A Game Of Cat And Mouse: Outpacing Cyber Threats Across Industries

Grappling With the Risks and Rewards of Digital Agility

Aon’s recent Global Risk Management Survey highlights cyber threats as the number one risk faced across industries.¹ Threats such as business email compromise, supply chain disruption, and sophisticated malware such as ransomware attacks, leave no organization – regardless of size or industry sector – exempt from cyber risk. And the risks are only compounded by the need to delicately balance the rewards and efficiencies of digital agility in a volatile market with the need for enhanced network visibility and security controls. Whether organizations accelerate rapidly through regulatory pressure, competitive motivations, or in response to environmental crises, they must assess their digital capabilities and cyber resilience to mitigate against the exposures created by change.

For many organizations in industries with significant potential for data exposure, the threat of regulatory penalties and potential reputational damage necessitates a high-level baseline of cyber maturity. In turn, this forces the need for continual iteration of digital infrastructure and security controls to combat increasingly adept hackers. But when organizations go too far or too fast in digital agility, their business infrastructure can become entirely based around complex supply chains, creating many gateways for security threats. Organizations that digitally accelerate by partnering with multiple external technology partners and third-party vendors may be putting their digital security at heightened risk, which must continually be mitigated. Unforeseen external factors such as global pandemics or uncertain geo-political climates also contribute to cyber risk and may accelerate digital transformation programs – creating additional threats to organizations with less mature digital infrastructure and cyber hygiene.

This article explores how these challenges are explicitly impacting the life sciences, financial institutions, technology, media and communications and food, agribusiness and beverage sectors.

Life Sciences – Security is the Best Treatment

Characterized by complex global supply chains, analytics firms, and clinical research organizations, the life sciences industry faces a multitude of cyber risks which often result in the targeting of critical data by threat actors.

Exfiltration of sensitive information and theft of intellectual property (IP) is a top concern in the life sciences sector, whether those threats come from malicious insiders, hackers affiliated with government or activist groups, or ransomware. After experiencing an uptick in mergers and acquisitions in recent years, the sector also faces security risks around migration of data when consolidating systems. But the risk is not just financial. Cyber security breaches in medical device and MedTech organizations can be life-threatening to those who need immediate or constant supply of equipment, such as pacemakers and insulin pumps.

For the life sciences industry, these concerns are not new. Many industry-leading companies have already pushed for significant investment in cyber security, including advanced tooling, as well as investments in people, development of processes and other resources. But there remains more work to be done for companies wanting to stay one step ahead of dangerous threat actors.

Services such as Red Team Testing and Adversary Simulation (along with traditional penetration testing) can help simulate an actual cyber attack and support the identification of threats and vulnerabilities before they become a reality. An organization’s security controls – especially those newly implemented – must be validated through testing and assessment. Insider risk assessments are also recommended to assess and mitigate the growing threat of malicious intentional insider threat actors.

Financial Institutions - Tight Measures for Valuable Data

Amid inflation, a climate crisis and extended economic contraction, financial industry leaders single out cyber threat as the most serious threat to financial institutions (FIs) and the wider banking system. As financial institutions are bombarded with attacks and breaches, they face frequently amended regulations which aim to establish heightened standards of cyber security and incident response.⁴

The intrinsic need for better cyber security in the FI industry is the primary driving force for its development. Given the significant volume of confidential personal identifying information (PII) and valuable financial data stored electronically, FIs have traditionally been subject to some of the most stringent regulatory requirements governing the privacy and protection of data. And the consequences of failing to adhere to these requirements continue to grow. Federal and state regulators are increasing the use of fines, penalties, and in some cases, criminal prosecution if organizations fail to comply and maintain adequate cyber security controls. This puts a significant pressure on organizations to implement cyber security measures that are continuously updated to comply with regulations as well as current cyber security best practices.

But for financial institutions, the reputational risk of a cyber event can dwarf even the most significant of fines, as the safety of assets is the foundation of any bank’s value proposition. Outside of the typical security controls, FIs often lead industry adoption of new cyber security trends, while striving to be regulatory compliant, avoid fines, and keep capital secure. FIs embracing innovation are looking towards hybrid architectures leveraging cloud-based solutions. But the migration to cloud or software as a service (SaaS) based services, rather than keeping information in house, may expose companies to a greater risk of cyber threats and data breaches.⁵

As with any technology innovation, the overall convenience and benefit of introducing new solutions to manage security while enhancing the consumer experience can also introduce new risks. Frequent assessments should be conducted by FIs to address cloud security infrastructure as well as third party assessments to examine the cyber security controls of vendors, suppliers, and partners. With constant evaluation of cyber security solutions, FIs can turn security threats into an opportunity for overall better cyber maturity.

Technology, Media and Communications - Calling for Better Security Systems

Systemic risk is one of the most critical concerns in the technology, media and communications sector as technology companies continue to grow and develop their service offerings. As technology companies are highly integrated with many buyer and partner systems, exposure is heightened due to internal systems being interconnected with third party vendors. Technology, Media and Communications (TMC) organizations need to maintain advanced cyber risk controls to adhere to customer expectations and avoid reputational risks. As consumer competition is rife, customers will simply switch devices or providers if they believe their privacy data is at risk. Application testing and source code review can help companies in the TMC sector identify potential “bugs” and vulnerabilities that could put customer data at risk.

The TMC sector is especially vulnerable to major exposures attributable to distributed denial of service (DDoS), malware and privacy breaches. Whether infiltrating SaaS products or stealing IP, attackers prey on intimately ingrained customer systems and network integration, data sharing, operational supply chain or the product outsourcing functions of organizations. This industry also faces pressures from insurers who are strict on best-in-class controls, including heightened scrutiny around network monitoring and privileged access management.

