How much of the success of malicious cyber exploits can be attributed to an absence of a state of readiness for most US businesses?
Despite the considerable volume of research and market studies produced recently on the topic of cyber risk, little, if any, statistical information can be found on the actual level of business and/or organizational readiness to deal with cyber assault.
PWC’s US Cyber Security Survey for 2015, titled “US cybersecurity: Progress stalled”, reports “[a] record 79% of survey respondents said they detected a security incident in the past 12 months.” This statistic can be read as a sign of cyber risk readiness. It is difficult to detect malicious cyber activity without a foundation of cyber risk readiness, is it not?
But, proportionately, how significant is this segment of the 500 executives included in the survey? PWC reports “[in] fact, respondents from large businesses detected 31 times more incidents than small companies”. This is a very large number, and it points to a pronounced disparity in cyber risk preparedness between large and small businesses. Since the majority of businesses are small, we can envision a panoramic landscape of US business exposure, at least as of the end of 2015 (which is the end date for this PWC survey), for cyber bad actors to exploit, almost at will.
It is also important to consider the implications of the PWC statistic cited above. Simply because almost 80% of respondents reported detecting unauthorized cyber activity does not mean their organizations successfully defended themselves against the threat. The PWC summary of highlights from the study doesn’t include statistics on failed vs. successful efforts to defend against this malicious activity. But a statistic quoted from “security firm” Gemalto points to a veritable explosion of unfortunately successful malicious cyber activity in 2014: “Globally, a record 1 billion data records were compromised in 2014.” We are now in 2016. One shudders to think of the number of compromised data records likely to be reported when PWC completes its annual survey for 2016.
Cyber risk assessments can help, first, by increasing the number and type of businesses brought up to a state of readiness to address the possibility and probability of malicious cyber attacks. Knowledge is, of course, power. So adopting an annual comprehensive review of operational and financial points of potential exposure to malicious cyber activity is a useful method of surfacing security holes and the questionable processes likely to dig them up.
Secondly, cyber risk assessments can also be used to design better defensive strategies against the threat of cyber attack. These assessments usually shed light on how business procedures interconnect, so the job of identifying the points of exposure requiring remediation becomes a manageable task rather than a daunting job of shooting in the dark.
Your organization may need to find a successful approach to instituting a regular cyber risk assessment process. If you would like to take a first step in a “right direction” on this topic, please let me know. I am working with a group of seasoned risk management professionals with a new offer for businesses in need of a cyber risk assessment procedure. You can reach me by posting a comment to this story, or by email at email@example.com. I will be happy to discuss your needs with you on this topic.