As a chief information officer or chief security officer, it's probably not going to be good news when your phone lights up at 2am on a cool winter's night.
The world is shrinking when it comes to the digital economy. From sniper rifles to cars to petrol pumps to Barbie dolls, the internet of things (IoT) and the uptake of cloud computing are rapidly evolving and expanding. This brings with it a wealth of opportunity and convenience, not only to individuals, but also to business and government. Unfortunately, there are those connected to the internet who would do harm and seek to steal from others who have embraced technological change and integrated their systems and businesses into the ever-changing fabric of the world wide web.
As is clear from our findings in the MinterEllison Perspectives on Cyber Risk 2015 report (the Report), cyber risk is of increasing concern in the modern business world. As part of the foundation survey on which the Report was based, we asked respondents what they perceived as the greatest exposure to their organisation resulting from a cyber attack. They answered as follows:
Our commentary in relation to these responses can be found on page 4 of the Report but it is clear that businesses perceive, and are concerned with, a broad range of potential losses flowing from a cyber attack.
In light of these results and coinciding with the launch of the Report, over the next few weeks we will post a series of blog posts setting out key areas of loss an organisation may suffer as a result of a cyber attack, and outlining some strategies that organisations can implement to assist with mitigating potential loss.
Areas that we will focus on include:
- negative brand perception and reputation loss
- business interruption
- loss of intellectual property
- regulatory action
- system repair and data loss
- personal injury and property damage
- breach of contract
- director's liability
- fraud, and
- ransom payments
We will then bring all of these losses together in an overarching case study.
General factors impacting an organisation's potential loss
Before we look in further detail at these key areas of loss, it is important to remember that an organisation's loss flowing from a cyber attack will depend on a number of factors including:
- whether data was appropriated and if so, the type – for example, was it personal information, confidential information or proprietary intellectual property;
- the organisation's own culpability in terms of implementing adequate security mechanisms and procedures to detect and prevent cyber attacks;
- the organisation's insurance coverage;
- whether systems or data were destroyed in the attack, and if so, the types of systems or data destroyed; and
- who appropriated the data and their motivations for doing so.
Businesses should keep these factors in mind as we make our way through our series.