Protecting your firm

Smart cyber policies needed as attacks increase in frequency and sophistication

While technology can help detect and prevent cyber crime, it is an organization’s human capital that has the opportunity to be its strongest line of defence, or weakest link.

With the growing frequency of cyber events around the world, organizations need to deploy both technology solutions and non-technical policies that enable staff to be sufficiently prepared to spot, prevent, or react to a cyber attack.

Key insights

  • Cyber crime is becoming more frequent, sophisticated, and accessible with the sale of malicious software on the web
  • While technology can help prevent an attack, humans have the opportunity to be the strongest defence, or the weakest link
  • Organizations should devise a non-technical post-attack playbook to mitigate potential reputational, financial, and regulatory risks

There has never been a better time for cyber crime

Cyber crime is a lucrative business with a low barrier to entry and a low risk of getting caught. The low cost of entry into cyber crime and the accessibility of malicious software online have increased the sophistication and frequency of attacks, as well as the cost to victims.

“Long gone are the days when you need to be technically savvy to attack an organization,” explained Laurie Pezzente, Senior Vice-President and Chief Security Officer at RBC, speaking at RBC Investor & Treasury Services’ recent Investor Forum.[1]

Like the entrepreneurs who got rich during the gold rush not by digging but by selling shovels, Pezzente says that history is repeating itself in the cyber underworld.

Estimated costs of cyber crime to the global economy are expected to grow from over USD 600 billion in 2018 to USD 6 trillion by 2021.

While the average cost of each data breach is approximately USD 4 million, that figure only accounts for the value of the stolen data, and not the damage caused to the organization’s reputation, share value, or potential regulatory fines. Resiliency to cyber attacks has therefore become an imperative for all businesses everywhere.

Not all data is created equal, and should not be protected equally

The first step towards greater cyber-resiliency is understanding the full scope of the data that might be breached. Pezzente explains that securing everything is not necessarily realistic from a cost perspective, so it is important for organizations to understand which of their assets are most likely to be targeted, and what value they have.

“It’s an exercise that first assesses and determines critical data sets, identifies the risks if that data were to be lost or destroyed, followed by a risk appetite or tolerance discussion,” she said. “If it was destroyed, what are the financial impacts? What is the potential reputational impact?”

This approach, explains Pezzente, helps organizations determine how much they should invest in protecting each individual asset, and how to react in the event of its theft.

Defending against cyber crime: people and technology

Humans are both the strongest defence against cyber attacks and the weakest link, according to Pezzente. The most common avenue for attack is not a weakness in data protection technology, but human error. At the same time, Pezzente points to the Bangladesh Bank theft of 2016 as an example of how humans are the strongest defence against attack. While cyber criminals were successful in transferring USD 81 million out of the bank, a Federal Reserve employee successfully blocked another USD 850 million by identifying anomalies, including typos, in the transfer instructions.

“As a result of one individual paying attention to what was going on inside the organization and questioning whether or not this was appropriate, they lost USD 81 million instead of USD 1 billion,” she said.

Pezzente says that she keeps her colleagues on their toes by sending monthly simulated phishing emails to RBC’s 84,000+ employees globally, which are intended to mimic common events and threat scenarios. “We hope that employees don’t click, but in the event that they do, they get in-the-moment training on how they could have identified that particular email as a phishing email,” she said.

Not only has the organization gotten better at passing her tests over the years, but it has also become better at identifying phishing emails from genuinely malicious sources.

If attacks are inevitable, responses should be well rehearsed

As cyber crime becomes more common, more accessible, and more sophisticated, Pezzente believes it is not a matter of if, but when. As a result, organizations have no excuse for being caught flat-footed in the event of a breach, and that applies to teams outside the IT department as well.

“The real playbook is how you’re going to deal with the business damage associated with this incident,” she says. The non-technical response playbook, according to Pezzente, should include a plan for communicating the situation to employees, customers, and authorities, and instructions on how to respond to a range of hypothetical scenarios.

“How would you respond if you were given a ransom note from somebody who has stolen your data?” she asks. “Are you going to pay the ransom? It’s important that you think these things through long before an incident happens.”

Cyber crime is often considered an IT problem that requires an IT solution, but technology is only one part of the equation

Identifying the true value of digital assets and protecting them accordingly can enable organizations to make better use of their cyber security budgets, and help them better prepare for managing an attack. Organizations should also strive to encourage strong cyber hygiene across the entire organization by sharing insights on how employees can avoid inadvertently enabling an attack through early identification and preventative action. Pezzente concludes that, “Becoming cyber resilient in the golden age for cyber crime requires a company-wide solution.”

Sources

  1. RBC Investor & Treasury Services’ Investor Forum (May 8, 2019), “Building a Cyber-Resilient Organization”