By Randy Boss, CRA, CRM, MWCA, SHRM-SCP
CYBER RISK 2020
Applying the five steps of risk management to cyber exposures
Remember the 1983 movie WarGames, in which high school student David Lightman (played by Matthew Broderick) hacked into the “computer company”? He soon found out that this “computer company” was actually a military installation running a missile-command supercomputer called WOPR (War Operation Plan Response).
Poor David almost set off World War III by asking the computer a seemingly harmless question: “Do you want to play a game?” Unfortunately, the game—Global Thermonuclear War—was real, but of course the computer didn’t know the difference. It was just happy to have someone to “play” with.
A hacker today probably couldn’t set off a thermonuclear war. But that doesn’t mean hackers couldn’t still cause a lot of damage, waste a lot of money, and involve a boatload of grief. Today cyber hacking isn’t just a game; it’s an industry.
For every big case we hear about in the news, thousands more are occurring.
When I started my career in 1977, there was no risk of a cyber breach because there were few computers, no cell phones, not even fax machines. I did have an electric typewriter, a push-button telephone, and an AM-FM radio on my desk playing “Walk This Way” by Aerosmith. All of these were pretty “unhackable” at the time. But when Steve Jobs, Steve Wozniak, and Ronald Wayne formed Apple Computer in 1977, the cyber game changed, and not always for the best.
Fast forward 43 years to 2020 and we now have the internet of things: multiple devices, both personal and business, sending and receiving data 24/7/365. The internet was born in 1983 and became publicly available in 1991. In 1984 Bill Landreth, a.k.a. “The Cracker” and maybe the first known hacker, was convicted of hacking NASA and Department of Defense computer systems. Then it was open season, and it hasn’t slowed down since.
All this data flying around has created an opportunity for bad people to intercept it and use it to do bad things. To some it’s a game, but to others it’s their job … and they are very good at. Here are some of their successes.
According to Forbes, over the past 10 years there have been 300 data breaches each involving the theft of 100,000 or more records. Data breaches exposed 4.1 billion records in the first six months of 2019 alone. Cyberattacks are now considered to be among the top five risks to global stability, as reported by the World Economic Forum. Facebook had 540 million user records exposed on its cloud server, while Yahoo holds the record for the largest data breach of all time with 3 billion compromised accounts.
According to a new FBI warning, hackers are now targeting the U.S. automotive industry. Can you imagine what they could do if they hacked a Tesla while it was cruising down the highway on auto pilot? Add to that the risk of a hacker taking over a medical device like a heart pacemaker or an insulin pump. What sounds like the murderous plot of a Stephen King or Robin Cook novel is now close to becoming a reality. And for every cyber breach we hear about in the news, thousands more are occurring.
How do we protect ourselves? As with everything we do in business, we need a process. Imagine that your computer network is like your house. If you leave the doors unlocked or if your idea of security is hiding your key inside a hollowed fake rock, then sooner or later someone will enter your house. They may steal a few items and leave; you may not even notice. But then they could return and wipe you out. It’s the same as with your computer network. Establishing a weak password (“No one will ever guess it’s 1-2-3-4”) is like leaving a key inside the fake rock.
This brings us to the five steps of risk management, a proven process that can be applied to any risk we face. The steps are:
Identify the risk. One of the most effective ways to analyze risk is to create a checklist. We use one called IQRM (Intelligence Quotient for Risk
Management™), a quantifiable risk assessment tool that uses a systematic method to help us understand the risk issues facing a client. It also benchmarks the client’s performance against ideal industry standards.
Each module has been crafted by one or more subject matter experts. It shows how effective our client is with backup procedures, phishing training, use of encryption, investment in information security technology, robust password requirements and more.
Analyze the risk. What kinds of threats is your client facing, and how many? Is the client checking its passwords against what the experts recommend? What other threats are companies like our client seeing?
Control the risk. Recommend that your client work with an IT firm that will monitor its system 24/7 and update it because cyber thieves keep changing their tactics. Encourage your client to use stronger passwords, two-factor authorization, and employee training.
Finance the risk. Cyber insurance can be essential in helping your client recover after a data breach, addressing costs that can include business disruption, revenue loss, equipment damage, legal fees, public relations expenses, forensic analysis, and those associated with legally mandated notifications. A lesser-known benefit of cyber insurance is the important role it can play in protecting your client long before a breach occurs.
Measure the results. Did your client have a breach? Any close calls? How much time and money did the client spend to control this risk? What needs to be adjusted?
Then we start the process all over again. The risk management process is circular, not linear.
As risk advisors, we owe it to the businesses we work with to make them aware of this emerging risk and the ways they can protect themselves. When you recommend a proven process like the five steps of risk management, they will be glad you did.
Randy Boss is a Certified Risk Architect at Ottawa Kent in Jenison, Michigan. As a Risk Architect, he designs, builds and implements risk management and insurance plans for middle market companies in the areas of safety, work comp, human resources, property/casualty and benefits. He has over 40 years’ experience and has been at Ottawa Kent for 38 years. He is the co-founder of emergeapps.com, web apps for agents to share with employers. Randy can be reached at firstname.lastname@example.org.