‘Emotional, smash and grab, volume’ cyber attacks a growing challenge to APAC firms, IT security expert tells StrategicRISK Australian risk clinic
A recent gathering of more than 50 risk and insurance professionals at Sydney’s Hilton Hotel heard that targeted attacks on specific industries or companies were a large and growing problem in the Asia-Pacific region.
Paul Black, Symantec’s leader of Incident Response Services in Asia Pacific, warned that a so-called ‘Ocean’s 11’ attack could quickly put a company out of business.
Black added that ransomware attacks – in which victims were held to ransom to regain access to their systems – were generally “emotional, smash and grab, volume” events that also had the potential to cause serious disruption within corporations.
He then gave some real-world examples that illustrated the threat this type of attack posed to companies.
Blindfolded, aware or prepared?
Black then went on to describe the three general organisational approaches to incident response:
The Blindfolded: “It will never happen to us” (organisation operates in ‘crisis mode’ but is not ‘crisis ready’);
The Aware: “We don’t want to be the next headline” (such as the retail industry in the USA);
The Prepared: “Attack is inevitable” (incident response plans are updated, not just left on the shelf).
Black’s presentation also examined whether traditional penetration testing had become an outdated practice and if employees were, as is commonly believed, the weakest link in a company’s cyber risk mitigation effort.
He advised that firms needed to concentrate their efforts on devising specific plans for specific scenarios, formulating technical response plans for all systems, and assigning clear roles and responsibilities.
‘Quality and passion’
In a subsequent panel discussion chaired by StrategicRISK’s Asia editor Jessica Reid, it was suggested that cyber risk insurance was an immature product in our region and, as such, the quality and passion behind the risk mitigation was of utmost importance.
It was generally agreed that cyber insurance policy uptake was still low in the region, especially compared to that in the USA.
It was suggested that there was little or no risk modelling for cyber risk, so it was difficult to accurately price premiums. “Experience comes with time,” one participant commented, “so exposure is the only way… and even that is hard to gauge.”
Other topics discussed included how risk managers could incorporate internal stakeholders into their programme and achieve buy in; breaking down the silos and bringing functions together; and how to reduce the disconnect between boards and their IT departments.
The StrategicRISK Sydney risk clinic was sponsored by AIG and Swiss Re Corporate Solutions.