Cyber and Physical Threats Are Colliding

Source: 2015 Ponemon Global Cyber Impact Report, sponsored by Aon

In-Depth New Technology, Big Opportunities  The benefits of Internet connections are hard to overstate. For businesses, the Internet of Things offers the promise of quantified everything. Employers will be able to track productivity and leverage metrics to uncover new efficiencies. With connected sensors underpinning every square inch of an organization’s footprint — once-siloed data sets can be integrated, correlated and cross-referenced — it will become easier to identify new efficiencies and deliver new value. See Also: Cyber Threats to Watch This Year The benefits are immense – but so, potentially, are the risks. “As we move into having smart workplaces and offices, you’re really talking about a technology backbone that’s driving an organization,” says Stephanie Snyder Tomlinson, a cyber insurance expert at Aon. “What impact can that have on a business? What are the potential losses to an organization if you have a network security breach that results in property damage or bodily injury?” Digital Threats Turn Physical An unfortunate side effect to some of the highest-profile recent cyber breaches is that many people have come to regard cybercrime as solely a privacy issue. It can be far more complex than that. “If there is a failure of network security or systems,” Snyder Tomlinson warns, “there could be a resultant business income loss. It could be intangible loss in terms of loss of data information assets or, especially as we move into relying more heavily on technology and the Internet of Things, it could be tangible loss, as well.” You don’t need to look very far to get a sense of the potential risks to property and other physical assets when the Internet of Things begins to help run a workplace. As organizations grow increasingly dependent on technology to run their businesses and offices, the attack surface for cybercriminals increases dramatically. Each new device represents an additional access point for hackers. The scenarios that could result can sound like something out of a science fiction film:

• Does your building have computerized entry or elevator systems, with smartcard keys for access? Hackers could take control and lock down your building, trapping employees and visitors inside.
• Computer-controlled electricity or water supplies can be shut down, rendering working impossible.
• Connected thermostats are becoming increasingly common and could be taken over — shutting off heating in winter or air conditioning in summer, driving temperatures to unbearable levels and making your office unusable.
• Logistics servers managing orders and deliveries could be hacked, with real orders canceled, false orders placed or essential supplies redirected to the wrong locations, disrupting your supply chain.
• Factory robots could be set to destroy rather than create your products.
• HVAC systems in a company data center could be overridden, causing a rise in temperature that could render network servers inoperable.
• Fire alarm systems could be turned off just as real-world arsonists attack.

These may sound far-fetched, but are already reality. A cyber attack on a German steel mill in late 2014 caused immense physical damage after hackers installed malware on the network. “It caused the blast furnace to be unable to be shut down, leading to massive property loss,” Snyder Tomlinson says. “The property loss arose from a network security breach. It’s a perfect example of the potential risks when you have companies that are relying on technology to run their business.” Understanding the level of risk “There’s always going to be some type of access point into a network, in one way, shape or form,” Snyder Tomlinson says. “You can have the best network security possible, but as everybody says, ‘It’s not if, it’s when.’” Consequently, many companies are revisiting their approach to cyber security. Organizations previously concerned only with safeguarding client privacy and personally identifiable information are suddenly contemplating a broader loss spectrum. “We’re seeing more interest in cyber insurance from manufacturers and critical infrastructure companies, because they recognize that their exposure isn’t necessarily just about private information or the liability arising out of a breach,” Snyder Tomlinson says. “We’re going to continue to see growth in the breadth of cyber coverage over the next several years, where we’re getting into the true property space, because there is the potential to have a property loss arising out of a network security breach or a systems failure.” Snyder Tomlinson says this is why businesses need to take a holistic view of their cyber vulnerability — “Cyber risk flows through an entire organization.” A good cyber risk management framework has three key elements, she says:

1. Preparation – Identify and quantify your cyber risk exposures. Develop a breach response plan and business continuity plan. Consider taking out a cyber insurance policy, which can assist with the potential balance sheet impact of a breach.

1. Practice – Speed of response can be vital to limit damage in the event of a breach. Identify the key stakeholders within the organization and perform a tabletop scenario exercise to ensure everyone knows the role they need to play should an incident occur.

3. Execution – Engaging with appropriate vendors is critical to successful execution. An organization should have relationships with defense lawyers, a public relations firm and a computer forensics firm so that a firm can work with it to mitigate loss in the event of a breach.

With the rise of the Internet of Things, cyber crime is no longer simply about loss of information. Increasingly, you need to consider the possibility that cyber could be just as physically disruptive to your business as a natural disaster or a terrorist incident. This is no longer simply a data issue — today, property and, potentially, lives could be at stake.