The Cyber Crystal Ball: The human element is the weakest


Cyber risk is one of the greatest threats to security., An event in Zurich on 12 June 2018, hosted by the Institute of Risk Management Switzerland Regional Group, entitled “The Cyber Crystal Ball” outlined the latest threat vectors to cyber security and reviewed ways in which companies can act to protect themselves against cyberattacks. The event took place at the premises of XL Catlin, sponsors of IRM Switzerland Regional Group.

At the centre of the event was a tour d’horizon of the current cyber threat landscape by Rik Ferguson, Vice President of Security Research at Trend Micro.

Rik is one of the leading experts worldwide in information security. He is a Special Advisor to Europol EC3, a project leader with the International Cyber Security Protection Alliance and was inducted into the Infosecurity Hall of Fame in 2011.

Rik outlined the many new risks that have appeared in the last year arising out of both the analog and the digital worlds. He pointed to chemical spray drones in the agricultural sector and the ever-increasing use of RFID chips in logistics and the potential for ransom at key points such as airport baggage-handling, etc. Smart Cities are particularly prone to cyber attacks, where traffic and so much else is routed or controlled via the Internet.

Autonomous cars are also a serious potential cyber threat for example, where terrorists might hack and amend the manufacturer software and thereby weaponise whole fleets of cars.

Of special interest were his comments around human identity and how this can already be copied digitally. A little research and the use of artificial intelligence (AI) make it possible not only to study a person’s behaviour on social media but also to recreate a person’s digital identity. Rik postulated brand new social engineering techniques, which would make it possible to fake people’s digital identity in videoconferences.

He also drew the audience’s attention to the decline in ransomware attacks from 1.1 billion in 2016 to 631 million in 2017 and to a decline in disclosed breaches from 813 in 2016 to 553 in 2017. However, in these instances less is more, as the number of affected records rose from 3.3.billion to 4.9 billion.

Rik made the point that with the introduction of GDPR on 25 May 2018, a whole new ransom method was made possible, whereby criminals on the one hand will sell hacked data to third parties and at the same time ransom the hacked companies with a threat to inform the GDPR authorities of the hack, should they not pay up.

Some of Rik’s key takeaways were: assume compromise/fail securely; what you see is what you check; always consider the misuse case; listening is learning; security is a process not a destination; and security should be business focused.

After Rik’s presentation, Hendrik Jauer, Head of Financial Lines at XL Catlin, gave a brief presentation on cyber risk from the perspective of the insurer. 2017 saw a massive increase in submissions and new policies purchased. Every new loss situation that hit the headlines, for example Wannacry, seemed to produce additional interest in obtaining insurance quotations. In Switzerland, the interest was greatest in the logistics and life science industries.

A panel discussion involving Rik Ferguson, Martin Tang, Zsuzsanna Kunzst, Chief Legal Officer of XL Catlin and Hendrik Jauer followed the presentations. GDPR was a hot topic.. It is currently too early to tell what direction this will take, though for sure within a year there will be established cases and most likely some severe examples set in individual cases. Cyber security is both an IT security issue (20%) and a risk culture issue (80%), the latter involving the training and motivating of your employees not to hit the red button in the phishing e mail. The motivation best needs to stem from culture and self-preservation as opposed to compliance.

The evening ended with a drinks reception with the guests engaged in extensive networking on the top floor of the XL Catlin building, with stunning views over Zurich. Over 45 risk management professionals attended the event with the highest attendances so far from C-suite/Director level individuals (22%) and Head of ERM or Cyber or equivalent (20%).

Those who attended the NTT Security Information Security event in Frankfurt a week later on 19-20 June were delighted to listen to Rik again, this time as the opening keynote speaker at a summit with 600 attendees.