How do you Determine which Cyber Risks are The Most Important to your Business?
Co-authored with Wayne Yan.
There is no one-size-fits-all answer to this question, as the cyber risks that are most important to your business will vary depending on your industry, the size of your company, and how interconnected your company is with other businesses and organizations.
As a business owner, you are likely aware of the many risks that come with operating a company. However, you may not be as familiar with the risks posed by cyberattacks. Cyberattacks are a growing threat to businesses of all sizes, and they can have a devastating impact on your business. There are a number of steps you can take to protect your business from cyberattacks, and it is important to be aware of the risks involved.
"Watch out!" is something commonly shouted when danger is sensed. Danger lurks around us every day; some may say that danger happens only to the unlucky. But is that so? What if there were ways to minimize the dangers you are exposed to?
Have you ever thought about what danger is? Danger is the possibility of suffering harm or injury. It is nothing more than an incident that causes damage to us. A plate falling on you from the second floor sounds pretty painful, right? But what if it is a paper plate we are talking about? Hardly worth mentioning, in my opinion. In this example, the impact or consequence of the incident changed drastically when the plate material changed.
How should you handle risk?
Risk is the possibility of loss or harm. The plate example shows that different materials falling would lead to different consequences: either getting seriously injured or not being hurt at all.
Throughout the day, we apply risk management when making decisions. When we hear a suspicious noise outside in the middle of the night, instead of investigating it ourselves, we would either choose to ignore it or call the police for help. It could be deciding whether or not to have spicy food. You probably know what level of spice your body can tolerate before it affects your digestion.
By doing so, we are managing the risk of being in danger by deciding to transfer or share the responsibility.
In the business world, danger can present itself in many forms such as financial risk, legal risk, and even cyber risk. Many business owners are so focused on making their businesses successful that they often overlook these potential dangers. Cyber risk is one such danger. Cyber risk can be defined as the probability of a threat exploiting vulnerabilities in an information system and causing harm. In other words, it is the possibility of your business’s confidential information being stolen or leaked, or of your business operations being disrupted, among other outcomes.
Risk management is all about identifying, assessing, and responding to the risks we are exposed to, and reviewing the mitigating controls.
We first need to identify the assets exposed to the risks. This includes identifying the information systems used in our business and the data stored in them. We also need to identify the people who have access to these systems and the data. This is important as it would help us to assess the risks more accurately.
Once we have identified the assets, we need to assess the risks they are exposed to. This includes assessing the likelihood of a threat exploiting the vulnerabilities in our systems and causing harm as well as the impact of such an incident.
Once we have assessed the risks, we need to respond to them. This includes putting in place measures to mitigate the risks. This could involve putting in place security controls. In general, risk management includes four responses:
Mitigating: implementing additional measures so that the impact or likelihood of the risk would be reduced.
Transferring: transferring the risk to another party such as insurance.
Accepting: deciding to accept the risk.
Avoiding: avoiding the exposure to the risk altogether.
After we have put in place measures to mitigate the risks, we need to review the controls periodically to ensure that they are still effective. This is important as the threats and vulnerabilities our systems face would change over time.
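As an added illustration of the identify, assess, respond, and review cycle described above (example code written for this page, not part of the original article), here is a small risk register in Python. The 1-to-5 scales, the response thresholds, and the sample risks are all assumptions; a real organisation sets them from its own risk appetite.

```python
from dataclasses import dataclass, replace

# Scales below are an assumption for this example: 1 (low) to 5 (high).
@dataclass(frozen=True)
class Risk:
    asset: str          # what we are protecting (identified in step 1)
    threat: str         # who or what could cause harm
    vulnerability: str  # the weakness the threat would exploit
    likelihood: int     # chance the threat exploits the vulnerability, 1-5
    impact: int         # harm to the business if it does, 1-5

    def score(self) -> int:
        """Risk score = likelihood x impact (range 1-25)."""
        return self.likelihood * self.impact


def recommend_response(risk: Risk, tolerance: int = 6, avoid_at: int = 20) -> str:
    """Map a scored risk to one of the four responses (thresholds are assumed)."""
    s = risk.score()
    if s <= tolerance:
        return "accept"       # within appetite; monitor only
    if s >= avoid_at:
        return "avoid"        # too severe; stop the activity or retire the asset
    if risk.impact >= 4 and risk.likelihood <= 2:
        return "transfer"     # rare but costly: a candidate for cyber insurance
    return "mitigate"         # add controls to cut likelihood and/or impact


def apply_control(risk: Risk, likelihood_drop: int = 0, impact_drop: int = 0) -> Risk:
    """Re-score a risk after a control (patching, MFA, backups); used at review time."""
    return replace(risk,
                   likelihood=max(1, risk.likelihood - likelihood_drop),
                   impact=max(1, risk.impact - impact_drop))


def build_register(risks):
    """Return (asset, score, response) rows sorted by score, highest first."""
    return sorted(((r.asset, r.score(), recommend_response(r)) for r in risks),
                  key=lambda row: row[1], reverse=True)


# Constructed sample register for a small business (not real data).
SAMPLE_RISKS = [
    Risk("legacy FTP server", "credential theft", "cleartext logins, no owner", 5, 4),
    Risk("customer database", "ransomware gang", "unpatched VPN appliance", 4, 4),
    Risk("finance inbox", "fraudster", "no call-back check on payment requests", 3, 4),
    Risk("payroll system", "insider", "shared admin password", 2, 5),
    Risk("website", "opportunistic DoS", "no rate limiting", 2, 2),
]

if __name__ == "__main__":
    for asset, score, response in build_register(SAMPLE_RISKS):
        print(f"{asset:20} score={score:2} -> {response}")
```

Re-running `build_register` after `apply_control` is the review step: a control that lowers likelihood can move a risk from "mitigate" down to "accept".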
Risks affect a business’s profitability
Various risk types are present when conducting business. But did you know that risks could actually affect a business’s profitability?
This is because when an incident or accident happens, businesses incur losses. These could be in the form of damaged or lost products, legal fees, and even damage to the business’s reputation. All of these would lead to a decrease in the business’s profits. It is thus important for businesses to have a good risk management plan in place.
Technology growth has undoubtedly helped us in productivity, convenience, and achievements. But it has also increased our exposure to risks.
The advancement in technology has made it easier for criminals to commit crimes such as cyber theft and fraud. This is because they can now do so without being physically present. They can also commit these crimes on a larger scale and more easily.
Threats in conjunction with weaknesses across people, processes, and technology may lead to successful cyber attacks and/or data breaches.
Cyber risks to your business should not be ignored, especially when technology plays a big role in our work and personal lives. In 2021, Bloomberg reported that one of the largest U.S. insurance companies, CNA Financial, paid $40 million in ransom after a cyberattack (Mehrotra & Turton, 2021).
In fact, everyone is a target. In 2021, 37% of global organizations suffered from cyberattacks (Kerner, 2022). A study has shown that as of the fourth quarter of 2021, the average duration for business interruption and downtime was 20 days (Johnson, 2022). We could safely say that nobody is safe from cyberattacks.
A cyber attack can lead to various business risks such as loss of data, revenue, and even customer trust. These financial losses go well beyond fines and penalties. According to IBM, the average total cost of a data breach in 2020 was $3.86 million globally, and this amount is expected to increase. IBM classifies the financial losses or associated costs related to cyber risk as follows:
Direct Costs: These are the quantifiable and tangible expenses such as incident response, forensics, legal and regulatory expenses, business interruption, and customer notifications.
Indirect Costs: These are intangible costs that are harder to quantify, such as reputational damage, brand value loss, and customer churn. It is important to note that the costs of a data breach are not limited to financial fines. A study has shown that 66% of global organizations experienced an operational disruption due to a cyberattack in 2020. This is because when systems are down, businesses are unable to operate as usual, which leads to a loss in productivity and revenue.
Data breaches are not the only type of cyberattack that your business should be worried about. There are many other types of cyberattacks that could lead to similar financial losses.
It is thus important for businesses to have a good cyber risk management plan. But risk management is not a panacea, as its purpose is to reduce and control risk exposure. After all, there is no such thing as 100% security.
Cyber risk, threat, or vulnerability: what are the differences?
A risk materializes only when a successful cyber attack occurs. Some attack examples are malware attacks, phishing attacks, and social engineering attacks. Attacks from threat actors are usually carried out for monetary gain.
There is a lot of confusion about the differences between cyber risk, vulnerability, and threat. Many people use these terms interchangeably, but they actually have different meanings.
A cyber attack is an action or event that could exploit a vulnerability and cause harm. For example, a malicious hacker exploiting a flaw in your software to steal your data would be considered a cyber attack.
A cyber threat is any type of threat that uses a computer, network, or other digital information and communication technology to target and harm individuals, businesses, or governments. Cyber threats come in many forms, including viruses, malware, phishing scams, and Denial of Service (DoS).
A cyber vulnerability is a weakness in the company’s security posture. It can be outdated software with security weaknesses, an employee unaware of phishing attacks, or a broken process that does not properly verify the identity of a payment requestor.
A cyber risk is the potential for harm that exists when there is a vulnerability that could be exploited by a threat, leading to a successful cyber attack. So, for example, the fact that your software has a flaw that malicious hackers could exploit to install data-stealing malware creates a data breach risk.
Cyber risk management is a journey and not a destination.
We hope this article has helped you understand the concept of cyber risk a little better. It is an important part of our lives and something we must all manage in order to make informed decisions.
Please check out some of our other blog posts for more information on cyber risk management and how it impacts our everyday lives.
- Johnson, J. (2022, Jun 13). Average duration of downtime after a ransomware attack from 1st quarter 2020 to 4th quarter 2021. Retrieved from statista.com: https://www.statista.com/statistics/1275029/length-of-downtime-after-ransomware-attack/#:~:text=Overall%2C%20between%20the%20first%20quarter,from%2015%20to%2022%20days
- Kerner, S. M. (2022, Feb). Ransomware trends, statistics and facts in 2022. Retrieved from techtarget.com: https://www.techtarget.com/searchsecurity/feature/Ransomware-trends-statistics-and-facts#:~:text=Ransomware%20statistics%20for%202021%20and%202022&text=It%20doubled%20in%20frequency%20in,IDC's%20%222021%20Ransomware%20Study.%22
- Mehrotra, K., & Turton, W. (2021, May 21). CNA Financial Paid $40 Million in Ransom After March Cyberattack. Retrieved from bloomberg.com: https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack#xj4y7vzkg
By Magda Chelly
Chief Security Officer | TEDx Speaker | Author & Keynote Speaker | IFSEC Global Top 20 Cybersecurity Influencer | Entrepreneur | PhD, S-CISO, CISSP, Cert SCI (General Insurance)