Cyber is among the most rapidly evolving of all organisational risks. This is the risk of financial loss, disruption or damage to the reputation of an organisation from failure of its information technology systems. The Malta Association of Risk Management, MARM, organised a half-day cyber risk conference on 9 March that explored the growing challenges of cyber and focused on risk-based solutions, introducing delegates to the latest techniques and contacts to manage these risks.
MARM’s president, Ian-Edward Stafrace, explained that while data breaches at larger companies tend to dominate the headlines, small and medium-sized businesses are increasingly vulnerable. According to experts, their exposure is much the same as that of larger companies, yet many mistakenly believe they are too small to be attacked and may not have adequate security or response capability.
Even when security measures are implemented, there’s a chance that a hacker can find their way in and steal sensitive or proprietary information. A data breach can lead to major negative repercussions for the company.
Under new incoming cyber security and data protection rules, the EU is expecting European companies to take data privacy seriously and take action to improve their ability to withstand cyber-attacks. The first speaker, Dr. Antonio Ghio, explained the incoming obligations and risks arising from the new EU General Data Protection Regulations. These will, for example, impose 72-hour notification requirements for any data breach incidents and fines for breach of regulations of up to €20 million or, in the case of large enterprises, up to 4% of their annual worldwide turnover.
The risk is driven by increasing reliance on technology as organisations become more aware of the potential of being better connected and making more use of data. Mr Alan Alden outlined Payment Card Industry (PCI) Data Security Standard (DSS) requirements and how these can be met. PCI DSS can be considered a best practice even where data held or processed is not specifically credit card related.
Mr Donald Tabone provided his perspective and experience on the state of security as Group Chief Technology Officer of a leading local media organisation. This was followed by Mr Gordon Micallef on how to carry out a cyber risk assessment and develop a management plan.
Mr Keith Cutajar focused on data breach incident response planning, with various case studies helping delegates appreciate how such planning would work in practice. Worryingly, most firms will not know they have experienced a cyber breach until an external source notifies them. Breaches reportedly take on average 7-8 months to detect.
Having considered the threats, controls and planning, Ms Fiona Borg, Chief Operations Officer of the event sponsor Mediterranean Insurance Brokers, then explored how the residual cyber risk can potentially be financed through insurance.
As operations become more sophisticated, so too do their vulnerabilities, especially now that hackers are prepared to invest time and money in order to succeed. Increased technology reliance leads to increased business interruption potential following a cyber-incident, including incidents occurring at third-party suppliers.
2015 saw a significant rise in ransomware that prevents users from accessing their systems or data unless a ransom is paid to obtain the required key.
To the hacker it is a crime with a low chance of getting caught, with some offering their “services” on a consultancy basis to other criminals. They are getting better at social engineering, finding new ways to get people to click on links or open the attachments that will expose them to malware. A recent trend is the so-called “bogus boss” email, in which scammers create fake but plausible emails purportedly from a boss or manager, requesting that a staff member make a payment to a new supplier.
Businesses now operate in an environment where boards must take responsibility for the risk. Recognising that cyber crime is changing and set to increase in frequency and sophistication will help companies deal with its threat. Cyber security ultimately has to become a part of an organisation’s culture and it must touch every segment of that business.
Fiona Borg MIRM, DIP CII, CBCI
Chief Operations Officer
T. +356 234 33 205
M. +356 7942 1238