A global leader in cyber risks who is based at Marsh HQ in New York has discussed his views on the subject after a visit to the New Zealand office last month.
Bob Parisi, managing director and national cyber risk product leader in the US, said the driver behind cyber was essentially people, processes and procedures.
He said cyber risk had evolved in just the last three years into a dual-pronged exposure and was no longer purely a privacy or data breach exposure.
Cyber risk boiled down to two basic things, he said: “The risk of handling or collecting confidential information is one aspect.
“The other aspect is being reliant upon or dependent upon technology in the operation of your business.
“All cyber risk flows from those two things.”
The other evolution was the move from treating cyber risk as an IT risk to treating it as an operational risk for the boardroom, with the size of the enterprise in question being irrelevant.
“Some of the larger breaches that have occurred in North America were by attacks based upon the SMEs used then as a bootstrap into their larger trading partners,” Parisi said.
He added: “Cyber risk is borderless. The risk of utilising technology and that technology causing harm or risk doesn’t look at country borders.
“And what we’ve seen over the last 10 years is a consistent drum beat by the traditional P&C markets that they want cyber risk to be handled by cyber risk policies.”
Meanwhile, a new PwC report on New Zealand insights from its annual Global State of Information Security Survey showed Kiwi organisations were getting the message about just how high the stakes can be, but there was still a long way to go.
While the figures showed they had far less confidence in their own information security activities (as well as their suppliers) than they did last year, PwC cyber practice leader Adrian van Hest said that was likely a more accurate picture of real versus perceived risk.
Last year, 83% of New Zealand respondents were confident or somewhat confident that their organisations’ information security activities were effective, compared to 65% this year.
The drop in confidence was even wider in the security activities of New Zealand organisations’ partners and suppliers – last year 82% of New Zealand respondents were very or somewhat confident, compared to 57% this year.
As more organisations adopt risk frameworks, they are gaining a better understanding of their risks and what they need to do to manage them. In recent years, the survey data in New Zealand has shown that high confidence doesn’t necessarily match the actual measures taken to secure information.
“The reason for this, at least anecdotally, is that some organisations say that no one has told them something is wrong so they choose to believe there is no issue,” said van Hest.
“Another reason is many New Zealand organisations trust their suppliers and believe that they will simply do the right thing when needed – despite the absence of or even the specific exclusion of security obligations from contractual agreements.
“When called upon to conduct breach assessments in New Zealand, we have identified a significant issue about 90% of the time,” van Hest continued.
“What is alarming is that our data indicates that two-thirds of breach notifications now come from outside of the organisation. The reality is until you have invested time in understanding your current state – and that this critical information is driving your security activity – you can never truly know.”
Van Hest said there was no ‘magic bullet’ for effective cyber security, and it was a journey towards a culture of security.
Like Bob Parisi, he said: “It is a path that starts with the right mix of technologies, processes and people skills.
“The organisations that will flourish in tomorrow’s interconnected world are those which recognise that good cyber security is good business; and by managing their risks, they can use digital technologies and their information assets to realise opportunity with confidence.”