Last week, we presented 8 best practices for managing cyber risk. Now we're going to explain why it's so crucial to implement these strategies today. As technologies advance, risk teams are in a constant battle to protect their organizations against new threats. The most recent trend to gain attention is cyber risk. In a 2018 survey conducted by Risk.net, areas of cyber risk ranked #1 and #2 on a list of top ten operational risks.
What is cyber risk? Cyber risk is the threat of financial loss, disruption, or reputational damage to an organization due to some sort of failure from its IT systems. More details on this definition can be found from the Institute of Risk Management. Cyber risk can be an enormous threat; here are three of the reasons it’s a top concern that must be effectively managed.
1. Compliance with regulations
To match the pace of the evolving environment, governments are creating new laws and standards that organizations must meet. While they are for the benefit of consumers and society, they often require large organizational changes and failure to comply can result in costly consequences.
Data management and privacy has been of particular concern lately. With the increase of data breaches releasing individuals’ names, phone numbers, email addresses, social security numbers, and credit card information, the government is increasing the pressure on organizations to protect this data. One such example is the GDPR in the EU, which came into effect in May and promises up to €20 million in fines if privacy is compromised.
To move above and beyond compliance, organizations can proactively mitigate against cyber risk and use this as a competitive advantage within their industry.
2. Extremely high frequency
John Lupica of Chubb Insurance said that cyber risk is “The only risk where someone is trying to do real harm to your business every day”. In fact, it’s known across some industries as no longer being a matter of “if”, but “when”. All organizations are subject to cyber risk, particularly those that store highly-confidential consumer data such as credit card information. This risk cannot be entirely avoided because it's now impossible for any kind of organization to function without some technology. Logic Manager identified that the number of data breaches has increased 45% from 2016 to 2017, and this trend is expected to continue.
Hackers are becoming more common and increasingly skilled. One increasingly frequent tactic is social engineering, where a hacker tricks a person into revealing confidential information by gaining their trust or taking advantage of curiosity. For example, a social hacker may gain personal information about a potential victim and use it to their advantage, or strategically place a USB drive with a virus in the hopes that someone will connect it to their device. More information on social engineering and how to protect against it can be found in this article.
Hacking is also getting much more complex with advances in technology. Simple firewalls can no longer stand up against organizations dedicated to accessing information. This is why actively preventing cyber risk and fully educating employees is so crucial to security.
Interconnectivity and data sharing are increasingly common in today’s global environment. As organizations and employees spread across the world, there is the need for collaborative tools and remote access to data, such as cloud-based solutions. If managed properly, these systems can be just as secure, if not more so, than traditional in-house storage. However, they still have the potential to present a risk. AT&T’s latest Cybersecurity Insights revealed that 85% of organizations share data with an external party, but only 28% have standards in place to manage this risk. It’s likely that the 28% are the only organizations whose data is not dangerously vulnerable to external parties.
3. High severity
Cyber risk isn’t a threat that organizations can observe and hope doesn’t impact them. One well-planned cyber attack can put even the largest organizations out of business. Cyber risk is so severe for several reasons:
It’s underestimated by many risk teams. AT&T has shown that 65% of organizations believe they have appropriate measures in place to prevent cyber attacks, yet 80% have been victims of a successful attack. Clearly, there is a disconnect that needs to be resolved; employees must be educated on the full severity and consequences of threats. Cyber risk may be particularly underestimated in small and medium-sized organizations. These groups may believe that if they don’t have the budget for a large IT team they cannot reduce cyber risk, or that their size means that no one would bother to attack them. This mindset makes them a target for many hackers.
It only takes one data breach for clients to lose all confidence in an organization or even take action against them. If private information is leaked, consumers will likely tell others about their experience, and the organization will have a very hard time proving to new customers that they are, in fact, secure enough to be trusted. They will also lose a significant amount of current business: a study by PwC revealed that 87% of customers will take their data elsewhere if they don't believe an organization is handling it responsibly.
Cyber risk can also cause severe business disruption. One attack may send an organization into crisis mode, unable to resume regular operations until the issue is handled. In addition to private client information, a data breach may expose an organization’s trade secrets or other confidential information necessary to operation. Without containing the situation, there may soon be imitations on the market.
Cyber attacks can even cause physical damage. For example, computer-controlled systems could be shut down or remotely accessed. This occurred in a steel mill in Germany, when hackers installed malware on the network that led to a furnace explosion and massive physical damage. Read more on that incident and others like it in “Cyber and Physical Threats Collide”.
The average cost of a cyber attack continues to increase. When an attack occurs, organizations must pay for technology fixes and upgrades, legal fees, and settlements to customers whose data was compromised. The increasing frequency and power of these attacks means more data is being affected, causing organizations to pay out more: in 2018, the average cost of a cyber attack was $8 million (up from $3.62 million in 2017).
Cyber risk does not have one straightforward solution and may appear to risk teams as an intimidating threat to overcome. However, no organization can afford to be passive about cyber risk. The associated consequences are too high.
ClearRisk’s Risk Management Information System helps risk teams predict and prevent cyber risks. Our system enables the creation and sharing of risk management plans and is built on the #1 cloud-computing platform in the world. It also blocks unauthorized data to your system and is consistently updated to maintain the highest security standards. Want more information?
If you found this article helpful, you may be interested in: