
Deloitte: All businesses are at risk of cyber attack

Brett Henshilwood of Deloitte Bermuda

Being a small and remote island is no defence for Bermudian businesses against cyber attacks.

That is the warning from Brett Henshilwood, Deloitte’s Bermuda enterprise risk services director, following a report by the global consulting firm that suggests that virtually all organisations will be attacked via the internet at some point.

Deloitte Global found that today’s C-suite must deploy a cyber-defence that is secure, vigilant, and resilient. Entitled ‘Global Cyber Executive Briefing’, it concluded that “virtually all organisations will be attacked so C-level executives need to better understand their biggest threats and which assets — typically those at the heart of their business’s mission — are at the greatest risk”.

Mr Henshilwood said: “It is easy to assume that being tucked away on a small island like Bermuda, we are at less risk from cyber-attacks; but cyber criminals operate without borders and organisations within Bermuda must be prepared and ready to respond in the event of an attack.

“In a highly connected world it is not possible to be 100 percent secure against an attack, but it is possible to reduce the impact to an acceptable level. Organisations can become more cyber resilient by understanding the threats they face; detecting a threat at an early stage; and having sufficient response plans in place in the event of an attack.”

The report examines threats and vulnerabilities across seven key sectors: high technology, online media, telecommunications, e-commerce, insurance, manufacturing, and retail. It outlines potential for attacks, reasons and possible scenarios and potential impact to business.

“People think cyber-attacks are confined to specific sectors. In reality though, any organisation that has valuable data is at risk,” said Ted DeZabala, cyber risk services leader, Deloitte Global.

“Not a single sector is immune to this. Knowing the value of your data, the value of that data over time, knowing the potential attacker, their resources and motivation, are some of the first steps in making business decisions about adequate protection.”

According to the report, being secure starts with tackling weaknesses in applications and reinforcing the digital infrastructure. Organisations that are vigilant should subsequently be alert and identify any attacks as early as possible. Being resilient involves early-stage identification of the direction of a threat, the reason for such threat and how it will manifest itself. Rapidly detecting an attack can spur an organisation into action so it isolates and removes the threat.

Highlights of the report, including threats by sector, include:

• High Tech: Consistently a target for attacks with the biggest threats being loss of intellectual property (IP) and hacktivism (the use of computers and computer networks to promote political ends, chiefly free speech, human rights, and information ethics). Threats are also used as a stepping stone to attack and infect others.

• Online media: Has the greatest exposure to cyber-threats with ones that cause reputational damage topping the list. Threats are also used as a stepping stone to attack and infect others.

• Telecommunications: Facing increased, sophisticated attacks, including by Government agencies using Advanced Persistent Threats (APT) to establish covert surveillance for long periods of time. Another critical threat unique to the telecommunications sector is the attack of leased infrastructure equipment, such as home routers from Internet Service Providers (ISPs).

• eCommerce: Database breach — i.e. loss of customer data, including names, physical addresses, phone — and online payment systems are vulnerable areas often attacked. Denial-of-service attacks also top the list, particularly by hacktivists that want to disrupt an organisation in a highly visible way.

• Insurance: The sector typically has a lot of sensitive data to protect. Cyber-attacks are growing exponentially as insurance companies migrate toward digital channels, with sophisticated attacks combining advanced malware with other techniques such as social engineering. While current attacks appear short-term, the report predicts the number of long-term attacks may be silently growing.

• Manufacturing: Seeing an increasing number of attacks by hackers and cybercriminals, as well as through corporate espionage. Types of cyber-attacks in manufacturing vary widely, from phishing to advanced malware, targeting not only IT but also connected Industrial Control Systems.

• Retail: Credit card data is the new currency for hackers and criminals. Insider threats in retail are increasing, giving rise to a new breed of criminals that focus on stealing information — especially the valuable cardholder data that flows between consumers and retailers.

The Deloitte findings are in line with those of top Bermuda bankers who say they expect cyber attacks to happen.

This was among the findings of the fourth edition of Insights, which includes the 2014 KPMG Banking in Bermuda Survey and the Roundtable: Discussions with the CEOs of Bermuda banks, reported on in yesterday’s Business section of The Royal Gazette.

KPMG noted that cyber security and the resultant business and reputational risk have made their way onto the board, audit committee and C-level executive agendas.

BCB CEO Peter Horton told the round-table: “This is a key reputational risk faced by banks globally. It is vital to maintain the trust of customers, and banks need to do what they can to ensure this. Even small banks must be aware and be prepared for attacks that happen on a daily basis.”