An Ongoing Project: A Cyber Risk Mitigation Strategy

BUSINESS & MANAGEMENT, SYSTEMS & TECHNOLOGY   |   4 minutes  |   March 26, 2019

GetSmarter Blog Image GetSmarter Blog Image  

Why do business owners and stakeholders consider cybersecurity risk prevention to be a top priority above other operations?1 A number of high profile data breaches in recent years, including the likes of British Airways and Facebook,2 are proving that no one is safe from cyber attacks. With cybercrime damage costs expected to reach $6 trillion annually by 2021,3 businesses of all sizes are rapidly taking countermeasures to contain risks through the implementation of cybersecurity strategies.

The true cost of a cyber attack

The damage of cybercrime can depend greatly on how resilient a company is and what cybersecurity strategy they have set in place.

According to a study conducted by Ponemon Institute, the average cost of a successful cyber attack to an organisation can be as much as $5 million, or $301 per employee.4 But dollars lost only accounts for the direct cost of a breach. The true costs can cut even deeper and some businesses never fully recover from a cyber attack.

Here are four factors that influence the indirect costs of a breach:

  1. Data loss
    According to recently collected data on cybersecurity, approximately 2.6 billion records were stolen, lost or exposed worldwide in 2017.5 The loss of this information racks up much larger bills than just the initial data recovery, leading to potential fines, penalties, and litigation for a business.
  2. Investor perception
    Once a breach happens, a sudden drop in a company’s perceived value is likely to follow. Negative media coverage can fuel the “sell now” groupthink, which could be the final nail in the coffin if your business is unable to stay afloat in the wake of an attack. This is especially true for smaller companies that don’t have the infrastructure.6
  3. average cost of a cyber attack average cost of a cyber attack  
  4. Reputation
    Companies don’t only lose current customers following a cyber attack; a damaged brand reputation means they also lose the potential to gain new ones down the road. A company’s brand is linked to all aspects of business, including growth and revenue. In fact, 85% of U.S. consumers are loyal to brands that safeguard and protect their personal information,7 meaning a data breach can have serious implications for the future of your business.
  5. Operational cost
    On top of loss of data, cybercriminals will sometimes focus their efforts on taking down a business’ online operations through DDOS attacks, which can lead to loss of customers, and ultimately money.8 This risk, in particular, is one that requires strategic resilience planning to overcome.

Mitigating attacks through cyber risk management

There are many ways an organisation can be deemed to be cyber resilient, but an important indicator is a deep understanding of cyber risk. This means going above and beyond IT considerations, by implementing cyber risk management into your overall business strategy.9

Organisations that have traditionally viewed cybersecurity as separate from other risks are now starting to see the bigger picture. Lori Bailey, Global Head of Cyber Risk at Zurich Insurance, says, “The goal should be to develop resilience and protection, because as cyber risks accumulate it becomes more difficult to anticipate them all.”10

To manage risk, a company needs to assess the likelihood and potential effects of a cyber attack and then determine the best way of dealing with them. Not all risks can be entirely avoided, and no organisation has an unlimited budget or enough staff to completely secure their network. Instead, risk management is about handling the effects of uncertainty in a way that makes the most sense through an effective use of resources.

The goal should be to develop resilience and protection, because as cyber risks accumulate it becomes more difficult to anticipate them all.

Business leaders and security operations managers need to ensure they are working together to make the right decisions in different areas of the business in order to be successful. Keeping track of cybersecurity is no longer just an IT function. With the threat of cyber attacks becoming increasingly damaging to business operations, it’s the responsibility of all departments to be vigilant.

GetSmarter Blog Image GetSmarter Blog Image  

Creating a cybersecurity culture

One of the most vulnerable areas for any organisation is its employees. According to IBM‘s annual X-Force Threat Intelligence Index 2018, human negligence remains the leading cause of data breaches, accounting for two-thirds of all the records compromised in 2017.11

Because of this, all employees are responsible for ensuring the network is kept safe. You could have the latest anti-virus technology, but inadvertent human error can still allow malicious software a way in.

Focusing on fostering a strong cybersecurity culture could possibly be a better defence against cyber threats than any single technological policy. A cybersecurity culture intends to make information security considerations an integral part of an employee’s daily life, and is only achieved by weaving cybersecurity through organisational procedures and practices, and maintaining active conversations with staff.

