A year after the COVID-19 pandemic began, many people and businesses thought that by now things would be more or less back to normal. Instead, it seems that the remote workforce is here to stay for a long time to come. Some good has come out of this: Corporate America now takes what is known as Cyber risk far more seriously, along with the need to mitigate it as much as possible. That is the focal point of this article.
What Exactly is Cyber Risk?
The term “Cybersecurity risk” (or “Cyber risk”) can have many different meanings to corporate managers and executives. But a good technical definition of it is as follows:
“Cybersecurity risk is the probability of exposure or loss resulting from a cyber-attack or data breach on your organization. A better, more encompassing definition is the potential loss or harm related to technical infrastructure, use of technology, or reputation of an organization.”
At this point, you and your Cybersecurity team are probably taking an inventory of all your company's digital and physical assets. From there, using whatever numerical scale you choose, you rank them from the highest likelihood of being hit by a cyberattack to the lowest. Once you have that ranking, estimate the financial impact of each: what an attack, and the downtime that follows it, would cost in dollars. The assets most likely to be attacked are often also the ones with the largest dollar loss attached to them. Combining likelihood with impact gives an expected loss for each asset; quantify this as far as you can, because it tells you where to fortify your Cybersecurity posture first.
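As an added illustration (not part of the original article), the ranking above can be carried out with the standard annualized-loss-expectancy model: a single loss expectancy (SLE) per incident, multiplied by an annual rate of occurrence (ARO), gives the expected loss per year (ALE), which is what you sort on. The asset names, dollar values, exposure factors and rates below are invented for the example, as is the cost/benefit helper for a proposed control.

```python
"""Quantitative risk ranking: constructed example, not from the article.

Assumes a simple annualized-loss-expectancy (ALE) model:
  SLE = asset value * exposure factor   (dollars lost in one incident)
  ALE = SLE * ARO                       (expected dollars lost per year)
The asset names, values and rates below are invented for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # replacement/revenue value in dollars (hypothetical)
    exposure_factor: float  # fraction of value lost per incident, 0..1
    aro: float              # annual rate of occurrence (expected incidents/year)

    def sle(self) -> float:
        """Single loss expectancy: dollars lost in one incident."""
        return self.value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected dollars lost per year."""
        return self.sle() * self.aro


def rank_by_ale(assets):
    """Return assets ordered from highest to lowest expected annual loss."""
    return sorted(assets, key=lambda a: a.ale(), reverse=True)


def control_is_worth_it(asset, new_aro, annual_control_cost):
    """Cost/benefit check for a proposed control that lowers an asset's ARO.

    Returns (annual_savings, worthwhile): a control pays for itself when the
    reduction in ALE exceeds its annual cost.
    """
    reduced_ale = asset.sle() * new_aro
    savings = asset.ale() - reduced_ale
    return savings, savings > annual_control_cost


# Constructed inventory for illustration only.
INVENTORY = [
    Asset("customer-db", value=2_000_000, exposure_factor=0.5, aro=0.2),
    Asset("vpn-gateway", value=300_000, exposure_factor=0.8, aro=1.0),
    Asset("marketing-site", value=100_000, exposure_factor=0.3, aro=2.0),
]

if __name__ == "__main__":
    for a in rank_by_ale(INVENTORY):
        print(f"{a.name:15s} SLE=${a.sle():>12,.0f}  ALE=${a.ale():>12,.0f}")
    # Hypothetical control: MFA on the VPN gateway cuts its ARO from 1.0 to 0.25.
    savings, ok = control_is_worth_it(INVENTORY[1], new_aro=0.25, annual_control_cost=50_000)
    print(f"MFA on vpn-gateway saves ${savings:,.0f}/yr -> worthwhile: {ok}")
```

Note that the VPN gateway, a lower-value asset than the customer database, ranks first because it is expected to be hit far more often; ranking on expected loss rather than on asset value alone is the point of quantifying both likelihood and impact.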
How to Share Cyber Risk Throughout Your Company
Now that you have a clear idea of what Cyber risk is, there is yet another misconception that needs to be cleared up. It is often assumed that the IT department should bear the brunt of containing Cyber risk; after all, it is their job, right? Quite frankly, the answer is no. Containing Cyber risk is the responsibility of each and every employee, from the C-Suite down to the clerical staff.
This new, radical way of thinking needs to be implemented quickly. So, how does a company go about doing this? Here are some important steps you can take:
- Convey the true costs of Cyber Risk.
At the time of writing, the average cost of a Cyberattack has been estimated at well above $1.1 million, and only about 37% of affected companies fully regain their brand reputation. The odds are that the company may even have to close down operations, which will of course result in job losses. These numbers should be conveyed to every employee in every department so they understand that maintaining good Cybersecurity is not an abstract IT concern but directly reduces the risk of losing their jobs.
- Distribute responsibility throughout the company.
Employees are often considered to be the weakest link in the Cybersecurity chain. But they don't have to be. The Verizon Data Breach Investigations Report has attributed 93% of breaches involving social engineering to Phishing and pretexting. Had the employees of those organizations been given proper training, the probability of being hit would have been much lower. Employees often assume, "Okay, so what if we are hit? Our Cyber specialists can fix it, right?" That assumption is wrong. Today's IT Security teams are overburdened and may not be able to respond quickly enough to contain an incident, which gives the Cyberattacker time to cause additional damage. When training employees, emphasize that it is squarely their responsibility to keep an eye out for Phishing email and to respond appropriately: do not click, and either delete the message or promptly report it to the IT Security staff. You also need to give employees the tools to do this (a one-click report button, a clear reporting address) and keep them updated on the latest Phishing variants so they can do their part to reduce risk.
- Share information and data with all parties.
Even today, there tends to be a dividing line between a company's IT Department and its IT Security team. The IT Department often sees its primary job as keeping the IT and Network Infrastructure running at optimal levels, while the IT Security team sees its job as staying ahead of the Cyber threat curve. Those are distinct functions, but the truth is that the two go hand in hand in keeping the company well protected. Information about the Cyber threat landscape should therefore not be kept in departmental silos; it must be shared, to varying degrees, with every department that should have access to it. Research has indicated that it takes at least 60 minutes (and probably longer) for a CIO and/or CISO and their team to respond to a security breach, primarily because communication flows were never established in advance. That response time needs to be cut down to a matter of minutes, and that can only happen if those silos of information are opened up across departments.
- Deploy the right Cybersecurity framework.
One of the best ways to share responsibility for Cyber Risk throughout your entire company is to implement a recognized framework or standard and the controls that support it, so that every department works from the same set of expectations. Some of the most commonly used are:
- The PCI DSS;
- The ISO 27001/27002;
- The NIST Framework for Improving Critical Infrastructure Cybersecurity (the NIST CSF).
All of these frameworks are good, but none of them is foolproof, and no framework is. The gap they leave is implicit trust: controls that assume anything already inside the network is legitimate. The Zero Trust architecture (described in NIST SP 800-207) removes that assumption. Nothing in your environment, inside or outside the perimeter, is trusted by default; every user, device and request must be verified before access is granted, and access is limited to what that request needs. The motto here is: "Never Trust, Always Verify."
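To make "Never Trust, Always Verify" concrete, here is an added example (not code from the article, and not an implementation of NIST SP 800-207 itself) contrasting a perimeter check, where anything from the internal network is trusted, with a per-request Zero Trust decision that ignores network location and denies by default. The resources, groups, directory data and the device posture flag are all invented for the illustration.

```python
"""Zero Trust policy check: constructed example, not from the article or NIST.

Contrasts a perimeter model (trust anything on the internal network) with a
per-request decision that never uses network location as an input. The
resources, policy, directory data and posture flag are invented for illustration.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Request:
    src_ip: str
    user: Optional[str]      # None = no authenticated identity presented
    mfa: bool                # identity was proven with a second factor this session
    device_compliant: bool   # endpoint posture check passed (hypothetical attestation)
    resource: str


# Hypothetical per-resource policy: which groups may access it, and whether MFA is required.
POLICY = {
    "payroll-db": {"allowed": {"finance"}, "require_mfa": True},
    "wiki": {"allowed": {"finance", "engineering"}, "require_mfa": False},
}
GROUPS = {"alice": "finance", "bob": "engineering"}  # constructed directory data
INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # the "trusted" corporate range


def perimeter_allow(req: Request) -> bool:
    """The model Zero Trust replaces: anything on the corporate network is trusted."""
    return ipaddress.ip_address(req.src_ip) in INTERNAL


def zero_trust_allow(req: Request):
    """Deny by default; every request must prove identity, posture and entitlement.

    Network location is deliberately not consulted. Returns (allowed, reason).
    """
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource"
    if req.user is None:
        return False, "no authenticated identity"
    if not req.device_compliant:
        return False, "device failed posture check"
    if rule["require_mfa"] and not req.mfa:
        return False, "MFA required for this resource"
    if GROUPS.get(req.user) not in rule["allowed"]:
        return False, "identity not entitled to resource"
    return True, "verified identity, device and entitlement"


if __name__ == "__main__":
    # An attacker with an internal foothold but no identity: the perimeter model says yes.
    foothold = Request("10.1.2.3", None, False, False, "payroll-db")
    print("foothold:", perimeter_allow(foothold), zero_trust_allow(foothold))
    # A finance user with MFA on a compliant laptop at a coffee shop: allowed on the merits.
    remote = Request("203.0.113.7", "alice", True, True, "payroll-db")
    print("remote:  ", perimeter_allow(remote), zero_trust_allow(remote))
```

The order of the checks is itself a design choice: identity and device posture are established before entitlement is even considered, so a stolen credential on an unmanaged machine, or a valid user who skipped MFA, fails before the policy lookup, and the reason returned is specific enough to feed into the detection pipeline described earlier.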
This article has provided a glimpse into what Cyber Risk is all about, and the importance of defending against it with a collaborative approach across your entire company.
Ravi is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas.Tech, Inc. He is also studying for his CompTIA Security+ Certification.