No business risk in the 21st century has created more challenges and concern for boardrooms and C-suites than cybersecurity risk.
Reputations have been destroyed in the eyes of customers and shareholders, and recent lawsuits have questioned the integrity of senior executives faced with managing the impact of a cyber-attack. The media have been unforgiving, and it is very clear that no nation, industry sector, company or individual is immune. For this reason, responsibility for cybersecurity starts at the top, and oversight of a comprehensive and measurable risk management programme sits with the executive leadership team.
Today, cyber risk has extended far beyond being "an IT problem." It has become a serious business continuity issue and a core responsibility of executives at businesses of any size, who must protect shareholder value.
The World Economic Forum Global Risks Report 2018 ranks cyber-attacks and data fraud or theft as the 3rd and 4th biggest global risks in terms of likelihood, which highlights a clear and present danger: it is a matter of "not if, but when" an organisation will suffer loss caused by a cyber-attack.
Cyber risk ultimately poses a threat to the balance sheet; however, brand damage and an overall loss of confidence are what should be on every business leader's mind. If an attacker were to gain access to your Information Technology (IT) or Operational Technology (OT) environments, there are many ways in which they could cause serious harm.
The following consequences are very real and are a result of the technology growth factors that have shaped the risk landscape:
- Data breach – sensitive information, such as personal data (including Personally Identifiable Information or Healthcare Information), is accessed, lost or leaked. Such data is treated as confidential to your organisation and is covered by many US and European regulations.
- Transactional fraud – compromised business email accounts or social engineering attacks that lead to fraudulent electronic payments.
- Cyber extortion and ransomware – an attacker threatens to expose stolen information unless the victim pays, and/or encrypts data so that it is inaccessible until a ransom is paid.
- Network security liability – liability for damage to a third party caused by malware transmitted from your systems on to theirs.
- Business interruption and disruption – caused by operational error or malicious software (malware) that makes your own or third-party services unavailable for a period of time.
- Reputational damage – information revealed that could have short- or long-term consequences for your own reputation or that of third parties such as suppliers or customers.
- Intellectual property theft – unauthorised access to and theft of critical insights and knowledge such as market-sensitive data, corporate strategy plans, designs and trade secrets – including merger and acquisition data.
- Espionage – gaining access to commercial secrets and data not necessarily owned by the organisation, such as unreleased film scripts or the insurance policies of high-net-worth individuals.
- Sabotage – deliberate damage to an organisation's ability to operate, and potential physical damage to assets.
- Embarrassment – revealing material that could cause humiliation for staff, shareholders and third parties.
- Internal reputation – exposing data that could spread rumours and create fear, uncertainty and doubt amongst employees of an organisation.
For these reasons, it is critical that organisations remain vigilant and proactively address ways to deter, prevent, detect, respond to and recover from cybersecurity breaches.
It is also important that every business leader asks themselves and their enterprise risk teams (political, financial, operational and security) the following key questions:
- What does cyber risk mean to them?
- Who is a threat to them and why?
- What measures seem proportionate to treat the risk their organisation faces?
- What is a reasonable price to pay for that mitigation?
With this ever-evolving and growing threat to business survival, cyber risk should sit firmly near the top of every organisation's Enterprise Risk Register, with the resources needed to mitigate such a critical risk effectively.
If this subject is not being discussed regularly at Board and C-suite level, then organisations need to start educating their leadership teams so that cyber risk management gets the top-down support it requires.
GoldPhish produces leading cyber risk solutions that help build more secure organisations. Through web-based education and consulting we empower local and international organisations to better understand, assess and manage the cyber risk to their business.
GoldPhish is a unique blend of UK and South African security and IT professionals with CVs spanning the UK military, oil and gas, maritime, financial services and telecommunications sectors. Our teams have worked with multiple high-risk industries and international government agencies. We have built world-class training, education and communication programmes; consulted and advised on implementing layered security; and led in crisis management situations.
Find out more about products and services provided by GoldPhish