To ensure you follow best practice when it comes to your security, your plan should encompass the following:

  • Establish a cybersecurity compliance standard and data use policy for all employees12
  • Recognise potential threats, and the many forms they come in like phishing and ransomware13
  • Keep your work secure by using passwords with at least six characters, one of which should be a special character and it should also include at least one capitalised letter. Update these passwords at least every 30 to 60 days14
  • Teach employees to detect and report suspicious behaviour15

Key pointers: Strategising for cyber risk mitigation

Consider these procedures when creating your cyber mitigation strategy:

  1. Do hardware assessments
    Ensure that your business only uses ‘clean’ hardware. Don’t allow hardware that hasn’t been scanned for a potentially dangerous virus. After which, an inventory of key assets, data, systems and infrastructure is essential to the business’s operations in order to track them.16
  2. Secure wireless networks
    Encrypt wireless networks that company data is on. Utilise stronger AES (Advanced Encryption Standard) encryption and a complex passphrase to provide better security from stronger attacks. Filter users’ access to safe and necessary websites.17 Block unverified websites and websites that allow illegal downloading and streaming.
  3. Back up data
    All business data should be backed up. In the event of a breach, any lost data should be retrievable. Implement access control, limiting pertinent information on a need-to-know basis, to ensure privacy and protection.18
  4. Action software updates
    Cybercriminals are constantly evolving, so you have to prepare to be one step ahead. Make sure your software is as up-to-date as possible, to lessen the chances of a successful cyber attack.19
  5. Review insurance policies
    If all your hard efforts to prevent and stop data breaches still fail, cyber insurance should cover the business’ liability.20
  6. Go threat hunting
    Companies should take further steps to prevent attacks by hiring cybersecurity professionals like ethical hackers, penetration testers, and threat investigators21 to actively hunt for threats rather than only reactively defending their company data.

In order to optimise your cyber risk mitigation strategy, you need to manage cyber breaches before, during and after they happen through a proactive approach. In a world of ever-evolving threats, making sure you, your network, and your staff have what it takes to stay secure in the face of an impending attack is fundamental to surviving in today’s cyber landscape.

  • 1 Ashford,W. (Feb, 2019). ‘IT Priorities 2019: Cyber security and risk management among top priorities for 2019’. Retrieved from Computer Weekly.
  • 2 Leskin, P. (Dec, 2018). ‘The 21 scariest data breaches of 2018’. Retrieved from Business Insider.
  • 3 (2017). ‘Cybercrime damages $6 Trillion by 2021‘. Retrieved from Cybersecurity Ventures.
  • 4 Crowe, J. (Feb 2018). ‘10 Must-Know Cybersecurity Statistics for 2018’. Retrieved from Barkley.
  • 5 Ismail, N. (Apr, 2018). ‘Cyber security failings grow as 2.6BN records stolen or compromised in 2017’. Retrieved from Information Age.
  • 6 Eubanks N. (Jul, 2017). ‘The True Cost Of Cybercrime For Businesses’. Retrieved from Forbes.
  • 7 (Feb, 2017). ‘Organizations wasting billions on customer loyalty programs that don’t work like they used to’. Retrieved from Accenture.
  • 8 Weisman, S. (Nd). ‘What is a distributed denial of service attack (DDoS) and what can you do about them?’. Retrieved from Norton.
  • 9 Dobrygowski, D. (Jul, 2016). ‘Cyber resilience: everything you (really) need to know’. Retrieved from World Economic Forum.
  • 10 Bailey, L. (Apr, 2016). ‘Cyber risks spill over into the physical world‘. Retrieved from Zurich.
  • 11 (Mar, 2018). ‘ IBM X-Force Threat Intelligence Index 2018’. Retrieved from IBM.
  • 12 Hayslip, G. (Mar, 2018). ‘9 policies and procedures you need to know about if you’re starting a new security program’. Retrieved from CS Online.
  • 13 Rashid, F. (Oct, 2017). ‘Types of phishing attacks and how to identify them’. Retrieved from CS Online.
  • 14 Jones, B. (Sep, 2017). ‘How often do you really need to change your passwords?’. Retrieved from Psafe.
  • 15 Cooper, C. (May, 2017). ‘How to get your staff to take cybersecurity seriously’. Retrieved from CNET.
  • 16 Shein, M.D. (Jan, 2018). ‘Mitigating cyber risk in 2018’. Retrieved from Risk management.
  • 17 Woollven, C. (2017). ’5 ways SMEs can mitigate cyber security risks’. Retrieved from IT Governance.
  • 18 Woollven, C. (2017). ’5 ways SMEs can mitigate cyber security risks’. Retrieved from IT Governance.
  • 19 Woollven, C. (2017). ’5 ways SMEs can mitigate cyber security risks’. Retrieved from IT Governance.
  • 20 (Nov, 2018). ‘Cyber insurance and why you need it’. Retrieved from IT Web.
  • 21 Nelson, N. (Mar, 2018). ‘7 Jobs you didn’t know about in cyber security’. Retrieved from Woz-u.