Escalating Cyber Security Risks Mean Businesses Need to Build Resilience

Cyber Resilience

This insight is part 11 of 11 in this Collection.

September 28, 2023 | 10 mins

As cyber threats continue to increase it is vital that businesses build ongoing operational cyber resilience to help assess, mitigate and transfer risk, and recover should an attack occur.

Key Takeaways
  1. Threat actors continue to develop cyber threats that are more sophisticated and often a challenge for businesses of all sizes.
  2. Cyber security is no longer a one-off, point-in-time exercise. Businesses need a model that continuously evaluates their cyber posture.
  3. Cyber resilience can be achieved through a linear approach: assessing, mitigating and transferring risk, then pre-planning so the business is ready for when things go wrong.

Technology touches nearly every aspect of business. As new threats continue to emerge and threat actors grow in sophistication, mitigating cyber risk and building cyber resilience are ongoing challenges for businesses of all sizes. During Cyber Security Awareness Month Aon will be highlighting four key elements within the cyber resilience journey – assess, mitigate, transfer and recover.

Global Cyber Leader Christian Hoffman and Cyber Chief Trust Officer Kate Kuehn begin the month by looking at how organizations can work to build strong cyber security practices — which can help build overall operational cyber resilience:

  • As we move into Cyber Security Awareness Month, how can businesses stay ahead of growing cyber threats and build the right resilience model?

    Christian Hoffman: Cyber risk is business risk, first and foremost – therefore it is essential for risk buyers and chief information security officers (CISOs) to have a solid relationship with their boards and the C-suite and understand how their company’s business initiatives tie back to cyber security.

    That said, cyber security is no longer simply a point-in-time exercise — businesses need a model that reevaluates their cyber posture on a continuous basis.

    That’s because cyber evolves quickly, often faster than other risk exposures a business faces. Threat actors continue to enhance their tactics and businesses are encouraged to create a resilient structure for the best possible defense, and then continuously reevaluate it.

    Kate Kuehn: Let’s take the ransomware threat as an example. After five quarters of declining frequency in late 2021 and 2022, ransomware attacks rebounded in the first six months of 2023 with a 176 percent frequency increase, according to Aon data. We’re seeing many circumstances that may have caused that lull, but the risk was always present, and threat actors continue to figure out new attack methods. It was critical that businesses didn’t think that the risk was mitigated because it is back.

    Artificial intelligence is also being used to automate attacks, scan surfaces, and generate realistic-looking phishing content. AI has helped threat actors innovate and develop new attack strategies, enabling many of them to stay a step ahead of cyber defense strategies.

  • Building cyber resilience is a constant process. How should risk managers and CISOs use that thinking when building their cyber security program?

    Kate: You’re right that the journey does not end. The cyber resilience journey has a financial component from a risk transfer perspective, a technical component, a human component and there is also a compliance or regulatory component. You must consider all four when looking at the journey holistically and realize that, given the non-static nature of business, there will never be a beginning and end to resilience.

    Resilience can be achieved through actions that include linear thinking – starting with assessing and identifying where risk lives within your organization and its cyber impact. And then taking proactive steps to mitigate that risk. That’s where leveraging brokers and security controls to understand what a mature security posture can look like helps you go from assessing and identifying risk to actually creating risk transfer solutions like cyber insurance. And then making sure you have a holistic program in place and also pre-planning to be ready for when things go wrong.

    Christian: Cyber resilience also needs to be looked at from a holistic view of compliance, and whether you are doing the things to help ensure that your organization is not only cyber mature but also aware of regulatory and external pressures and artificial intelligence and how they're going to be impacting both opportunities for digital disruption within your industry and from a cyber perspective.

    From a risk transfer perspective, applying scenario-based financial modeling and applying that to building an insurance program that is bespoke to a particular organization, including the risks it has, the industry it is in, and the challenges it faces. Then ultimately, you’re using all that information to build an informed risk program, including transfer, retention, captives, etc.

  • Throughout Cyber Security Awareness Month we will provide deeper dives into the four points of the cyber resilience journey. Can we get your take on each point here?

