes of data in 1,300 formats, and the analysis of 600 billion events during the investigation.
It is not surprising that in the PwC/CSFI Banking Banana Skins report, cyber-crime is one of the biggest risks identified by financial services leaders across the world. It is no longer just about cyber security and building the security walls around your business ever higher. It is also about considering the different ways the risk actually manifests today: in the culture of an organisation; in its people, the DNA of its employees; in data management and business and IT architecture; as well as in technical controls. Some of the biggest challenges come from legacy systems and the integration of acquisitions.
Having a response plan that spans Legal and Regulatory, customer and communications, as well as the IT stream, is essential. The response needed to this threat is huge and ever-evolving.
Thank you Richard for a hugely illuminating and thought provoking presentation. Copies of the slides will be available on the BSA Conference 2016 website in the next few days.