Risk in Context

Cyber Risks – How They Can Originate from Your Business Network

Posted by Sek Seong Lim 16 November 2016

On October 21, 2016, a large-scale cyber attack took down many websites worldwide. The online operations of many prominent organizations were disrupted, with experts calling it an unprecedented attack.

Soon after, a telecommunications company in Asia experienced service outages affecting its home broadband customers. The internet connection disruptions were caused by targeted distributed denial-of-service (DDoS) attacks on its domain name servers (DNS). According to the telecommunications company, the attacks came from its own subscribers’ infected devices, which were turned into zombie machines that repeatedly sent queries to, and thus overwhelmed, its DNS.

As companies become increasingly reliant on digital value creation chains, cyber attacks become an even greater threat to business operations. In today’s digital world, customers, business partners, and suppliers are interdependent in a highly integrated ecommerce infrastructure, and the effects of a cyber attack can be felt across the entire commerce network. Therefore, a collaborative effort is required to safeguard all parties’ online interests.

A targeted attack in which users’ devices are seized, as in these cases, can cause widespread service disruptions. The consolation, if any, was that there were no known cases of data breaches. However, it opens up the possibility for hackers to launch similar attacks and steal or wipe out data and files from networks, and even from mobile devices.

Some catastrophic-scale consequences of cyber attacks may include:

  • Theft of data and intellectual property by hackers who gain access to organizations’ internal digital environments.
  • Control systems (SCADAs) may be seized and controlled by hackers. SCADAs are used in most process, manufacturing and utilities sectors. Many are also deployed to control essential building management systems. Many SCADAs may be too old to have their digital security enhanced to prevent hacks.
  • Stolen information or hijacked systems may be held ransom by cyber criminals. Alternatively, they may be used to commit fraud or money-laundering activities.
  • Shipping documents and transportation manifests may be stolen or altered, including for fraud or terrorism activities.
  • Valuable or sensitive goods may be hijacked or stolen.
  • Shipping vessels, aircraft, trains, or other vehicles may be hijacked or commandeered for terrorism activities.

Organizations can take proactive measures to better protect themselves and their business networks; some examples are listed below:

  • Subscribers and organizations need to patch their routers, firewalls and core network devices.
  • Subscribers and organizations should seek help from telecommunications service providers and cyber security firms.
  • End-users should also install cyber threat detection and prevention software on their devices, like antivirus, antimalware, endpoint protection and personal firewall.
  • Increase end-user training and awareness of cyber risks, like establishing better understanding that widespread wireless or Wi-Fi usage increases the organization’s exposure to potential cyber hacks.

In addition, it is imperative for organizations to understand the importance of devising a robust and resilient business and digital organizational framework, as doing so has a positive impact over time on business value creation:

  • Key to determining and prioritizing risk mitigation measures.
  • Helps to define the potential cyber threat scenarios.
  • Determines the impact, for example on reputation, liabilities, business, operations, supply chain, digital assets, physical assets, financial assets, and other stakeholders.

In conclusion, organizations and individuals can, and should, do their part to protect themselves and their business networks against cyber attacks, for example by implementing and ensuring adherence to information and cyber policies, as well as taking appropriate measures to mitigate risks. However, even with the best defences in place, cyber attackers can still succeed, and the repercussions may be catastrophic. Organizations should therefore look beyond merely building up cyber defences and also plan their responses to attacks, for example by having in place procedures for incident response, crisis management, crisis communications, business continuity, and information and communications technology (ICT) disaster recovery planning (DRP).

Marsh Risk Consulting can assist you to identify, evaluate, and rank risks. With the analysis, we can work with and guide your management and internal ICT teams to devise the most effective ways to mitigate these threats.

Sek Seong Lim

BCM & Resilience Services Leader for Asia, Marsh Risk Consulting