To discover the big picture, consider some recent statistics. IBM reports that the global average cost of a data breach in 2020 was $3.86M. For the healthcare industry, the average cost is almost double, $7.13M. Concurrently, HIPAA Journal reported that 9.7M health records were compromised in September 2020 alone. But it’s not just big businesses that are facing the brunt of cyber breaches: 43% of cyber-attacks target small and medium businesses, notes Fundera.
With cybercrime growing at a compounding rate – 300-600% in recent months – cyber risk positions itself as the biggest challenge to organizations around the globe. Here’s a primer on cyber risk and your organization.
What is cyber risk?
Cyber risk refers to the risk associated with “financial loss, disruption or damage to the reputation of an organization from failure, unauthorized or erroneous use of its information systems,” as per PWC. It also includes “the potential of loss or harm related to technical infrastructure or the use of technology within an organization,” according to RSA.
Cyber risk can materialize in varied forms. Here are some examples of cyber risk:
- Unintentional breaches of security
- Cybercrime such as the theft and sale of corporate data
- Cyberterrorism, for instance, virus installation or a denial-of-service attack
- Third-party vulnerabilities that leave customer data compromised
Cyber risks can be classified according to intent and source:
- Internal malicious
- Internal unintentional
- External malicious
- External unintentional
What is the impact of cyber risk?
It is worth noting that classifying a cyber risk by intent and source says little about how much damage it can do to your organization. For instance, one report finds that 52% of data security breaches boil down to human error and system failure. Another report indicates that 95% of cybersecurity breaches have their source in human error.
The impact of cyber risk can be divided into a few categories:
- Financial loss: The average cost of a data breach in the USA is $8.64M according to IBM and economic loss can arise from various quarters. You may be unable to provide services or carry out transactions; proprietary information or even money may be stolen; you may have to spend large sums of money repairing your information systems. You may even have to rejig your business operations and find new ways to conduct business.
- Reputation loss: It can be hard to put a finger on the economic impact of reputation loss but suffice it to say that loss of customer trust can cripple a business altogether. Customers may share confidential information with your business and if this gets compromised you could lose your customer base and see reduced sales. Invariably, you’d have to give up your market position and mend third-party and investor relationships.
- Legal loss: Data security laws exist to protect customer data, and they require you to adopt certain controls and to deploy security measures in case a data breach occurs. If you are caught off guard, you may have to pay millions of dollars to regulatory authorities and other parties. There are legal costs to bear too, and because of the seriousness of the issue, some organizations buy cyber risk insurance to cover their losses.
The cost of protection is also something that can be added to this list. Building safer information and networking systems takes money and requires the use of vetted software and hardware. The ongoing management of these systems and their maintenance also add to the costs.
How should you approach cyber risk?
In today’s digital age, you cannot avoid exposing yourself to some amount of cyber risk. You cannot forgo digitalization or digital transformation just to avoid cyber risks; doing so would hold back your business growth, revenue expansion, and market consolidation.
Hence, the goal is to navigate cyber risk well.
First, you need to know what your assets are and what you are trying to protect from intentional or unintentional cyber risks:
- Do you store customer data either directly or with a third party?
- Do you have intellectual property that needs to be protected?
- Do you possess financial data or contract terms that cyber-thieves would want?
Then, you need to understand what cyber threats you may face, and which assets may come under fire. Cyber threats are not the same as cyber risks: a threat is an event that can exploit a vulnerability to damage an asset. Once you have linked cyber threats to your assets, you know what cyber risks you have on hand.
With this information ready, you can then proceed to drafting a cyber risk appetite statement. Defining your cyber risk appetite gives you clarity on many fronts:
- You get clarity on how much risk you are ready to tolerate
- You know how much you are prepared to spend to mitigate the risk
- You gain insights into the prioritization of risks that affect your business
How do you manage cyber risks within your organization?
Cyber risk management is an ongoing process that can be broken down into a few key steps:
Identify the risks: Note your assets, threats, and vulnerabilities. For instance, you may have a weak technological infrastructure with employees working from home on personal devices, and this could lead to company data being more vulnerable. Here are some possible avenues of cyber risk:
- Opening suspicious emails
- Using personal devices at the workplace (BYOD)
- Failing to log out of accounts
- Using outdated software
- Not scrutinizing third-party vendors
- Setting insecure passwords
- Having weak home Wi-Fi security
- Possessing weak links due to an IoT ecosystem
Assess the risks: At this stage, you need to analyze the risks in terms of their likelihood and severity. Based on that you can forecast what the impact of the risk may be.
Evaluate and prioritize the risks: This becomes easy if you have a well-defined risk appetite statement. You can begin to answer questions such as:
- Which risks can the organization do without?
- Which assets demand the greatest amount of security?
- For how long can the organization delay taking on this risk?
- Do the risks align with the organization’s business strategy?
- What is the organization’s net level of cyber risk?
Respond to the risks: You can modify the impact of a risk by adopting a corrective control. For instance, you can enforce multi-factor authentication for more secure logins, deploy company apps to isolate sensitive data, and adopt a policy for patch and update management. Reviewing the 20 CIS Controls can prove valuable here.
Here are some practical ways to reduce cyber risks:
- Educate your staff
- Keep software systems updated
- Draft a cyber security policy and a breach response plan
- Cut down on data transfers
- Avoid downloads as far as possible
- Schedule regular backups
- Limit access to data by assigning privileges
- Encrypt your data
- Invest in a robust cybersecurity system
After treating the risks you can with controls, you decide which of the remaining cyber risks to tolerate, which to terminate, and which to transfer to a third party.
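As an added example (not part of the original article or the VComply product), the following Python script turns the assess, prioritize and respond steps above into a small risk register: each asset/threat pair is scored as likelihood × severity, ranked, and mapped to tolerate, treat, or terminate/transfer according to hypothetical risk appetite thresholds. The 1..5 scales, the thresholds and the register entries are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of a cyber risk register: a threat linked to an asset."""
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); hypothetical scale
    severity: int    # 1 (negligible) .. 5 (critical); hypothetical scale

    def score(self) -> int:
        """Inherent risk as likelihood x severity, giving a value from 1 to 25."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.severity <= 5):
            raise ValueError("likelihood and severity must be on a 1..5 scale")
        return self.likelihood * self.severity


# Hypothetical risk appetite statement expressed as score thresholds:
# scores below 8 are tolerated, 8..15 are treated with controls,
# 16 and above exceed appetite and must be terminated or transferred.
APPETITE = {"tolerate_below": 8, "treat_below": 16}


def treatment(score: int, appetite: dict = APPETITE) -> str:
    """Map a risk score to the response options named in the article."""
    if score < appetite["tolerate_below"]:
        return "tolerate"
    if score < appetite["treat_below"]:
        return "treat"
    return "terminate_or_transfer"


def prioritize(register: list, appetite: dict = APPETITE) -> list:
    """Return (score, treatment, risk) tuples, highest score first."""
    rows = [(r.score(), treatment(r.score(), appetite), r) for r in register]
    return sorted(rows, key=lambda row: row[0], reverse=True)


# Constructed sample register; the values are illustrative only.
SAMPLE_REGISTER = [
    Risk("customer PII database", "credential theft via phishing email", 4, 5),
    Risk("employee laptops (BYOD)", "outdated software exploited", 3, 3),
    Risk("marketing website", "defacement", 2, 2),
    Risk("payroll data held by vendor", "third-party breach", 2, 5),
]

if __name__ == "__main__":
    for score, action, risk in prioritize(SAMPLE_REGISTER):
        print(f"{score:>2} {action:<22} {risk.asset}: {risk.threat}")
```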
Your cyber risk management efforts work best when they tie in with your organization’s risk management framework. Moreover, you should strive for a three-pronged approach of ‘cyber risk assessment’, ‘cyber risk management’ and ‘cyber risk monitoring’. Whether it is enforcement, accountability or the aspect of bringing senior leadership into the game, you can best integrate cyber risk management with your GRC strategy when you have a risk management platform like VComply.
With VComply, you can set the cyber risk management lifecycle in motion, invite collaborators to evaluate risks, establish tolerance levels, monitor your risks, assign and implement controls to address risks, delegate ownership, escalate failures, set up alerts and more. This gives you the means to safeguard your organization against internal and external cyber threats in real time.