Cyber Risk Assessment: Do’s and Don’ts

Dr Magda CHELLY, CISSP, PhD
Published in Magda On Cyber
Apr 11, 2022

In her briefing on cyber risks to the company’s president and executive team, Barbara H. (CISO) reviewed how cyberattacks have affected businesses in the past and outlined specific steps that could be adopted to mitigate the cyber risk faced by the manufacturing company. As Barbara explained each step, she could sense that the president and executives were getting more and more engaged in the discussion. They asked questions and seemed genuinely interested in learning how they could secure their operations. Barbara felt proud to be able to help educate her company’s leaders on this important issue.

CISO reporting to Executive Team and Board Members

Such a scenario is not entirely unheard of, but it is certainly rare.

Cyber risk is the potential for harm that can come to an organization as a result of a data breach or other cyber incident. Reporting on cyber risk can be difficult because it can be hard to quantify the risks. But it’s important for organizations to understand and address their vulnerabilities so they can protect themselves from potential harm.

There are several factors to consider when reporting on cyber risk. First, you need to identify the key risks that your organization faces. Then, you need to assess the likelihood and impact of those risks. Finally, you need to develop a plan to mitigate those risks.

It’s Important for the Cybersecurity Industry to Communicate with Business Stakeholders about Cyber Risk. Unfortunately, organizations face many challenges in achieving this…

Cybersecurity, IT and DevOps, and Business are departments that traditionally operate in silos. Communication between these stakeholders is often minimal, as each party seeks to advance its own agenda in a board meeting.

For cyber risk to be communicated effectively, business leaders and cybersecurity professionals alike need to understand the concepts behind it. It should not be assumed that everyone within the business understands even the most fundamental concepts in cybersecurity.

Cyber risk is essentially the potential for harm, or any unwanted event, that leads to financial loss, disruption, or damage to a company’s operations. Due to modern technological dependencies, this risk might manifest as a failure in IT systems or as a data breach in the event of a cyberattack.

When addressing diverse audiences, expect different levels of maturity, expectations, and understanding, and address any key concepts. Avoid discussing cyber threats with business stakeholders unless it is certain that they understand those concepts and their potential implications. Move away from discussing threats such as ransomware and malware with business stakeholders, as these are not necessarily within their domain of knowledge. Instead, listen and ask questions. Identify your audience’s concerns and level of understanding.

For cybersecurity to be seen not as a business inhibitor but as a business enabler, cybersecurity professionals need to get involved in conversations about business goals, priorities and ROI. Start the conversation by understanding the business: its dependencies, its risk appetite, and the areas critical for it to succeed. Take a look at the financial statements; they will tell you which service or product the company is most concerned about. What if that gets interrupted and the business suffers?

When a shared understanding is achieved, it fosters an environment conducive for collaboration as all three groups (Cybersecurity, IT and DevOps, and Business) learn from one another.

This Helps the Different Stakeholders Align on the Risk Appetite for the Company, and Efficiently Allocate Cyber Security Budget.

For a start, a cybersecurity assessment can help businesses understand and identify weaknesses, such as vulnerabilities across people, processes and technology, throughout their environment. With evolving threat actors and changes to enterprises, some businesses might wish to take it a step further and have more control over their cyber weaknesses in real time. In that case, they can choose to stress test their security systems by simulating cyberattacks in a controlled environment, usually within the context of extended security posture management.

Bottom line is, businesses require practical visibility of what can happen in order to inform their business decisions. Business stakeholders will always seek to improve ROI. Often, this involves delivering a product or service on time per the contractual requirements so as to avoid financial penalties. However, failing to deliver may in fact be preferable to delivering risk in the form of a vulnerable product, which would be a conduit for cyberattacks on the client and incur unforeseen expenses.

That is to say, your risk is not yours alone to bear.

Most enterprises are so interconnected that cybercriminals need only find the weak link in the supply chain — usually SMEs who deprioritize cybersecurity as they have lower levels of maturity and understanding as to why cybersecurity is important — to compromise an entire ecosystem.

If your business is in any way dependent on IT (as most are), you could definitely be a target. In case of a successful cyberattack on such a highly interconnected enterprise, it might mean other companies along similar networks/supplier chains suffer similarly.

As cyberattacks become increasingly sophisticated, small and medium business owners should ditch the assumption of safety because truly, no company is too small to be a target.

Even then, simply having an understanding of one’s risk profile is not sufficient to determine a business’ risk appetite. A statement like “I don’t want to lose more than 10 million a year” provides much more clarity and utility than “I wish to assess our cybersecurity posture only once every 10 years” for instance.

Evidently, quantification can go a long way to help business stakeholders visualize the very real threat that cyber risk poses for ROI and P&L. Hence, the question to answer is: how much can you afford to lose to cyberattacks and cybercriminals?
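To make the quantification point concrete, here is an added example (not from the article) of a small risk register in Python. Each risk is assessed for annual likelihood and impact, expected annual loss is taken as likelihood multiplied by impact (a simplification assumed by this example, not a method the article prescribes), the total is compared against the "no more than 10 million a year" appetite quoted above, and mitigations are selected by loss reduction per unit of cost until the residual total fits within the appetite. All risk names, figures and mitigation costs are constructed for illustration.

```python
"""Toy quantitative cyber-risk register (added example, not from the article).

Assumption of this example: expected annual loss = annual likelihood * impact.
The 10 million per year appetite is the figure quoted in the article; all
risks, probabilities, impacts and costs below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass
class Risk:
    name: str
    likelihood_per_year: float            # probability the scenario occurs in a year
    impact: float                         # loss (currency units) if it occurs
    mitigation_cost: float = 0.0          # one-off cost of the proposed control
    likelihood_after: Optional[float] = None  # residual likelihood once mitigated
    impact_after: Optional[float] = None      # residual impact once mitigated

    def expected_loss(self, mitigated: bool = False) -> float:
        """Expected annual loss, before or after applying the mitigation."""
        if mitigated:
            p = self.likelihood_after if self.likelihood_after is not None else self.likelihood_per_year
            i = self.impact_after if self.impact_after is not None else self.impact
        else:
            p, i = self.likelihood_per_year, self.impact
        return p * i

    def reduction(self) -> float:
        """How much expected annual loss the mitigation removes."""
        return self.expected_loss() - self.expected_loss(mitigated=True)


# Constructed register for a hypothetical manufacturer (figures are made up).
REGISTER: List[Risk] = [
    Risk("Ransomware halts plant line", 0.30, 20_000_000, 800_000, 0.10, 8_000_000),
    Risk("Supplier portal credential theft", 0.50, 4_000_000, 150_000, 0.15, 4_000_000),
    Risk("Exposed OT HMI leads to equipment damage", 0.10, 50_000_000, 2_000_000, 0.02, 50_000_000),
    Risk("Laptop theft with unencrypted data", 0.40, 500_000, 50_000, 0.40, 20_000),
]
RISK_APPETITE = 10_000_000  # "I don't want to lose more than 10 million a year"


def total_expected_loss(risks: Iterable[Risk], mitigated: FrozenSet[str] = frozenset()) -> float:
    """Sum of expected annual losses, treating the named risks as mitigated."""
    return sum(r.expected_loss(r.name in mitigated) for r in risks)


def rank_by_expected_loss(risks: Iterable[Risk]) -> List[str]:
    """Risk names ordered from largest to smallest expected annual loss."""
    return [r.name for r in sorted(risks, key=lambda r: r.expected_loss(), reverse=True)]


def plan_within_appetite(risks: List[Risk], appetite: float) -> Tuple[List[str], float, float]:
    """Greedily pick mitigations by loss reduction per unit of cost until the
    residual total expected loss is within the appetite.
    Returns (chosen risk names in order, residual total loss, total spend)."""
    remaining: Dict[str, Risk] = {r.name: r for r in risks if r.mitigation_cost > 0}
    chosen: List[str] = []
    total = total_expected_loss(risks)
    spend = 0.0
    while total > appetite and remaining:
        best = max(remaining.values(), key=lambda r: r.reduction() / r.mitigation_cost)
        if best.reduction() <= 0:
            break  # no remaining control actually lowers the loss
        chosen.append(best.name)
        total -= best.reduction()
        spend += best.mitigation_cost
        del remaining[best.name]
    return chosen, total, spend


if __name__ == "__main__":
    print(f"Total expected annual loss: {total_expected_loss(REGISTER):,.0f}")
    print("Ranked risks:", rank_by_expected_loss(REGISTER))
    chosen, residual, spend = plan_within_appetite(REGISTER, RISK_APPETITE)
    print(f"Mitigate {chosen} for {spend:,.0f}; residual loss {residual:,.0f} "
          f"({'within' if residual <= RISK_APPETITE else 'above'} appetite)")
```

The greedy selection is deliberately simple: it shows the shape of the conversation (which controls buy the most risk reduction per unit of budget, and at what point the residual fits the stated appetite) rather than a full decision model, and the same structure works if likelihood and impact are replaced by ranges or distributions.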

A business with a high risk appetite might consciously choose to neglect to manage their cybersecurity posture.

That said, the scales are tipped also depending on how regulated the industry is. Cybercriminals might look to easier targets and given how heavily regulated financial institutions are, they are perhaps more prepared — a disruption in services would be immediately followed up upon — and a lesser target than non-regulated industries such as manufacturing, for example. The latter is extremely susceptible to cyberattacks as it has substantial links and dependencies upon tech and with other stakeholders in the ecosystem. The industry is getting further exposed with the convergence between IT (Information technology) and OT (Operational technology).

Manufacturing cyber risk is a growing concern for businesses, as the industrial sector becomes increasingly digitized. Many factories and plants are now controlled by computer systems, and this makes them vulnerable to cyberattacks. Malicious hackers could potentially gain access to sensitive information or even damage equipment by infiltrating these networks.

Cyber risk can refer to a number of potential risks that could occur in the manufacturing process, including the possibility of a cyber attack on the systems used to control or monitor the manufacturing process, or an incident or accident that is caused by a failure of those systems.

A cyber breach at a manufacturing company could potentially result in the theft or release of confidential information about the products being manufactured, or even worse, could allow hackers to take control of the production processes and cause equipment to malfunction or explode.

Manufacturing companies need to be aware of these risks and take steps to protect their systems from cyber attacks, and also need to have plans in place for responding to any incidents that may occur. To protect against these risks, businesses need to implement comprehensive cybersecurity strategies that include their OT environments.

We now have the capacity to drastically minimize the cyber risks associated with operating a modern business by using extended security posture management.

Watch the full video to learn more:

Have you had success communicating cyber risk to members of your organization? Let us know in the comments below, and keep in touch for our next videocast coming soon!

By Magda Chelly

Chief Security Officer | TEDx Talk | Author & Keynote Speaker | IFSEC Global Top 20 Cybersecurity Influencer | Entrepreneur | PhD, S-CISO, CISSP, Cert SCI (General Insurance)

Find out on magda-on-cyber.com