    Christian: Sure, and it is important to note that organizations may start at any of the four points depending on where they are in their current cyber security journey:

    • Assess: Throughout an assessment, data and insights are collected and examined to understand how security controls directly impact balance sheet exposure. An assessment can then help you make strategic decisions on what risk to avoid, mitigate or transfer in the context of an organization’s mission, culture and risk appetite.
    • Mitigate: A gap often exists between understanding the technical risk of an identified vulnerability and the related financial exposure. A cyclical approach to risk mitigation can bridge this gap, enabling organizations to make risk-informed decisions and implement changes (or fixes) that can enhance security maturity and help maximize return on security investment.
    • Transfer: Genuine risk transfer and risk acceptance that safeguards the balance sheet is a cyclical, objective exercise that engages stakeholders from across the organization. Quantifying maximum probable cyber losses enables senior stakeholders to understand the magnitude of potential losses and what those losses might constitute. Armed with this knowledge, businesses can make decisions around risk-bearing appetite and the levels of risk transfer.
    • Recover: While a cyber attack itself might be short-lived, its impact can last much longer, and the road to recovery is often complex. Advance preparation is key to enable a business to activate a response quickly and successfully. A full recovery needs to quantify the impact and manage third-party and insurance claims to help ensure maximum recovery of costs and get to a goal of a cashflow-neutral position. Immediate response, containment and investigation need to be combined with assessing operational and financial impact, presenting insurable losses to advance the claims process, and supporting third-party and regulatory claims – all measured and aligned to business objectives.

  • Let’s also get your perspective on the human aspect of cyber defense.

    Kate: People remain the easiest target and also the best defense in cyber security. We are all too often the simplest way for an attacker to gain access to systems and networks, but we are also the first line of defense in identifying suspicious activity that can lead to a breach. As a result, cyber security first and foremost has always been about people, and that is even more important now that we are in an extended hybrid work environment.

    Nearly half of all compromises are due to human error: employees clicking on a link in a phishing email, reacting to a business email compromise message that falsely appears to come from an executive, and more. Training and creating a culture around cyber preparedness is incredibly important. HR leaders should be brought on board to reinforce the importance of periodic training, and to support frequent, clear communications.

    Christian: A key component of cyber defense is to create a top-down culture of compliance throughout the organization, inclusive of cyber security, working across all human resources specialties including onboarding, learning and development and change management. Every person in an organization must have an awareness and understanding of the role they play in the company – cyber culture is often one of the best lines of defense for an organization.

    Make sure it is known that the organization takes security seriously and has a zero-tolerance policy on breaches of compliance and security protocols. Cyber security is about protecting the greater good. The end goal is to build a resiliency model where people approach cyber security in their everyday lives – both personally and in the business.

  • AI is changing cyber security for threat actors and defenders. What can businesses be doing to help counter that?

    Kate: The reality is that artificial intelligence has been around for more than 50 years, and the opportunities we see to enhance digital innovation and digital disruption are now being realized across many organizations, though many have been in production for over a decade. Whether it's helping prevent data leaks, make decisions, or supporting things like precision agriculture, autonomous vehicles, or helping relieve traffic congestion, AI is here to stay. And we're seeing a major shift in how we're leveraging AI from traditional machine learning to rapid advancements around generative AI and Natural Language Processing.

    However, as we continue to innovate with all types of AI, so do the threat actors. They are leveraging it as well to look for vulnerabilities and exploitations in code, to automate attacks, generate authentic-looking phishing content, to break passwords more quickly, and more. There are two sides to the coin.

    If companies don't start adopting more holistic methodologies around AI and how they approach looking at opportunities and risks from a cyber perspective, they may find they're going to miss the boat because many of our adversaries already are there.

    Christian: It’s important that we demystify AI and teach people about its evolving human threats to us. Meaning, we must understand how AI impacts human psychology and exploits human behavior, which in turn further can heighten the security risk.

    That’s why teaching people – professionally and personally – to think about resiliency and the steps that must be taken is so key. Every time someone sits behind a computer they should be thinking about cyber resilience as a way of life.

    As AI continues to become more mainstream, I also want to stress the importance of establishing business governance practice with the policies, procedures and controls to help ensure that AI models are developed in compliance with regulatory and ethical standards.
