By Yosha DeLong, Technical Director - Cyber
Threats posed to businesses, individuals and governments by cyber criminals are now considered to be among the most serious of global risks. By one estimate, it is projected that cybercrimes could cost over $6 trillion globally by 2021, double the $3 trillion toll in 2015.[1]
The nature of cybercrimes is changing dramatically. What began as simple “data hacks” soon morphed into such highly disruptive events as distributed denial of service (DDoS) attacks and sophisticated malware threats. As organizations firmed up defenses, perpetrators launched new and even more disruptive attacks, such as 2017’s WannaCry and NotPetya ransomware attacks. It is not difficult to imagine future attacks targeting national power grids, transportation systems and the viability of companies large and small.
Insurance solutions may help businesses round out their cyber risk resilience strategies. Zurich recently unveiled a new Cyber Insurance Policy that brings together a suite of important coverages that can be customized to help businesses fortify their risk management strategies. But no matter what insurance solutions companies may select, risk managers, their boards and C-suites must accept that risk transfer alone is not enough. To harden against cyberattacks, companies must cultivate mindsets of cyber resilience across their corporate cultures.
I recently attended a classified federal government cybersecurity briefing conducted by the Office of the Director of National Intelligence, the U.S. Department of Homeland Security and the Federal Bureau of Investigation. It also included a post-meeting discussion led by the U.S. Chamber of Commerce with business leaders from many organizations in attendance. These individuals shared concerns about cyberthreats and discussed opportunities to improve collaboration between the government and private sector.
Participants also voiced concern regarding the cybersecurity postures of middle market organizations. Large organizations are more likely to have the most robust cybersecurity infrastructures; however, we’ve seen some of the biggest firms hit with damaging, widely publicized attacks. Middle market and smaller companies are at potentially greater risk. They face the same threats from network breaches and malware as larger organizations, but may lack the same defensive tools and resilience strategies.
Much discussion focused on the federal government’s support for the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. The NIST Framework consists of voluntary standards, guidelines and best practices that organizations can use to manage cybersecurity-related risks. The purpose of the NIST Framework is to assist organizations in determining which activities are most important to assure critical operations and service delivery.
The NIST Framework recognizes the interconnections that may exist among companies and their customers, vendors and suppliers. Any one of those connections can become a point of entry into a corporate network for a cybercriminal. And not all defenses need to be sophisticated firewalls and anti-malware programs. Sometimes simply training your employees to utilize good password hygiene can be one of your most effective first lines of defense. The NIST Framework offers a wealth of ideas that companies should consider as they formulate cybersecurity strategies.
For more information about cybersecurity resilience, visit the Zurich Knowledge Hub.
[1] Morgan, Steve. Cybersecurity Ventures. “2017 Cybercrime Report: Cybercrime damages will cost the world $6 trillion annually by 2021.” 16 Oct. 2017. https://1c7fab3im83f5gqiow2qqs2k-wpengine.netdna-ssl.com/2015-wp/wp-content/uploads/2017/10/2017-Cybercrime-Report.pdf