Even though cyber crime is not tangible in the way real world crime is, the risk of cyber crime is at least as high, and the consequences of a cyber attack are often far more severe. I will use the term “real world crime” to refer to any criminal act with a material component: car theft, hijacking, house robbery, mugging and so on.
In real world crime (as opposed to cyber crime) physical assets can be stolen or destroyed. As bad as this is, the loss of a physical asset, whether stolen or destroyed, usually carries very little chance of reputational damage and, excluding worst-case scenarios, very little chance of business failure. In most cases organisations are also correctly insured for the replacement value of the asset. As an example, if an organisation loses a motor vehicle to theft, it is typically adequately insured against this loss and the insurance will cover the book value of the asset.
This is often not true for cyber insurance. Far too many organisations have no cyber insurance at all, and those that do are often woefully underinsured. This is partly due to organisations failing to understand the full cost of data loss or theft: not only the cost of recovering the data, but also regulatory fines, class action lawsuits and reputational damage. It’s an unfortunate truism that with cyber crime it’s the victim that is seen to be at fault, and the victim that then pays for the subsequent damages.
Our first question today then is: Why are organisations under-insured for cyber crime? I will attempt to answer this later in the article.
Organisations that suffer a data breach and are later found to have had poor cyber security in place are rightfully scorned in the media and suffer increased reputational damage. Many organisations that handle sensitive data have limited cyber security in place, yet these same organisations may operate out of secure offices with 24/7 security guards, alarm systems and sophisticated locks to protect their physical assets! A professional office such as a law firm, architectural practice or real estate broker may only have a few thousand dollars’ worth of assets on site, but hold hundreds or thousands of sensitive electronic records about its clients on its computer systems.
Which leads us to our second question: Why are organisations spending significant amounts on physical security and virtually nothing on cyber security when the financial loss of a cyber attack is potentially orders of magnitude greater?
Why then are organisations under-insured for cyber crime, and why are they under-spending on cyber security? The answers lie somewhere between three issues: a failure to understand the threat of cyber crime; the cognitive difficulty of appreciating that digital assets are also assets; and, unfortunately, the tendency of cyber security firms to present problems and solutions in a technical manner rather than in a manner that is meaningful to business decision makers. Let us unpack each of these issues.
The failure to understand the threat of cyber crime: Cyber crime represents a real and growing threat worldwide. I could quote numbers, but these numbers are quoted everywhere, and yet the failure to understand cyber crime as a real threat remains. Why? Humans are adapted to perceive threats in the physical world; throughout our lives the dangers that cause us harm are of a physical nature. We trip and fall, burn our hands on hot surfaces, suffer injury in vehicle accidents, and some of us are physically attacked. When we become adults we acquire assets, and members of our family, our friends and our peers all suggest we insure those assets, often with their own anecdotal tales of the losses they suffered over the years. In short, we are born into and grow up in a world with a multitude of physical threats, with a constant mindset of physical loss and of how to protect ourselves from the financial effects of losing physical assets.
Cyber crime is different. Few of us know anyone in our close circle of friends, family and peers who has been a victim of cyber crime, which makes cyber crime seem like something that “happens to other people”. Add to this the fact that society tends to blame the victim of cyber crime for being fooled; in other words, we tend to think “it won’t happen to me because I am too smart to fall for that scam”. The reality is that we are fooling ourselves: cyber criminals are masterful con artists, and cyber crime syndicates can be billion-dollar enterprises. These vast enterprises are constantly looking for new victims and have considerable resources at their disposal.
Digital assets are assets: Increasingly the world is becoming digital. Most of us no longer carry large amounts of cash, but use credit cards and other forms of electronic payment. Artwork is moving to the digital realm. We meet online in virtual rooms rather than boardrooms. We shun face-to-face communication and send each other WhatsApp messages (sometimes even when we sit next to each other!). The world is becoming digital at an increasing pace, yet we still focus on securing and insuring physical assets only. Consider what would happen if the computer or phone you are reading this blog post on suddenly stopped working and could not be recovered. Are your digital assets (work documents, policy schedules, tax information, family photos, etc.) backed up somewhere safe? How current is that backup? What if your machine were hacked and the data encrypted, including your cloud data? How would you recover these digital assets, and more importantly, what would your losses be if they were lost forever? Even if total loss is remote, what personal information is on your device that could cause you reputational damage if leaked? A meeting in your personal calendar for a job interview next week that a cyber criminal threatens to send to your current boss? Sensitive emails from your last medical check-up that you don’t want shared? Photos of a more private nature? Your banking passwords or bank statements?
Digital assets are extensive – we live increasingly digital lives. Spending a few minutes considering our own digital assets will help us appreciate the extent of digital assets in our organisations – and hopefully will reinforce how vulnerable we are to data loss, data theft and data spying.
The role of technical experts: Technical experts who do not understand business needs and business language can cause a lack of buy-in when it comes to cyber security and cyber insurance. Discussions around cyber risk and cyber insurance need to be presented in a manner that supports business risk management and aligns with business objectives. Both cyber security and cyber insurance need to be in place to protect the business, financially and reputationally. Business leaders are well versed in risk management, so technical people need to present risks and solutions in “business speak” and then compete for a share of already stretched budgets.
In conclusion, organisations need to start recognising that cyber crime is a real world crime in which everyone is a potential victim. The risk of extortion has risen substantially as a result of legislation protecting personal information: cyber criminals who manage to steal personal data from an organisation gain leverage from the legal requirement for breached organisations to declare the theft, and from the potentially heavy fines that follow. Organisations need to treat digital assets as real assets, with a realistic estimate of the replacement value of that data if it is irretrievably lost, as well as the potential financial consequences of that data falling into the wrong hands. And finally, technical consultants need to exchange technically complex presentations for business-aligned ones when seeking budget approval; technical discussions should be kept for technical meetings.