
As more companies adopt and upgrade technology to speed up the transfer of information, they create game-changing business opportunities but also increase their cyber risk, the global professional services firm Aon Plc says in its 2019 Cyber Security Risk Report.
"2018 will be remembered as the year that cyber risk truly affected Asia with some of the largest data-breach and business-interruption losses emanating from the region," said Andrew Mahony, regional director for commercial risk solutions with Aon Asia.
To maximise cyber-resilience, the Aon report says, businesses need to be looking both inward and outward. Internally, they must understand the threat posed by employees and the increasing rate of claims being made against directors and officers.
"Externally, while being aware of malicious actors, understand your exposure to supply chain risk and the importance of verifying third parties' cybersecurity, particularly when considering mergers and acquisitions," said Mr Mahony.
Leaders must work to better insulate their companies and processes, while simultaneously identifying the ways they can benefit from the opportunities offered by digital transformation, said Jason Hogg, chief executive of Cyber Solutions at Aon.
Organisations must also recognise the need to share threat intelligence, not only across their own network but with others as well.
"While it may seem counterintuitive when thinking about cybersecurity, collaboration within and across enterprises and industries can keep private data of companies and individuals alike safer," said Mr Hogg. "Working together can result in improved efforts to hunt bad actors, while also raising the bar and making all parties more prepared for the inevitable day when a disruption does happen."
EIGHT RISK AREAS
The Aon report focuses on eight specific risk areas that companies may face in 2019. They illustrate how, as organisations make the transition to a digital-first approach, the "attack surface" of global business can expand rapidly and sometimes in unexpected ways.
In other words, the number of touchpoints that cybercriminals can exploit within a business is growing exponentially. Among the highlights from the report:
Technology: From publishing to automobiles, industries are facing new, evolving business and service models. These new opportunities, however, bring with them a radically different set of risks, which organisations will need to anticipate and manage as they continue the digital transformation process.
Supply chain: Two prevailing trends will heighten cyber-risks dramatically: one is the rapid expansion of operational data exposed to cyber adversaries, from mobile and edge devices like the Internet of Things (IoT); and the other is companies' growing reliance on third- and even fourth-party service providers. Both trends present attackers with new openings and require board-level, forward-looking risk management.
IoT: IoT devices are everywhere, and every device in a workplace now presents a potential security risk. Many companies don't securely manage or even inventory all the IoT devices that touch their business, which is already resulting in breaches. As time goes on, the number of IoT endpoints will increase dramatically, facilitated by the forthcoming transition to 5G. Effective organisational inventory and monitoring practices will be critical.
Business operations: The attack surface expands greatly as connectivity increases, making it easier for attackers to move laterally across an entire network. Further, operational shortcuts or ineffective backup processes can make the impact of an attack on business operations even more significant. Organisations need to be better aware of, and prepared for, the cyber-impact of increased connectivity.
Employees: Employees remain one of the most common causes of breaches. Yet employees likely do not even realise the true threat they pose to an entire organisation's cyber security. As technology continues to affect every job function, from the CEO to the entry-level intern, organisations must establish a comprehensive approach to mitigate insider risks, including strong data governance, communicating cybersecurity policies throughout the organisation, and implementing effective access and data-protection controls.
Mergers and acquisitions: While a company acquiring another business might have a flawless approach to cybersecurity enterprise risk, there is no guarantee the M&A target has the same approach in place. Dealmakers must weave specific cyber security strategies into their larger M&A plans if they want to ensure seamless transitions.
Regulatory: More laws, rules, regulations and standards related to cyber are designed to protect and insulate businesses and their customers. The pace of cyber-regulation enforcement increased in 2018, setting the stage for heightened compliance risk in 2019. Regulation and compliance, however, cannot become the sole focus. Firms must balance both new regulations and evolving cyberthreats, which will require vigilance on all sides.
Boards of directors: Cybersecurity oversight is a growing priority for directors and officers, but expanding personal risk for the organisation's leaders is raising the stakes. Boards must continue to expand their focus and set a strong tone across the company, not only for actions taken after a cyber-incident, but also for proactive preparation and planning.
For more on the Aon 2019 Cyber Security Risk Report, visit https://aon.io/mrTopCyberRisks