Ensuring the strength and effectiveness of not only internal network security but also the security of critical vendors and supply chain ecosystems is an important focus area across the TMC sector. It’s important to find a balance of security controls that allow organizations to have clear visibility across their cyber risk, whether the build-out of services is managed in-house or utilizing the support of third party vendors. All resources should be trained on security best practices, and frequent assessments and check-ins should be conducted with internal and external resources to ensure that all applicable security policies and procedures are followed.

Food, Agribusiness and Beverage - Protecting the ‘Secret Sauce’

Often viewed as a hazard class of business from insurers, underwriting scrutiny and pricing can be higher in the Food, Agribusiness and Beverage (FAB) sector than in other industries. This can lead to organizations facing a dilemma when it comes to business capital. In this sector, we often see a more conservative implementation of cyber security measures, which many times is met with heightened scrutiny of their organizational security controls by insurance carriers to even be considered for coverage. This forces businesses to then reassess their conservative position on the overall cyber program, and leads to a rapid bolstering of their cyber protection credentials in order to be deemed insurable.

There are many risks that can arise from the FAB sector’s class of business. Certain clients have significant IP in their recipes and formulations, which needs to be evaluated from a strategic perspective when considering protection of brand reputation. In addition, supply chain vendors, automated systems for distribution, internal invoicing and customer information are all at risk of being disrupted and encrypted by threat actors– leading to large business interruption costs. This risk is further compounded by the fact that many FAB organizations are dependent on legacy systems which may be at – or beyond – end-of-lifecycle and particularly vulnerable to attack.

FAB sector supply chains are often global, highly complex, and heavily automated with high stock keeping unit (SKU) volumes. Often operating on enterprise resource planning (ERP) platforms such as Oracle and SAP with built in lean/Just-In-Time processes, FAB organizations face disruption due to infiltrating digital supply chain information and ransomware attacks. These types of unexpected disruptions are an industry-wide concern, with unplanned downtime estimated to cost organizations $260,000 per hour, with some organizations reporting 800 hours of downtime annually.⁸

Due to high-profile ransomware attacks in recent years, FAB organizations are waking up to the necessity of upgrading their internal cyber security controls. But the growing sophistication of threat actors demands that progress should be made at a significant pace.

Base level security controls such as endpoint detection and response (EDR) and multifactor authentication (MFA) should be added and fine tuned to an organization’s specific environment. Similarly, FAB organizations should confirm the existence of specific incident response (IR) plans addressing what to do in the event of a cyber incident and updating, where appropriate. Conducting Employee Training/Phishing Simulations and continuously testing their systems and controls through Table Top Exercises, Penetration Testing and Threat Hunts also helps businesses to be more resilient to attacks. Not only will the enhancement of security controls aid in fending off and mitigating a cyber attack, it will also help FAB organizations better their position for coverage in a challenging cyber insurance market.

Planning Your Next Move In Cyber Security

Regardless of industry, organizations need strategies and effective skills in order to both simulate cyber threats and defend against them. Training employees on how to approach and respond to cyber challenges, while also gaining a comprehensive insight into the exposures of the business, will better enable organizations to acquire the right coverage. Accessing the right talent and insurance will mitigate risk – protecting businesses from present and future exposures.

Despite their respective level of cyber maturity, all organizations face growing challenges around the assessment of digital infrastructure, transfer of data, as well as the reality of cyber attacks and ability to recover. Businesses should engage in continuous review, improvement, and investment in security – guided by data – to gain a head start in the race for better cyber solutions.

In volatile markets, businesses cannot afford to stand still and leave behind the opportunities emerging technology presents to increase market access and improve efficiency. Instead, they must find a steadiness to their pace of technological change that enables them to manage the significant cyber risks along the way. Collaborating with an experienced global consultancy enables organizations to achieve industry-leading protection and readiness against cyber threats across geographies, industries and projects.

Organizations must give attention and consideration to:

• Incident response
• Insider threat risk assessment and robust testing
• Proactive services to mitigate the risk of cyber attack
• Preparedness and management of ransomware, malware and wire fraud attacks
• Improved risk allocation via a combination of cyber consulting and risk transfer through insurance options
• Developing employee value propositions and innovative digital recruitment processes to assist with cost-effective acquisition of diverse technology talent necessary to protect assets

As organizations face cyber threats, business and IT leaders are under increasing pressure to maximize return on security investment. Organizations have the responsibility to not only put cyber solutions in place to protect their business, but also to ensure the security of their people and customers.

How Aon Can Help

Cyber Loop Methodology
Cyber Threat Hunting
Adversary Simulation

Featured Topics on Cyber Resiliency

Cyber Resilience

¹ Aon’s Global Risk Management Survey, 2021
² Aon’s Managing cyber risk in Life Science organisations – a survival guide
³ Cybercrime To Cost The World 8 Trillion Annually In 2023, Cybersecurity Ventures, October 2022
⁴ New York State Seeks to Raise the Bar on Cybersecurity for Financial Services Providers, Including Certain Fintech and Cryptocurrency Companies, Lexology, November 2022
⁵ Cloud computing dependence imperils banks, FT, November 2022
⁶ Cybersecurity and data are key disputes concerns in 2023, BakerMcKenzie, January 2023
⁷ Cybersecurity in the food and beverage industry: A reference framework, Science Direct, October 2022
⁸ The Hidden Cost of Downtime in Food Processing, Worximity, October 2021