Companies are faced with a challenging and evolving spectrum of cyber risk composed of cybersecurity threats at one end and regulatory penalties at the other. As Glenn Cowan, a Managing Director at GRA Quantum, discussed in a recent blog post, an expanding array of actors are utilizing increasingly sophisticated tools to disrupt operations, pilfer intellectual property, and plunder sensitive data. To spur public and private sector efforts to improve cybersecurity postures, tough regulations are being established that carry stiff penalties and the risk of reputational damage. In the event of a security breach, companies face costly consequences stemming from the breach itself and from the penalties related to regulatory compliance failures.
While boards and executives may be aware of cybersecurity threats, they are often at a loss for how to manage cyber risk and bolster their organizations’ cybersecurity postures. Most companies approach cyber risk management as a technical problem driven by the need to make systems impenetrable. Guided by this approach, companies are enticed by the hundreds of software and hardware vendors pitching simple cybersecurity panaceas. Unfortunately, most often, these “solutions” are not only costly but also inadequate, leaving organizations exposed.
There is no single, easy, and unassailable cybersecurity solution, and companies should not conflate cyber risk management with attempting to erect an impregnable digital fortress (there is no such thing). Managing cyber risk and strengthening cybersecurity are not exclusively technical problems. Instead, cyber risk should be understood as comparable to and incorporative of other conventional business risks, including financial and compliance risk. Therefore, cyber risk, much like other business risks, requires rigorous and ongoing management that prioritizes a company’s cyber threats and accounts for its resources, risk tolerance, and objectives. As boards and executives develop their cyber risk management approaches, they should first characterize their cyber threat landscape and then prioritize cyber risks for mitigation.
Each company has unique assets and functions that can make it a target for extortion, espionage, theft, or disruption, the most common objectives of cyberattacks. Understanding a company’s assets and functions is essential to understanding the potential sources of cyber risk. Often, companies underestimate the value of their assets and the attractiveness of their functions. Assets, like sensitive data or proprietary intellectual property, are highly valued by spies and thieves, and functions, like critical infrastructure support, are attractive targets for extortion and disruption.
For example, across the United States, malicious actors have employed ransomware to block hospitals from networked medical devices and patient data until hospitals pay a ransom. This type of extortion exploits modern hospitals’ heavy reliance on technology to provide healthcare. Until ransomware began crippling hospitals, healthcare executives failed to recognize that their organizations’ functions made them attractive and vulnerable targets. Hospitals have also been subjected to hacks and thefts of financial and patient data, which feed a lucrative illegal industry of patient extortion and identity theft. Like many organizations, hospitals tend to underestimate the value of their assets—in this case, patient data—and fail to identify them as sources of cyber risk.
Companies need to understand how they fit within an industry vertical and within a geopolitical context. This is the first step to identifying likely malicious actors and the capabilities that these actors can field. While it may seem farfetched to some executives, corporate and nation-state cyberattacks are remarkably common, especially for industries at the cutting-edge of innovation and research and development. In a competitive global market, companies and countries are constantly searching for ways to leapfrog competitors at minimal cost, and cyber vulnerabilities offer an appealing avenue.
Companies should undertake comprehensive network, policy, and personnel training reviews to identify vulnerabilities that attackers could leverage. Technology is only one component of robust cybersecurity. While addressing network vulnerabilities and ensuring strong endpoint security is important, companies often neglect the roles that processes and people play in cybersecurity. Cyber risk management should involve not only investments in technology but also employee training and the development of company cybersecurity protocols. Companies should also consider physical security as they assess cyber risks. Investing in vigorous cybersecurity but neglecting the security of buildings and offices can leave companies with a “soft core” that grants attackers physical access to machines and networks.
Once a company has characterized its cyber threat landscape and identified its vulnerabilities, it needs to take steps to mitigate its cyber risks. Given the wide array of cyber risks that companies face and the limited resources that can be devoted to strengthening cybersecurity, companies need to prioritize cyber risks. This involves three considerations. The first is the probability of a threat. Second, companies should determine the impact and cost if the vulnerability is exploited. Third, the cost and effectiveness of mitigation should be weighed against the first two considerations to determine whether a mitigation should be sought.
Companies should first determine the likelihood of each individual cyber threat. While obvious, this question is essential for companies seeking to prioritize cyber risks. To estimate likelihood, companies should first focus on the potential malicious actor and determine how motivated and capable they may be. High-value assets and critically important functions attract highly motivated and well-resourced actors that are more likely to persist and succeed. The emergence of crime-as-a-service complicates this consideration. Underground forums and criminal marketplaces host a wide range of cybercriminals, some boasting formidable capabilities, who sell their services anonymously. Crime-as-a-service enables anyone, even highly motivated luddites, to purchase the services of sophisticated and well-resourced cybercriminals. Understanding both the motivations and the capabilities of potential malicious actors is essential for determining which cyber risks to prioritize for mitigation.
Next, companies must dig deeper into how an attack would be executed and determine how complex it would be to exploit identified vulnerabilities. Likelihood can then be estimated by considering both the complexity of potential exploits and the sophistication of possible malicious actors. The most likely threats are those that involve rudimentary exploits and highly sophisticated actors. The least likely threats are against companies that attract only crude amateurs and exhibit obscure vulnerabilities; this situation is rare. The Internet has become the backbone of commerce, and companies are increasingly reliant on networked technology to do business. As a result, nearly all businesses are, to some degree, targets harboring extant vulnerabilities.
Once a company has determined the likelihood of a threat, it should assess the threat’s potential impact on the business. In its 2016 Cost of Cyber Crime report, the Ponemon Institute attributed nearly 75 percent of the costs of cyberattacks to business disruption and information loss and found that the costs were rising. For some companies, cyberespionage could quickly extinguish their competitive advantage as their intellectual property leaks to competitors. A cyberattack can also saddle businesses with remediation costs and, in some cases, trigger hefty fines. Furthermore, retailers have discovered that cyberattacks also have a negative impact on business reputation and brand trust. Even ostensibly minor threats, like adware, have the potential to obstruct business operations and precipitate costly consequences. Cyber vulnerabilities can be costly, and, to accurately gauge the seriousness of a threat, companies should assess and consider the costs of potential threats.
Threats that are both immensely costly and highly probable are serious risks, but they may not be a priority for mitigation. If available mitigation options for the threat are costly and ineffective, a company may better benefit from prioritizing other threats. Companies should carefully consider the effectiveness and cost of mitigation options against the corresponding risks. In some cases, mitigating risks that are either less impactful or less likely should take precedence over the most serious risks.
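The three-step prioritization described above (likelihood from actor capability and exploit complexity, then impact, then mitigation cost and effectiveness weighed against both) can be made concrete as a small risk register. The following Python is an added example, not code from the original post or from GRA Quantum; the 1-to-5 scoring scales, the likelihood formula, and the four sample threats are constructed assumptions chosen to illustrate the method, not figures from the article. It shows why the threat with the largest expected loss can still rank last once its mitigation is costly and ineffective.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Threat:
    """One entry in a cyber risk register (constructed scoring model)."""
    name: str
    actor_capability: int           # 1 = crude amateur .. 5 = well-resourced, persistent actor
    exploit_complexity: int         # 1 = rudimentary exploit .. 5 = obscure, hard-to-exploit flaw
    impact_cost: float              # estimated loss if the vulnerability is exploited (dollars)
    mitigation_cost: float          # cost of the best available mitigation (dollars)
    mitigation_effectiveness: float # fraction of expected loss the mitigation removes, 0.0 .. 1.0


def likelihood(t: Threat) -> float:
    """Probability estimate in [0.04, 1.0] (assumed model).

    Capable actors plus rudimentary exploits score highest; crude amateurs
    facing obscure vulnerabilities score lowest, matching the ordering in
    the text. The product of two 1-5 scores is normalised by 25.
    """
    if not (1 <= t.actor_capability <= 5 and 1 <= t.exploit_complexity <= 5):
        raise ValueError(f"{t.name}: capability and complexity must be on a 1-5 scale")
    ease_of_exploit = 6 - t.exploit_complexity
    return (t.actor_capability * ease_of_exploit) / 25.0


def expected_loss(t: Threat) -> float:
    """Step two: likelihood weighted by the cost of a successful attack."""
    return likelihood(t) * t.impact_cost


def net_benefit(t: Threat) -> float:
    """Step three: loss avoided by the mitigation, minus what the mitigation costs.

    A negative value means the mitigation costs more than the risk it removes,
    so the company is better off spending the money on another threat.
    """
    if not 0.0 <= t.mitigation_effectiveness <= 1.0:
        raise ValueError(f"{t.name}: effectiveness must be between 0 and 1")
    avoided_loss = expected_loss(t) * t.mitigation_effectiveness
    return avoided_loss - t.mitigation_cost


def rank_by_expected_loss(threats: List[Threat]) -> List[str]:
    """Ordering a board sees when it looks only at likelihood and impact."""
    return [t.name for t in sorted(threats, key=expected_loss, reverse=True)]


def rank_for_mitigation(threats: List[Threat]) -> List[str]:
    """Ordering after mitigation cost and effectiveness are weighed in."""
    return [t.name for t in sorted(threats, key=net_benefit, reverse=True)]


def worth_mitigating(threats: List[Threat]) -> List[str]:
    """Threats whose available mitigation pays for itself."""
    return [t.name for t in threats if net_benefit(t) > 0]


# Constructed sample register; every number below is illustrative only.
SAMPLE_THREATS = [
    Threat("Ransomware via phishing",           4, 1, 2_000_000,  150_000,   0.7),
    Threat("IP theft by well-resourced actor",  5, 4, 10_000_000, 5_000_000, 0.3),
    Threat("Adware on workstations",            1, 1, 200_000,    5_000,     0.9),
    Threat("Physical access via unlocked office", 2, 2, 500_000,  20_000,    0.8),
]


if __name__ == "__main__":
    for t in SAMPLE_THREATS:
        print(f"{t.name:38} likelihood={likelihood(t):.2f} "
              f"expected_loss={expected_loss(t):>12,.0f} net_benefit={net_benefit(t):>12,.0f}")
    print("By expected loss:   ", rank_by_expected_loss(SAMPLE_THREATS))
    print("Mitigation priority:", rank_for_mitigation(SAMPLE_THREATS))
    print("Worth mitigating:   ", worth_mitigating(SAMPLE_THREATS))
```

With these sample figures the IP theft scenario carries the largest expected loss, yet a mitigation costing five million dollars that removes only 30 percent of a four-million-dollar expected loss has a negative net benefit, so it drops to the bottom of the mitigation list while the cheaper, more effective controls for ransomware and physical access move up. The scoring scales are deliberately coarse; the point of the exercise is the ordering and the decision rule, and a real register would replace the assumed likelihood formula with the company's own threat intelligence and loss estimates.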
Cyber risk management is an ongoing process of identifying, prioritizing, and mitigating potential cyber threats and vulnerabilities. To effectively manage their cyber risk, companies should look inward to identify their own vulnerabilities and the reasons that would motivate an attack. Companies should also look outward to characterize potential malicious actors. Understanding their threat landscape allows companies to take the next steps to determine the likelihood of a threat, its impact, and the cost and effectiveness of mitigation. These components should undergird companies’ risk prioritization and mitigation efforts.