Understanding Cyber Risk and how to Manage it
Cyber risk is the largest business risk in the world. According to the Allianz Risk Barometer, no industry and no company of any size is immune from the negative effects of a cyber incident. So what is a cyber risk? It is any event that can lead to data breaches, financial loss, reputational damage, or disruption of operations as a result of the failure of an organization’s technologies and procedures. Directors and officers have a fiduciary duty to protect the business’s assets, yet most boards are mystified by cyber. That is simply no longer an option.
Without proper cyber risk management, organizations open themselves up to a variety of cybercrime, with consequences ranging from compromised personal data to economic and reputational fallout. As the privacy and data security landscape changes in the US and Europe, companies are feeling the effect of poor compliance. Marriott’s recent breach, in which hackers stole the data of 339 million guests, landed the company with a fine of almost £100 million. British Airways was also fined £183 million over its 2018 breach. With GDPR enforcement in full swing, businesses can no longer take a passive role when it comes to cyber risk management.
In order to manage these risks, organizations must first assess the vulnerability of their digital assets in connection with their people, processes, tools and systems. Done correctly, cyber risk is a quantifiable metric: it lets a business see everything that touches its digital assets, and that visibility allows it to formulate an effective strategy that increases the cyber resiliency of the organization.
Typical Cyber Risks Businesses Face
- Ransomware is a type of malicious software designed to scramble your data and then extort a ransom to release an unlock code. Ransomware is already on track to hit $11.5 billion in damages for 2019.
- Cyber espionage steals classified or sensitive data or intellectual property without the knowledge of the owner, in order to gain an advantage over a competing company or, more concerningly, a government entity.
- Employee negligence and poor cyber training are responsible for many data breaches. Negligence includes weak passwords, poor hygiene on personal devices, or leaving a work phone or laptop at a cafe. While protecting a company’s technology is crucial to protecting its data, so are well-developed processes, procedures and staff training.
- Third-party risk accounts for 63% of reported breaches. The organization that owns the data bears the legal and reputational ramifications of the breach. Target settled its 2013 data breach for $18.5 million, a fraction of the $202 million Target says the breach cost. Hackers stole 40 million credit card numbers, making this third-party breach one of the biggest in history.
- Theft of intellectual property can involve any type of financial, business, scientific, technical, customer or engineering information that is regarded as proprietary. While cyber-attacks targeting personal information garner the most media attention, IP theft is emerging as a serious risk for organizations and intellectual property owners.
Cyber Risk Management More Important Than Ever
- Expanding Attack Surface. More attack surface means more breaches. The total digital resources exposed to threats, including software, networks, infrastructure, clouds, devices and applications, are increasing at an alarming speed. There has been a 600% increase in internet usage, from 0.5B users in 2001 to over 4.1B users in 2017.
- Regulation Enforcement. Recent fines dealt out for GDPR violations prove how seriously governments are taking the cyber threat and that they are ready to enforce penalties when companies do not comply. A privacy breach or misuse of an EU citizen’s personal data can draw fines of 4% of annual revenue or €20m, whichever is higher. Outside the EU, certain US states are following in GDPR’s footsteps by establishing privacy laws and cyber regulations.
- Internet of Things. Gartner forecasts that 14.2 billion connected things will be in use in 2019, and that the total will reach 25 billion by 2021, creating vast amounts of data. As interconnectivity and data sharing create new opportunities for information to be compromised, businesses must become aware of the increased threats and invest in the security of these devices.
Managing your cyber risk does not need to be a daunting task. While complex, looking at cyber risk from a business perspective and quantifying your risk in terms of financial exposure will help you if, and when, you do get breached. The cyber resiliency of an organization can be measured and compared against the organization’s goals and its cyber risk. Once a baseline of cyber resiliency is established, goals can be set to increase it and to reduce risk to acceptable levels. Strategies to optimize resiliency include cyber insurance, vendor cyber risk management and a continuous cyber risk management program.
Every day hackers grow more sophisticated in their attacks, new companies are breached, and new vulnerabilities are exposed. A sound, effective cyber risk management strategy is imperative for the health of a company and must be supported from the top down. Cyber incidents will still happen, but with robust monitoring, assessment and action, companies will be better prepared to deal with them when they do.