A friend of mine asked me the other day if the cyber-risk threat was a bit of flimflam designed to sell more insurance policies. When I asked him to expand on that most interesting comment he proceeded to compare cyber-risk to the Red Scare of the 1950s when families scrambled to build bomb shelters to protect them from a war that never came. The only ones who got rich back then were the contractors, he proudly concluded.
I found his question incredible given the world we live in, not to mention his peculiar analogy. But realizing he didn’t work in the commerce stream, per se, quelled my impulse to slap him around.
So I shared with him some statistics that sobered him up quickly. I explained that cyber-crime costs the global economy over $400 billion per year, according to estimates by the Center for Strategic and International Studies; and each year over 3,000 companies in the U.S. have their systems compromised by criminals. IBM reports more than 91 million security events per year. Worse yet, the Global Risks 2015 report, published in January by the World Economic Forum (WEF), included this rather stark warning: “90 percent of companies worldwide recognize they are insufficiently prepared to protect themselves against cyber-attacks.”
Cyber protection is not just about deploying advanced cyber threat technology to manage risk; you also have to educate your employees not to fall victim to unassuming scams like phishing, which is stealing private information via e-mail or text messages. It remains the most popular con for stealing company data because it’s so painfully simple: just pretend to be someone else and hope a few people fall for it.
While most people understand the threat to data privacy for retailers, banks, hospitals, and miscellaneous financial institutions, few realize that manufacturers are also vulnerable in terms of property damage and downtime. In 2014, a steel manufacturing facility in Germany lost control of its blast furnace, causing massive damage to the plant. The cause of the loss was not employee error, but rather a cyber-attack. So while property damage resulting from a cyber-attack is rare, the event was a wake-up call for manufacturers worldwide.
According to The Manufacturer newsletter, “the rise of digital manufacturing means many control systems use open or standardized technologies to reduce costs and improve performance, employing direct communications between control and business systems.” This exposes vulnerabilities previously thought to affect only office computers. In essence, according to The Manufacturer, cyber-attacks can now come from both inside and outside of the industrial control system network.
Manufacturers also need to be concerned about cyber-attacks that would (a) interrupt their physical supply chain and/or (b) allow access to their system via a 3rd-party vendor, and they need to take steps to mitigate those risks. When Target and Home Depot were hacked several years ago, it wasn’t a direct attack on them but an attack on one of their 3rd-party vendors. By breaching the vendors’ weak cyber security, the criminals were able to access the larger prize.
To circle back to my friend’s weird fall-out shelter theory, it’s certainly a good idea to have a back-up plan in case one is hit by a proverbial “cyber-bomb.” But rather than hunker down and wait for the attack to occur, it’s critical to be proactive by educating employees, vetting vendors’ cyber-security, and adopting, and continuously optimizing, a formal cybersecurity program.
The views expressed in this article belong to the author, Dan Holden, and are not an editorial opinion of Risk & Insurance.