Although companies are highly dependent on information technology, many underestimate the risks of cyberspace. Companies face costly business interruptions caused by viruses, malware and hacker attacks.
IT Risks - doing business in cyberspace
Hacker attacks on Sony’s PlayStation network, data theft at Citigroup or website outages at Adidas: well-known public victims of hacker attacks are drawing wider attention to cyberspace risks. No industry or company can expect to be left unscathed by cyber criminals, or to avoid being hit where it hurts.
Information technology (IT) has long been the backbone of business. “Most companies are highly dependent on digital processes – and this dependence will continue to increase,” says Professor Markku Wilenius, director of the Futures Research Center at Turku University in Finland. No bank or mail-order company would survive a total failure of its central IT system lasting several days. No vehicle can be designed, manufactured or delivered without software. No power plant can be operated without IT control systems.
Network outages, manipulated or lost data and restoration costs result in immense consequential costs for affected companies, not to mention the possible revenue losses and damage to the companies’ images with customers and vendors. “A one-hour business interruption can result in financial losses ranging from €100,000 to €3 million – depending on the company’s size and how seriously critical business applications are affected,” explains José Fidalgo, risk engineer at Allianz Global Corporate & Specialty (AGCS).
Cyber attacks are on the rise, and are becoming more and more sophisticated. The Symantec Internet Security Threat Report recorded 286 million malware threats in 2010 and revealed that attacks on websites had increased by 93 percent over the previous year. Lonely teenage computer nerds are no longer the only ones attacking companies: “Professional hackers are at work here. A real market for viruses and malware has emerged,” explains Thomas Dübendorfer, President of the Information Security Society Switzerland, highlighting the trend toward organized crime.
Experts are primarily concerned about the increase in targeted, complex attacks, known as advanced persistent threats (APTs). In these types of attacks, hackers do not target a single weak spot. Instead, they combine different modes of attack and infiltrate the networks of companies and organizations to steal proprietary information, bring production lines to a halt or reroute transactions. The techniques employed by the hackers are extremely varied. But they have one common feature: they cannot be detected by “normal” security functions, such as firewalls or antivirus scanners, much less prevented.
Industrial facilities are also targeted
The computer worm “Stuxnet”, which was discovered in 2010, is a prime example of how systematically hackers work. Stuxnet was specifically created to sabotage the control systems of Iranian nuclear facilities. After the Stuxnet attacks, the IT security systems of industrial facilities, production lines and power plants increasingly moved into the spotlight. Security experts watched with concern as secure Internet connections for data transfers were added to previously isolated SCADA (supervisory control and data acquisition) systems used to control industrial facilities. This theoretically opens the door for hackers, especially as SCADA systems’ security functions lag far behind those of commercial IT systems.
Many companies seeking more protection against cyberspace risks
To protect themselves from cyber attacks, many companies are upgrading their firewalls, virus scanners and antispam solutions. External and internal honeypot systems are the latest trend. Practically no attacker or malware program can resist these seemingly unsecured networks. Deutsche Telekom has successfully sent hackers down the wrong path with these traps. “We record several hundred thousand attacks each month. Around 50,000 to 60,000 new computer viruses, Trojans and other forms of malware are added to that every day,” says Thomas Tschersich, head of the IT Security Department at Deutsche Telekom. In contrast to conventional security programs, honeypots are self-learning. “They detect attacks, analyze them and integrate the attack schemes into our detection process.”
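The feedback loop Tschersich describes (record probes against the honeypot, analyze them, feed the recurring attack schemes back into the production detection process) can be shown in a few lines. The following Python is an added example, not Deutsche Telekom's code: the log format, the sample log lines, the RFC 5737 documentation addresses, the thresholds and the Snort-style rule output are all constructed assumptions chosen to illustrate the idea.

```python
"""Honeypot observations -> detection indicators (added illustrative example)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed line format of a hypothetical honeypot listener:
#   <timestamp> src=<ip> proto=<tcp|udp> dport=<port> payload="<text>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>[\d.]+) proto=(?P<proto>tcp|udp) '
    r'dport=(?P<dport>\d+) payload="(?P<payload>[^"]*)"$'
)

# Constructed sample log: one noisy source, one repeated web probe, one benign hit,
# and a malformed line to show that attacker-controlled input must not crash the parser.
SAMPLE_LOG = """\
2011-09-01T10:00:01Z src=203.0.113.7 proto=tcp dport=22 payload="SSH-2.0-libssh"
2011-09-01T10:00:02Z src=203.0.113.7 proto=tcp dport=22 payload="SSH-2.0-libssh"
2011-09-01T10:00:03Z src=203.0.113.7 proto=tcp dport=23 payload="USER root"
2011-09-01T10:00:04Z src=203.0.113.7 proto=tcp dport=80 payload="GET /phpmyadmin/ HTTP/1.1"
2011-09-01T10:00:05Z src=198.51.100.20 proto=tcp dport=80 payload="GET /phpmyadmin/ HTTP/1.1"
2011-09-01T10:00:06Z src=198.51.100.20 proto=tcp dport=80 payload="GET /admin/config.php HTTP/1.1"
2011-09-01T10:00:07Z src=192.0.2.9 proto=tcp dport=80 payload="GET / HTTP/1.1"
this line is deliberately malformed and must be skipped
"""


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    proto: str
    dport: int
    payload: str


def parse_events(text):
    """Parse honeypot log lines; silently skip anything that does not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # untrusted input: never let a bad line abort the analysis
        d = m.groupdict()
        events.append(Event(d["ts"], d["src"], d["proto"], int(d["dport"]), d["payload"]))
    return events


def build_indicators(events, min_events=3, min_sources=2):
    """Derive two kinds of indicators from what the honeypot saw.

    block_sources: addresses that hit the trap at least `min_events` times
                   (nothing legitimate should talk to a honeypot at all).
    signatures:    (proto, port, payload) probes seen from at least `min_sources`
                   distinct addresses, i.e. a scheme worth matching in production.
    """
    per_source = Counter(e.src for e in events)
    sources_by_probe = defaultdict(set)
    for e in events:
        sources_by_probe[(e.proto, e.dport, e.payload)].add(e.src)
    block = sorted(s for s, n in per_source.items() if n >= min_events)
    sigs = sorted(k for k, srcs in sources_by_probe.items() if len(srcs) >= min_sources)
    return {"block_sources": block, "signatures": sigs}


def to_snort_rules(signatures, base_sid=1000001):
    """Render signatures as Snort-style rules (illustrative; adapt to your IDS)."""
    rules = []
    for i, (proto, dport, payload) in enumerate(signatures):
        content = payload.replace('"', "").replace(";", "")  # keep rule syntax intact
        rules.append(
            f"alert {proto} any any -> $HOME_NET {dport} "
            f'(msg:"Honeypot-derived probe"; content:"{content}"; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    indicators = build_indicators(parse_events(SAMPLE_LOG))
    print("block:", indicators["block_sources"])
    for rule in to_snort_rules(indicators["signatures"]):
        print(rule)
```

Two design points are worth noting. Requiring a probe to come from several distinct sources before it becomes a signature keeps one scanner's idiosyncrasies from polluting the production rule set, and treating the log as untrusted input (skip, never crash) matters because every byte in it was chosen by an attacker.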
IT security awareness underdeveloped
Such beacons of light should not detract from the fact that IT security awareness in many companies remains underdeveloped. An IT security approach that analyzes the individual threats is the order of the day: What data are sensitive? What potential attacks does the company face? How long could the company survive without functioning IT services? AGCS Risk Engineer José Fidalgo helps his clients identify and assess individual IT risks. “The IT organization’s degree of maturity and its security strategy determine the level of residual risk,” he explains. Certifications can help to minimize these risks. To deal with the remaining risks, AGCS offers its clients a modular insurance solution for IT service disruptions that covers a client’s own losses as well as third-party losses. “Many companies are not insured against third-party losses,” explains Jürgen Weichert, liability expert at AGCS. After all, conventional business liability insurance does not cover system failures or the loss of customers’ or vendors’ data.
Cyber insurance common for US companies
While the European market for IT insurance is still developing, many companies in the United States already have liability policies covering data loss. This is because US companies are required to inform their customers about security breaches. The introduction of similar regulations is currently being discussed in EU member states including the UK. “No company wants to make headlines with an IT failure,” says Evelyn Rieger, underwriter for engineering risks at AGCS. “But increased media attention is making many companies more aware of their own vulnerabilities.” More and more clients are seeking advice in the area of IT protection. The focus of this advice is mostly on prevention, but it also covers estimating the cost of different outage scenarios. Rieger is open to the idea of a risk dialogue, but also warns against overemphasizing digital risks: “Social media and cloud computing make one thing clear: the digital environment presents companies with a unique opportunity. We can’t let ourselves be swayed by the fear of new risks.”