The term cyber risk is often used to describe a business’ overall cybersecurity posture, i.e., at how much risk is this business, given the measures it has taken to protect itself. It’s often coupled with the idea of cyber insurance, the necessary coverage between what a company can do security-wise, and the threats it faces day in and day out. Cybersecurity used to belong exclusively in the realm of Information Technology, one of many business silos that while important, was only a small piece of the business and as such, often delegated to a C-level manager who interfaced with other executives as necessary. Today’s businesses have outgrown this model, as what used to be considered information technology has grown to encompass business itself, permeating every aspect of it, governing its speed, its range, its possibilities. As a CEO or CFO, the way your business handles information technology and begins to foster cyber resilience, reflects the way you think about your company and its place in the contemporary market.
A recent Nasdaq report found that “91% of Board Members at the most vulnerable companies can't interpret a cybersecurity report.” Given that breaches doubled in 2016, the knowledge gap between executives and IT must be bridged. The first step in bridging that gap is to identify why cyber risk should be a business priority for any executive. The goal isn’t to turn CEOs, CFOs and other business leaders into technologists, but for businesses to adapt to the digital landscape in which they exist. This requires effort from both management and IT to find middle ground in a relationship that has often been difficult, but the rewards from doing so extend far beyond preventing major breach incidents to affecting day to day business processes so managers and IT professionals can work together with reasonable expectations and grounded knowledge in what the other needs.
When we talk about cyber risk, what’s most often at risk is the personal information of customers. Whether credit card info, medical records, addresses and phone numbers, or any other kind of sensitive information, the goal of a data breach is to acquire and exploit this information in a way that can have a serious impact on the lives of the people to whom it belongs. Before even delving into the business considerations, remember that real people will be affected if their data is compromised and that the process of undoing that damage can be tedious, stressful and expensive.
This should be the obvious one. Data breaches are expensive. There are so many vectors impacted financially by a serious data breach that it can be difficult to list them all, but among them are: falling stock prices, investigative and forensic efforts, identity protection services for affected customers, PR initiatives and media, and legal consulting and fees (not to mention possible action.) Indirect financial costs include loss of customers, both current and potential, acute, reactionary cybersecurity remediation, and any outage time incurred during investigation/remediation.
Even less serious attacks like ransomware can cost a company tens of thousands of dollars if they are not prepared to deal with it. While perhaps small compared to the multimillions lost by large scale data breaches, ransomware hits large and small companies equally and the financial impact can be considerable, not to mention embarrassing.
Finally, as cyber insurance becomes more and more the norm, pricing for policies will become contingent on security posture. Rates for companies with fewer security measures will be higher, and incidents such as breaches that bring claims against the insurance will raise the rates even further, like when you have an at-fault accident in your car. To successfully manage the price of cyber insurance, companies will need a proactive cyber risk strategy to both document security posture and prevent costly incidents.
Other than customer data, or possibly company financial data, another major target of cyber attacks is proprietary business data, such as plans, code and other intellectual property, or strategy and communications, such as email, voice mail and shared documents. For many companies, this data is their business. If it becomes public, or is sold to competitors or a state entity, the profitability of the breached company could be severely harmed. Digital documents are the lifeblood of most businesses and their disclosure is a business problem, not an IT problem. Even external partners can imperil shared data, highlighting the importance of vendor risk assessment questionnaires in choosing such third-party firms.
Data breaches receive quite a bit of media attention, as they likely should, given their impact. For a company, this can mean (at best) a difficult period of weathering a storm of criticism, mockery and lack of confidence. If people associate your brand name with a data breach incident, it’s unlikely that they would choose to use your services or product at a later point in time, regardless of what measures you’ve taken since then. Current customers may be motivated to switch to a competitor if they feel they can no longer trust a company with their information. Furthermore, a company with a known breach may be a beacon to other cyber attackers, who will assume that the company has weak security. The increase in attacks could mean a whole new incident if the problems that allowed the initial breach aren’t remediated immediately.
The reputation issue extends beyond the company entity to the executives managing it. Lawsuits brought by shareholders against the private individuals running a company are not only possible, but commonplace in the wake of a major breach. Negligence regarding cyber security may cost a CIO or CTO her job, but it can cost a CEO her livelihood and career, if she, like the company, becomes associated with a widely reported data breach. The reason behind this is simple: customers don’t care about the inner divisions between management and IT, between business leaders and technologists. The buck stops with the CEO, and that is what customers, shareholders and journalists will expect.
The causes of cyber security incidents may be technological in nature, but their effects are purely business effects, and as such the business is measured and judged by them. Because of this and the reasons mentioned above, it is crucial that executives incorporate cyber risk into their business strategies, including even with external partners via vendor risk assessments, and begin addressing it as the important, integrated business operation it is. To accomplish this, an unprecedented level of visibility is required inside the data center and out.
Inside, IT professionals need the visibility to know what is going on in their systems, to know what configurations are where, what systems are compliant, and which require remediation. Outside, executive management needs the visibility to understand the business’ cyber security posture without becoming technologists themselves. This is the essence of cyber resilience, mitigating risk. UpGuard provides a single pane to accomplish both of these goals. Our configuration monitoring and continuous testing ensure that systems are visible and inventoried, and that changes are monitored, logged and the appropriate people notified. Our search engine and easy to use interface mean no time wasted learning the tool and more time spent on protecting assets.
UpGuard also provides CSTAR, the first all-encompassing security posture score and executive summary that visualizes an organization’s internal and external security into one number, similar to a credit score. Cyber risk is about establishing enough security to keep your business reasonably protected, while establishing enough visibility to head off major incidents and keep management and insurers informed on the state of IT.