A report into future cyber risks for large companies operating within Australia warns current cyber risk management is flawed due to new technology that is too complex for many to understand.
The report,
Risk Nexus – Global interconnections of cyber risk: impact on large companies, found that while larger companies must embrace new technologies, they “will likely prove to be riskier than currently assumed” in terms of cybercrime risk.
The coupling of poorly understood technologies means disruptions will likely come with increasing frequency and intensity and intellectual property will be increasingly vulnerable to theft, even for well-protected companies.
Zurich head of financial lines Australia and New Zealand, Marc Luginbuehl, said: “Even though one aspect of the system is very well understood, the links and interactions business isn’t always as familiar with other aspects of the system and that’s where the weakness often lies for cyber disruptions and attackers.”
“Larger companies need to implement board level risk management, put in place incident response and continuity training, shift toward resilience and agility and embrace technologies. These proactive strategies will ensure they are carefully managing their risk.”
“They should also push out the risk horizon to look at specialist external providers beyond their own internal technology risk management capabilities, and of course, improve cyber security – the one thing many companies don’t take far enough.”
Key findings in the latest annual Cyber Crime and Security Report 2013 from The CERT – Australia’s national cyber emergency response team – highlight this problem as one of its key findings in a range of concerns and potential vulnerabilities, stating “only 27% of organisations had increased expenditure on IT security in the previous 12 months”.
It also found 61% of organisations do not have cyber security incidents identified in their risk register, prompting the report to conclude that this may be linked with the identified need for management and CEOs to improve their IT security skills and practices – and perhaps awareness.
“The CERT report also alarmingly revealed that 54% of organisations surveyed had identified cyber security incidents on their networks in 2013, representing a 34% increase over the 2012 result," said Luginbuehl.
With many of the incidents occurring in the form of targeted emails, followed by virus or worm infection and Trojan or rootkit malware, respondents felt these cyber security incidents were specifically targeted at their organisation rather than random or indiscriminate.
Luginbuehl says larger companies only need to take a relatively small set of actions to protect against most cyber risks. They should also realise the value of cyber protection and liability insurance as part of their risk management strategy.
The full
Risk Nexus report, released as part of a series on global aggregations of cyber risk by Zurich and The Atlantic Council, can be downloaded from the Industry Knowledge section on www.zurich.com.
