Cyber-related crimes cost New Zealand enterprise an estimated $625 million in 2011 – and that’s probably a conservative estimate. Reporting cyber crime is, like our awareness of the problem, well behind the eight ball.
On the other hand, cyber risk and privacy insurance now pulls around US$1 billion a year in premium income for United States insurers. It probably garners similar levels of income in Europe. The US-based Betterley Risk Research Report thinks “this line of insurance could represent the biggest new product opportunity that we have ever seen”.
The internet, now the life stream of all global communication and commercial and social enterprise, is the feeder to the world’s growing cyber threat. Five billion devices access the internet. By the end of 2020 there will be 50 billion.
Businesses, government and every other form of enterprise can operate entirely within the internet, presenting literally millions of opportunities to access and corrupt organisational data. Cloud computing will further change the way in which enterprises operate and use IT technologies – causing more stewardship and security issues around the cloud’s safe housing of data of every kind.
The internet effectively controls the world’s facilitation of production, distribution and exchange. It does what communism failed to do as the controlling infrastructure of our daily working, political and social lives. The internet is as critical to the world’s operating infrastructure as water, energy, transportation, finance and food.
As cyber communication facilitates commerce and all manner of organisational activity, so it also now magnifies the impacts of human error and enhances the processes and proceeds of crime – commercial and political. “Cyberfrauds, cyberspooks, cyberfools and cybermischief-makers,” as Britain’s The Economist magazine calls them, stalk the earth and extract an increasingly heavy price from their pursuits.
What is cyber crime? Global accounting firm PwC defines it, for the purposes of its annual Global Economic Crime Survey, as an “economic crime committed using computers and the internet. It includes distributing viruses, illegally downloading files, phishing and pharming (see box story) and stealing personal information like bank account details. It’s only cyber crime if a computer, or computers, and the internet play a central role in the crime, and not an incidental one.”
According to US security and privacy claims, global cyber attacks increased 2000 percent in the past three years with more than 49 percent of them originating from the Asia Pacific region. A staggering 75 percent of organisations in this region experienced a cyber attack in the past year.
Globally, cyber crime was the fourth largest economic offence for companies last year. “Little wonder the World Economic Forum ranked cyber risk the single largest threat to global infrastructure for 2012, ahead of financial collapse, natural disaster or traditional terrorism,” says AIG Insurance NZ chief executive Cris Knell.
New Zealand business leaders must now act to reach the same level of preparedness (for cyber risk) as their counterparts in other countries, according to Knell. “Businesses worldwide are responding to the cyber crime threat. Our senior management and boards must quickly attain global standards in safeguarding their data and securing customer confidence,” he adds.
PwC agrees that business leaders should worry more and get to grips with the issues, practices and cyber risk drivers. According to its survey, cyber crime is on a fast growth track in New Zealand. We rank fourth out of 78 countries for reported economic crime. That puts us ahead of Australia, the global average and Asia/Pacific nations generally.
Almost 50 percent of PwC’s local survey respondents experienced some form of economic crime in the previous 12 months, up from 42 percent the year before. And almost 63 percent of those respondents think the risk of local cyber crime is increasing.
Cyber crime is now New Zealand’s third most prevalent economic crime. And it is a threat for which New Zealand businesses are “woefully unprepared”, according to industry experts like AIG vice president Ian Pollard, who launched his company’s new and comprehensive cyber insurance product, CyberEdge, last July.
Where do cyber threats come from? From a range of intentional or unintentional, targeted and non-targeted sources. The perpetrators are often disgruntled employees, untrained IT users, hackers, virus writers and local and global crooks. And while most threats come from outside an organisation, that trend too is changing according to PwC.
Cyber risk exists in virtually every part of an organisation, not just the IT department. Operations, sales and marketing and finance departments are all risk prone. Businesses and organisations, big and small, are exposed and vulnerable. And not every cyber risk is perpetrated by evil doers.
Malicious attacks include:
• cyber theft and fraud – including online banking fraud and credit card number theft;
• cyber sabotage and terrorism – when groups access the internet causing disarray and financial damage by hacking and spreading viruses;
• cyber warfare – government-to-government cyber attacks;
• industrial espionage – stealing confidential commercial information and intellectual property;
• hacking – by which programmers attack system flaws to access computer systems and data;
• insider attacks – often involve disgruntled employees taking revenge or acting fraudulently.
Non-malicious attacks include:
• accidental but large scale systems failures – caused by systems flaws or natural disasters;
• human error – data accidentally transferred or misplaced;
• misuse of access devices such as smart phones and tablets.
Organisations need defence plans and to be prepared for and manage both malicious and non-malicious threats to their IT infrastructures. The risk is fast growing as is the cost of failure to prepare. According to AIG’s Pollard, the average global security and privacy claim in the US is now around US$5.2 million.
There’s little local data on specific claims costs, mainly because so few New Zealand companies buy cyber risk protection insurance. About 25 percent of US companies buy cyber risk policies. The figure is probably around one or two percent in New Zealand. That is because, in large part, there haven’t been any specialist policies tailored to the cover. But it is also because of the commercial sector’s seriously low awareness of the issue.
Some basic covers apply under traditional insurance policies such as general liability, property, fidelity/crime and professional indemnity. But these traditional forms of insurance don’t adequately cover the world’s new cyber and privacy risks. They don’t, for example, cover revenue loss resulting from an intangible event like a cyber attack.
New Zealand companies will soon face a plethora of potential cyber and privacy infringement costs including operational expenses, revenue loss, reputational damage and legal bills. According to the US Unity Security Index, 75 percent of New Zealanders would stop dealing with an organisation if they believed their personal data was compromised by the organisation holding that information. And more than 30 percent of them would consider taking legal action.
Yet, according to PwC research, 40 percent of New Zealand employees never get any cyber security training. It is no surprise, therefore, that New Zealand businesses are considered among the world’s most vulnerable to cyber attack.
The problem starts at the top. Boards are particularly ignorant of their companies’ exposure to cyber risks. They seldom ask senior management to provide comprehensive and consistent audit reports on IT security, employee security practices and the effectiveness of their risk management strategies. “Sixty percent of New Zealand companies use less than fiv