By Holli Hagene
At this moment, many people and businesses thought by now things would be more or less back to normal, but it seems that the concept of the Remote Workforce will now be here to stay for a long time to come. Some good has come of this; corporate America is now understanding the need to embrace cyber risk on a much more serious level, and the gravity of trying to mitigate it as much as possible.
What Exactly Is Cyber Risk?
This term can have many different meanings to both the CIO and the CISO. But a good technical definition of it is as follows:
“Cybersecurity risk is the probability of exposure or loss resulting from a cyber-attack or data breach on your organization. A better, more encompassing definition is the potential loss or harm related to technical infrastructure, use of technology, or reputation of an organization.”1
At this point, you and your cybersecurity team are taking an inventory of all of the assets that you have in your company, both that are digital and physical in nature. From here, based upon a numerical category system that you choose to utilize, you rank all of them from being at the highest probability of being exposed to a cybersecurity attack to those that will have the least chance of being impacted. Once you have ascertained this, then you compute from a financial perspective what the estimated dollar loss will be in the event of a downtime. Of course, those assets with the highest chances of being impacted will most probably have the most dollar loss associated with them. But it is essential that you quantify this as much as possible, so you will know how to fortify your Cybersecurity Posture further.
How to Share Cyber Risk in Your Company
Now that you have a firmer idea as to what Cyber Risk is, there is a misconception that needs to be cleared up. It is often assumed that the IT department should bear the brunt of containing it; after all, it is their job, right? Well, quite frankly, the answer is no. In this regard, it is each and every employee all the way from the C-Suite down to the overnight cleaning crew that is responsible for this.
In other words, a new, radical way of thinking needs to be implemented quickly. So, how does one go about doing this? Here are some important points to consider:
1) You need to convey the true costs of Cyber Risk
At the present time, the average cost of a Cyberattack is well above $1.1 million, and there is only a 37% chance that your company will be able to fully regain their brand reputation in case it is has been impacted. With such high statistics, the odds are you may even have to close down operations, which will of course result in job loss. These numbers need to be conveyed to each employee in all of your departments so that they can come to grips with it, as well as understand the sheer importance of maintaining good levels of Cyber Hygiene in order to mitigate the risks of losing their employment.
2) Distribute responsibility accordingly
Employees are often considered to be the weakest link in the security chain. But they don’t have to be. According to the latest Verizon Data Breach Investigations Report, 93% of all Cyber- related breaches come down to phishing-related attacks. Had the employees of these organizations been given proper training, the probability of being hit in this aspect would be much lower. The subconscious view of this is that ok, so what if we are hit? Our Cyber specialists can fix it, right? Well, the answer to this is plainly wrong. The IT security teams are so overburdened these days they may not be able to respond quickly to cut down any further risk that has been posed by this scenario, thus increasing the chances that the Cyberattacker can cause even more damage. In the training that they should be given, you need to firmly emphasize to your employees that it is squarely their responsibility to keep an eye out for phishing email, and to respond to it appropriately by either deleting it or notifying the IT Security staff promptly. But, you need to give your employees the tools to do this and keep them updated on the latest trends in phishing variants so that they can do their part to cut down on this kind of Cyber Risk.
3) Share information and data with all parties
Today, there tend to be lines of division between the IT Department and the IT Security team. The former thinks that their job is to primarily make sure that the IT and Network Infrastructure are running at optimal levels, and the latter thinks that all they need to do is simply stay ahead of the Cyber threat curve. While these are their unique job functions, the truth of the matter is that the two should go hand in hand in order to keep your company well protected. Thus, any information/data about the Cyber threat landscape should not be kept in individual silos. It needs to be shared, to varying degrees, with all departments of your company that should have access to it. For example, research has shown that it takes at least 60 minutes (and probably even more) for a CIO and/or CISO and their teams to respond to a security breach. This is primarily due to the lack of communications flow that has been deployed. This response time needs to be cut down to just a matter of minutes. But this, of course, can only be done if those silos of information/data are shared between teams.
4) Deploy the right cybersecurity framework
One of the best ways in which you share the responsibility of Cyber Risk throughout your entire company is to implement a good framework, and the appropriate controls that will support it. Some of the more commonly used ones are as follows:
- The PCI DSS
- The ISO 27001/27002
- The NIST Framework for Improving Critical Infrastructure Security
While all of these are good, there is yet another good framework that is now making its splash. This is known as the “Zero Trust Framework.” In other words, you cannot trust anything in your environment. Everything and anything should be assumed to be a risk. The motto here is: “Never Trust, Always Verify.”
This article has provided a glimpse into what Cyber Risk is all about, and the importance of making the mitigation of it a collaborative effort throughout your entire company. A future article will do a deeper dive into the Zero Trust Framework, and some tips as to how you can implement it.