Interviews

Cyber risk, business risk and cost

by Mark Rowe

Cyber risk is a business risk, says Colin Tankard, pictured, Managing Director, at the cyber and IT security company Digital Pathways.

There are constant published reports showing that all forms of organisations are being exposed to cyber risk and given that much of it is handled online, cyber risk has become an inevitable part of doing business. In fact, a recent Enterprise Strategy Group (ESG) study found that 82 per cent of organisations believe it has increased over the past two years.

Furthermore, the ESG Report found that cybersecurity is seen as complex and too often discussed in technical terms, rather than a business risk. This highlights a significant challenge for today’s security leaders as to how they can help non-technical stakeholders understand how cyber risk translates into business risk, and the cost associated with a breach.

To effectively link cyber risk to business risk and cost, CISOs and other technology leaders, need a quantification framework that allows them to report to the Board and other non-technical stakeholders, in a language they understand. By quantifying cyber risk financially, CISOs can analyse cyber risk in the same way that organisations look at all other types of risk: in terms of its impact on financial targets. This process puts the intangible nature of cyber risk into a tangible business context – helping stakeholders understand the organisation’s potential financial exposure, due to various risk factors and impact scenarios.

To provide a meaningful understanding of the cyber risk to the business, various data points need to be examined from a mix of technographic data, firmographic data, cyber insurance claims data and cyber scenario probability calculations, which will form the model to simulate the financial exposure across multiple types of cyber events and impact scenarios the organisation could face in an efficient and easily repeatable way.

Benchmarking

Diligence risk vectors show the steps an organisation has taken to prevent attacks. Data is available that evaluates SPF, DKIM, TLS/SSL, Open Port and DNSSEC information in assessing an organisation’s security diligence. All diligence records are evaluated as one of the following: good, fair, warn, bad or neutral. Records are assessed using industry-standard criteria. For each diligence risk vector, an overall letter grade is calculated using the evaluations of each individual record with an overall letter grade (A-F) assigned, indicating an organisations performance, relative to others.

The grade takes into account factors such as frequency, severity and duration (for events) as well as record quality, all evaluated based on industry-standard criteria (for diligence). For example, if an organisation has three domains, and each of them has an effective SPF record, their overall SPF grade would be an ‘A’. Likewise, if none of the three domains has SPF records, their overall SPF grade would be an ‘F’.

By looking at the ratings of other, similar businesses and comparing them to the organisation’s own system reviews, it can quickly be seen how they compare and the steps that are needed to improve the position, reducing the potential cyber risk to the business.

Traditional methods

Relying on periodical penetration tests or third-party audits is not good enough, as they merely provide a snapshot of a moving, evolving enterprise and threat landscape, unable to test or convey true risk. Furthermore, since the attackers change at a dramatic pace, APT (Advanced Persistent Threats), ransomware and supply chain attacks, acknowledged traditional methods, cannot test accurately. An enterprise that makes inferences and assumptions when looking at how their people, processes, and security controls would handle any of these new hacking mechanisms, could be devastating.

Removing assumptions

To build a true view of an organisation’s cyber risk and relate that to the risk to business needs, a change in thought process is required along with a continuous security validation, in order to replace inferences and assumptions with tangible, operationalised facts. The step-change is to replace fear with facts, guesses with tangible, prescriptive steps to not only find the gaps, vulnerabilities and misconfigurations within how people, incident response plans and security controls work but, how to fix them. Most importantly, to build volition and confidence.

Employing a single methodology at each step of the attack cannot be relied upon, all possible vectors need testing. The outcome needs to be easy to follow from a technical prescriptive with remediations and clear and concise executive reports, ensuring business leaders understand the risk.

Common areas for continuous review

1. Systems
Compromised Systems are devices or machines in an organisation’s network that show malicious or unwanted software symptoms. These compromises can disrupt daily business operations and can increase an organisation’s risk of breach. Compromised systems are evaluated based on the number and type of malware, severity, and duration.

Botnet Infection events indicate that devices on an organisations network were observed participating in botnets as either bots or Command and Control servers. Botnets can be used to exfiltrate corporate secrets and sensitive customer information, repurpose company resources for illegal activities, and serve as conduits for other infections.

Spam Propagation events are observed when devices on an organisations network are sending unsolicited commercial or bulk email. This type of activity can damage an organisations reputation and cause legitimate company email to be caught in spam filters.

2. Leaked Data
Compromised data that ends up on the Dark Web can cause organisations and their customer’s significant financial loss and damage brand equity and reputation. Organisations must gain real-time visibility into Dark Web attacks so that they can act decisively, to protect their assets and customers.

3. Brand Protection / Counterfeit Detection
The trade in counterfeit and pirated goods on the Dark Web is becoming a major challenge in an innovation-driven global economy. Organisations need to have automated monitoring and analytics for investigators and IT staff to counter the sale of illicit goods on the Dark Web.

4. Data Breach Protection / Account Takeover Prevention
Employees, customers and third parties are unknowingly exposing sensitive information. Data exposure and loss have serious reputation and financial impacts and data breaches that contain sensitive information can be utilised to launch targeted attacks on both employees and the organisation.
Regular monitoring for any compromised data on Open, Deep and Dark Web sites is essential with mechanisms in place to alert, in real-time, relevant stakeholders of the risk and appropriate actions.

5. Executive and VIP Protection
Data breaches that contain sensitive information on key employees can be utilised to launch targeted attacks on them directly, or through emails directed to other members within the organisation.

Identifying key individuals’ profiles and data early, and cleaning it, reduces the risk of account takeover and potential fraud.

As budgets get tighter, the need to make sound business decisions falls on every department within an organisation. Cost and benefits need to be considered. However, some areas such as insurance can be seen as a cost with no benefit, until there is a claim. Unfortunately this often leads to insurance being underrated to keep premiums down.

With cyber risk, the issue is wider than just cost. It spans business continuity, reputation, market position and regulatory and compliance control. This makes assigning cost-benefit to cybersecurity, complex. But, by taking steps to continuously monitor the cyber posture of an organisation, against similar businesses in the same sector, can enable a return-on-investment calculation to be assigned to any data security improvement made.

Related News

Newsletter

Subscribe to our weekly newsletter to stay on top of security news and events.

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing