In today’s world, where nearly every company is partly or wholly internet-dependent, one term has become synonymous with business risk: cyber risk. In my position, however, I am often surprised to find that this threat does not carry nearly as much weight inside an organization as it should.
Attacks on internet-connected computers happen, on average, every 39 seconds (a figure from a University of Maryland study of attacks on exposed systems). And yet many businesses continue to overlook this threat. What we sometimes see is that key decision-makers struggle to justify the cost of mitigating cyber risk, particularly if they have not experienced the damage it can do to a business first-hand. It is easy to believe you are not susceptible to what you do not see. But as former FBI Director Robert S. Mueller said in his 2012 speech at the RSA Conference, “there are only two types of companies: those that have been hacked and those that will be.” This underscores everything we at DYOPATH try to instill in our clients: if you think your business is safe because you have not had a security breach yet, that could change in less than a minute.
Cyber risk within organizations has never been higher. As technology innovation continues to drive business performance and strategy, cybercriminals rise to meet it. Fundamental business moves such as globalization, cloud migration, outsourcing, and third-party network connections all widen the attack surface and increase this risk. But a business is not going to simply cease operations to avoid risk. After all, every business activity carries some risk; the question is whether that risk is managed.
Ultimately, it comes down to evaluating risk vs. reward. So, what exactly are businesses risking here? To explain, I’ll start by describing what cyber risk really is.
Defining Cyber Risk in Business
Cyber risk is the potential for exposure, harm, or loss resulting from attacks on, or failures of, an organization’s technical infrastructure and technology use. A cyberattack is an attempt to realize that risk: disabling systems, stealing data, or using compromised systems to launch further attacks. A data breach is the exposure of confidential information, often the result of a cyberattack but sometimes the result of simple misconfiguration or mishandling.
Anyone is susceptible to cyber risk, from small businesses to school districts to large enterprises and governments. Organizations can be targeted for a variety of reasons, including financial fraud, information theft, service disruption, or infrastructure sabotage. Many organizations think solely of threats from outside the organization; however, a significant share of incidents originate from within, and the intent behind them can be either deliberate or accidental.
For instance, an external, malicious attack might come from a cybercriminal encrypting your data with ransomware and demanding payment for the key. In contrast, an internal, unintentional breach may occur when an employee protects customers’ private data with a weak or reused password. While the occasional disgruntled employee does commit a deliberate attack, the majority of insider incidents are accidental, caused by carelessness or a lack of security awareness and training.
Many organizations simply are not taking cyber risk seriously enough, and yet they often hold a large amount of sensitive data that, if compromised, could damage their reputation and expose both the company and the people whose data it holds. This sensitive data might include:
- Intellectual property
- Regulated data
- Product data and research
- Financial and personal staff information
- Financial and personal customer information
- Source code
As you can see, cyber risk is not just a problem for your IT department. Rather, it should be regarded as one of the most destructive sources of risk in your organization. In fact, the consequences of cybersecurity failures can be so severe that it is not uncommon for senior executives to lose their positions for failing to implement proper security measures. Because of this, boards of directors and executives are increasingly expected to integrate cybersecurity into their overall business strategy rather than treat it as a technical afterthought.
Quantifying the Damages of Cyber Risk
The damage to an organization caused by cybersecurity failures shows up in both quantifiable and qualitative costs. Monetary losses can arise from lost productivity and revenue (caused by downtime and diminished brand equity), threat remediation, incident response, regulatory fines, legal costs, customer notification, and rebranding efforts.
In the case of a data breach, the costs can be astronomical. In the 2019 Cost of a Data Breach report released by IBM and the Ponemon Institute, the average total cost of a data breach in the U.S. was more than $8 million per company, at $242 per lost or stolen record. The same study put the average breach lifecycle, the time from the breach occurring to its identification and containment, at 279 days.
Qualitative costs can be just as damaging, in some cases more so, and are often much longer-lasting. With the loss of intellectual property, a business is exposed to decreased market share and competitive advantage. And the loss of customer trust can be catastrophic, sometimes eliminating a business’s chance of rebounding altogether. This is especially true when the failure could have been avoided with proactive measures such as a strong security posture and solid security training. Once word gets out about a company’s failure to protect its data, people do not easily forget.
Unmanaged cyber risk exposes an organization to a host of vulnerabilities whose consequences range from service disruption to financial ruin and closure. Cybersecurity measures may look like an unnecessary business expense in the moment, but compared with the aftermath of an attack, the cost of security is spare change.
How Susceptible is Your Organization?
Whether you are a small business, an educational institution, a federal agency, or a multimillion-dollar enterprise, you are not immune to cyber risk. So, as daunting as it sounds, every type of organization is susceptible, even those with security measures in place. The difference lies in how well your organization is able to respond. Your organization will likely fall into one of three categories: (1) you have no security measures in place, leaving you most vulnerable to becoming a victim and accruing the highest costs; (2) you have one or two point products, such as anti-virus or a firewall, but are still left with large gaps in your security coverage; or (3) you have a customized, holistic program in place, including endpoint detection and response, incident response, vulnerability management, email security, and security awareness training, placing your organization in the best possible position to mitigate risk and avoid costly breaches. This third category is the level of Advanced Security Services we provide at DYOPATH with our Managed Security Offerings.
Organizations must determine the level of acceptable risk they are prepared to tolerate in relation to what they are willing to invest to manage that risk. Key stakeholders need to consider the following questions:
- What data do we have that could cause personal harm to others (employees, students, customers, partners, etc.)?
- What data must, under all circumstances, remain confidential and private?
- What aspects of the business can we live without and what is the acceptable timeframe for this downtime?
- What losses would be catastrophic if experienced?
Determining the level of acceptable risk is more than a technical conversation; it is a strategic one. It treats cyber risk, operational risk, and business risk as a single interwoven system in which each risk is prioritized by its likelihood and potential impact. At DYOPATH, we work closely with our clients to determine their level of acceptable risk, performing audits, penetration testing, and vulnerability scans. Many of our clients come to us with heightened security concerns or compliance changes, and our security experts’ guidance lets them focus on their core business while meeting those needs.
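The questions above are the inputs to a risk register, and the decision they lead to (how much to spend, on what, and which residual risk to accept) can be made quantitatively. The following Python is an added example, not DYOPATH's code or method: it applies the standard annualized loss expectancy calculation (ALE = single loss expectancy × annualized rate of occurrence) and return on security investment (ROSI) to rank risks, choose the controls worth funding within a budget, and flag any residual risk still above the stated tolerance. Every risk, control, cost, probability, and the budget and tolerance figures are constructed illustrations; the $242-per-record figure is borrowed from the IBM/Ponemon report cited above only as a way to estimate one single-loss value.

```python
"""Quantitative risk prioritization with ALE and ROSI.

Added example; all risks, controls and figures below are constructed
illustrations, not the article's or any organization's real numbers.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: estimated cost of one occurrence, USD
    aro: float  # annualized rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: what this risk costs per year on average."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    risk: str           # name of the Risk this control mitigates
    annual_cost: float  # licence, hardware and staff time per year, USD
    reduction: float    # fraction of the remaining ALE it removes, 0..1


@dataclass
class Plan:
    chosen: list = field(default_factory=list)   # control names, in selection order
    spent: float = 0.0
    residual: dict = field(default_factory=dict)  # risk name -> residual ALE


def rosi(control: Control, ale: float) -> float:
    """Return on security investment against a given (remaining) ALE.

    (loss avoided - control cost) / control cost. Negative means the control
    costs more per year than the loss it prevents; accept the risk instead.
    """
    avoided = ale * control.reduction
    return (avoided - control.annual_cost) / control.annual_cost


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Rank risks by annual expected loss, highest first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def select_controls(risks: list[Risk], controls: list[Control], budget: float) -> Plan:
    """Greedy selection: take controls in order of initial ROSI, re-evaluating
    each against the residual ALE left by controls already chosen for the same
    risk, and skip anything with non-positive ROSI or that breaks the budget."""
    plan = Plan(residual={r.name: r.ale for r in risks})
    by_initial_rosi = sorted(controls,
                             key=lambda c: rosi(c, plan.residual[c.risk]),
                             reverse=True)
    for control in by_initial_rosi:
        remaining = plan.residual[control.risk]
        if rosi(control, remaining) <= 0:
            continue  # not worth its cost against what is left of this risk
        if plan.spent + control.annual_cost > budget:
            continue  # cannot afford it this cycle
        plan.chosen.append(control.name)
        plan.spent += control.annual_cost
        plan.residual[control.risk] = remaining * (1 - control.reduction)
    return plan


def above_tolerance(residual: dict, tolerance: float) -> list[str]:
    """Risks whose residual ALE still exceeds the accepted per-risk tolerance;
    these need further treatment or an explicit, documented acceptance."""
    return [name for name, ale in residual.items() if ale > tolerance]


# Constructed sample register. The PII breach SLE uses 10,000 records at the
# report's $242 per record purely to illustrate how an SLE can be estimated.
RISKS = [
    Risk("Ransomware on file servers", sle=500_000, aro=0.2),
    Risk("Customer PII breach via phishing", sle=10_000 * 242, aro=0.1),
    Risk("Public website defacement", sle=20_000, aro=0.5),
]
CONTROLS = [
    Control("Endpoint detection and response", "Ransomware on file servers", 30_000, 0.6),
    Control("Security awareness training", "Customer PII breach via phishing", 15_000, 0.4),
    Control("Email security gateway", "Customer PII breach via phishing", 40_000, 0.5),
    Control("Web application firewall", "Public website defacement", 25_000, 0.8),
]

if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{r.name:36s} ALE ${r.ale:>12,.0f}")
    plan = select_controls(RISKS, CONTROLS, budget=100_000)
    print("Funded:", plan.chosen, f"for ${plan.spent:,.0f}/yr")
    print("Still above $50k tolerance:", above_tolerance(plan.residual, 50_000))
```

With these constructed figures the web application firewall is never funded: it would cost more per year than the defacement risk it removes, so that risk is cheaper to accept than to treat. Conversely, even after both phishing controls the PII breach remains above the $50,000 tolerance, which is exactly the kind of finding that should go back to the stakeholders as a decision rather than stay buried in IT.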
Being immersed in this threat environment daily, I understand the delicate balance involved in determining the appropriate level of security investment and weighing risk against reward. But I firmly believe a business requires constant investment, and by investing back into your business you are building lasting success. Cyber risk cannot be completely eliminated; some residual risk will always remain. However, with comprehensive IT security management, DYOPATH can help you balance your business risk against your security risk, supporting business continuity and a stronger security posture that keeps your organization moving forward.
Thank you for taking the time to read this blog. As part of our “Cyber Risk is Business Risk!” campaign, we are aiming to educate business leaders on the serious impact that cybersecurity has on organizations. I have two more blogs coming up on the urgency of cybersecurity today and the risk of relying on reactive cybersecurity measures.
You can learn more about DYOPATH and our Advanced Security Services by visiting our website.
Chuck Orrico, Executive Vice President
DYOPATH
About the author: Chuck Orrico is the Executive Vice President (EVP) at DYOPATH. He is responsible for leading strategic growth initiatives across both sales and marketing. Chuck has more than 35 years of experience in helping clients develop business solutions through IT strategic planning, information management, and technology investment. Today, his entrepreneurial spirit and keen business acumen have helped DYOPATH maintain its focus on quality, which has resulted in improved business operations for its clients. His leadership is grounded in mentorship, business growth, and client satisfaction. His passion for DYOPATH comes from the culture, values, and working with “A” players.