Allow me to introduce myself. My name is John Byrne, and I have over 30 years of experience as a financial risk assessment expert in the insurance industry.
The problems that small knowledge-based businesses encounter really became clear over the last 5 years, especially when I was researching my current start-up project, an InsurTech company providing a cyber risk management platform for cyber-aware SMEs.
I could clearly see the many problems these companies face, including the complexity of the cyber risk problem, the focus on technology solutions, the low level of adoption of people training and awareness solutions and a lack of understanding of the benefits offered by cyber insurance.
I formulated my strategy, called “The 5 Steps to Cyber Resilience”, using my experience and learning, as a simple strategy that will lead small businesses to cyber resilience. I then implemented it in my own business, and I am now teaching it to others.
My experience of cyber risk comes from both a personal and business perspective. In the late 1990s, when cyber insurance began as an add-on to professional indemnity policies, I was an underwriter at one of the leading companies involved in this area. Later in my career, when Chief Risk Officer of a Lloyd’s business, I was involved in setting the risk strategy, including any exposure to the emerging cyber insurance area.
On the personal side, in 2012, my LinkedIn account was involved in a massive data breach, and in 2013 my personal email account was hacked. I came very close to suffering a painful financial loss when my pension advisor received an urgent fraudulent email request, supposedly from me, to transfer my pension fund to a third party.
My response to these events was to change my passwords on all my online services and not to engage with social media platforms. In essence, I chose not to engage with the rapidly changing world around me that was becoming increasingly digital.
If compelling evidence was needed of the threat posed by cybercrime, the global ransomware cyberattacks of 2017 (NotPetya and WannaCry) provided it. My personal data was compromised in four of the largest global data breaches in 2018. This experience, along with the continuing data breaches occurring every year since then, convinced me that the world had changed dramatically and that living in denial was no longer an acceptable strategy. I decided to focus my attention on cyber risk.
Initially, I struggled to come to grips with its complexity. As you can see, I have a strong business background in risk management, not in technology. The technical side of cyber risk was not an intuitive subject for me. Even insurance, the area where I had relevant expertise, was challenging. Cyber insurance policies used technical, legal and insurance jargon. I could see why the take-up rate for cyber insurance amongst SMEs was low at around 10%. I decided that I would need to educate myself if I wanted to help others.
During the last 3 years of cyber-focused effort, I have created many surveys, conducted many market research interviews and interacted with the SMB community in the UK and Ireland. This has helped me establish how the owners and managers of small businesses think about cyber risk and understand the problems they face.
The last few years have brought a dramatic change in cyber risk, and the pace is quickening. I believe that every business is a digital business now, and business owners and managers must accept that digital transformation has “changed the game” for businesses of all sizes. As a result, Cybersecurity, Data Protection, Privacy and Trust are now mainstream business issues. Most recently, in 2020 and 2021, the risk environment deteriorated further when the global pandemic brought enforced and unplanned working from home to millions of workers and dramatically increased cyber risks, both personal and corporate.
It is increasingly clear to me that cyber risk will continue to increase in the future and small companies will continue to be highly exposed. Cyber resilience is the objective that all small companies should aspire to, that is, the ability to withstand the inevitable cyber incident when it happens, because it really is a matter of “when” and not “if”. It is also clear that achieving Cyber Resilience requires a journey and that starting the journey requires a Plan. I hope to help small companies create their plan.
“Cyber crime is the greatest threat to every company in the world.”
Ginni Rometty - CEO - IBM, New York - September 2015