Hit enter to search or ESC to close
Institue of Directors - design shape Institue of Directors - design shape

An Executive Guide to Reducing Cyber Risk: What Business Leaders Need to Know

Blog

Expert Analysis from Ross Palmer, CEO, Enterprise Defence.This article has been written exclusively for IoD Ireland members.

Knowing where you need to focus is much easier when you know where you stand right now.

Phishing, social engineering, hackers, and even accidental insiders are contributing to increased cyber-risk across industry. The result is that the business of cybercrime is booming to the tune of $1.5 trillion each year [4] by taking advantage of legitimate business processes and people.

The question on everyone’s lips is how to change the balance of power between the cybercriminal community and the victims of cybercrime, aka, your business. One of the key factors in achieving this is to understand where risk occurs and how best to deal with it. 

Where Cyber Risk Seeps In…

  • Robust but nefarious business models drive cybercrime.
  • The dark web is the platform for cybercriminals, delivering the data and tools of the cybercriminals trade.
  • Cybercriminals take advantage of employees using social engineering and phishing.
  •  Accidental data exposure is part of cyber risk.

Hacking-as-a-service: Many of the tricks of the cybercrime trade use well-thought out, robust business models, including as-a-service offerings. This has led to greater accessibility to software-as-a-service kits that facilitate ransomware and data theft. These repeatable, cost-effective business models are driving cybercrime.

Dark web marketplaces: The dark web has been put to good use by hackers as a means of disseminating stolen data and delivering the tools needed to steal more data to commit fraud and to infect corporate networks with ransomware, etc. This ‘snake eating its tail’ marketplace approach to cybercrime proliferation provides a self-perpetuating system that causes massive amounts of financial loss to businesses the world over.

Accidents happen: Cybercrime is a major cause of risk, but accidental data exposure or similar harm by employees is another. Our employees are a 360-degree risk; they are not only a target for cybercriminal manipulation using social engineering and phishing, but they also add risk through unintended consequences and accidents.

Developing a security strategy that mitigates cyber risk is no mean feat. All known risk factors, and even other predicted risks, need to be included. However, understanding what factors create cyber risk in a business allows a company to more effectively mitigate that risk. 

How Cyber Risk Impacts Business

  • Financial costs
  • Fines for non-compliance
  • Lowers employee morale
  • Reputation damage.

Financial losses: Cyber risk touches many parts of a business. The cost of putting a cyber-attack or accidental data exposure right can run into six or even seven figures. Not all businesses can sustain this level of loss and the chances are that a company will experience multiple cyber-attacks. 

Fines and compliance: The financial losses due to downtime after a cyber-attack do not include the fines dealt out by the local Information Commissioner’s Office for data breaches and privacy violations. Fines from regulations such as GDPR [5] are up to 4% of global turnover or 20 million euros (whichever is higher).

Staff morale: Staff are also shown to be negatively impacted when a cyber-attack hits a company. 

Reputation and trust: Then there is the customer side of the equation; research has shown that customer trust is lost along with data during a cyber-attack. 

The modern enterprise is like a house of cards that a single cyber-attack can tip over. But with tight budgets, how does an organization optimize spend on cybersecurity threat prevention?

Budgeting for Cyber Risk

Making decisions that optimize security budget spend requires an intelligence-led security risk assessment. Armed with the knowledge of where cyber risk creeps in and how it impacts a company gives a C-level and business owner the know-how to assign security budget wisely. A risk assessment informs the development of strategic policies that are tailored to your company’s specific needs. These policies act as the handbook to make clear and impactful security decisions. Knowing exactly where to place the budget focus when creating measures and processes for de-risking your organization, empowers a company to stop cyber threats from becoming a cyber-attack. 

The cybersecurity landscape often acts like shifting sands, but certain key areas stand out as important. These include employee security awareness training to combat social engineering and the use of effective security solutions. Cyber insurance can also act as a fallback strategy to help alleviate some of the financial worries caused by a cyber-attack.

A Good Cyber Posture

A survey of 1,225 information technology and cybersecurity leaders [6] found that 79% had suffered a business disruption and/or financial loss in 2020 because of a lack of cyber preparedness. 

Cyber risk must be mitigated to allow an organisation to focus on its core business to thrive. When an organisation makes informed cyber risk decisions, it shows a higher level of preparedness and a good cyber posture. But managing cyber risk is not achieved using an on-off switch. Along with taxes and death, changes in the cyber threat landscape are a certainty; but responding to a changing target is challenging. By understanding where cyber risks lie, and what the best practice methods are in dealing with them, business owners can respond smartly and appropriately. A good cyber posture and risk mitigation is achievable, and the benefits are tangible.

For further details on each of the topics raised here, please feel free to contact me on r.palmer@enterprisedefence.

Knowing where you need to focus is much easier when you know where you stand right now.

Find out more on the Enterprise Defence website.

References:

  1. Risk Based Security
  2. Beazley Breach Briefing 2020
  3. Garda
  4. Atlas VPN
  5. Intersoft Consulting
  6. Ermetic
     
<<<<<<< HEAD