Mar 26, 2019

An Ongoing Project: A Cyber Risk Mitigation Strategy

Why do business owners and stakeholders consider cybersecurity risk prevention to be a top priority above other operations?1 A number of high profile data breaches in recent years, including the likes of British Airways and Facebook,2 are proving that no one is safe from cyber attacks. With cybercrime damage costs expected to reach $6 trillion annually by 2021,3 businesses of all sizes are rapidly taking countermeasures to contain risks through the implementation of cybersecurity strategies.

The true cost of a cyber attack

The damage of cybercrime can depend greatly on how resilient a company is and what cybersecurity strategy they have set in place.

According to a study conducted by the Ponemon Institute, the average cost of a successful cyber attack to an organisation can be as much as $5 million, or $301 per employee.4 But dollars lost account only for the direct cost of a breach. The true costs can cut even deeper, and some businesses never fully recover from a cyber attack.

Here are four factors that influence the indirect costs of a breach:

  1. Data loss
    According to recently collected data on cybersecurity, approximately 2.6 billion records were stolen, lost or exposed worldwide in 2017.5 The loss of this information racks up much larger bills than just the initial data recovery, leading to potential fines, penalties, and litigation for a business.
  2. Investor perception
    Once a breach happens, a sudden drop in a company’s perceived value is likely to follow. Negative media coverage can fuel the “sell now” groupthink, which could be the final nail in the coffin if your business is unable to stay afloat in the wake of an attack. This is especially true for smaller companies that don’t have the infrastructure.6
  3. Reputation
    Companies don’t only lose current customers following a cyber attack; a damaged brand reputation means they also lose the potential to gain new ones down the road. A company’s brand is linked to all aspects of business, including growth and revenue. In fact, 85% of U.S. consumers are loyal to brands that safeguard and protect their personal information,7 meaning a data breach can have serious implications for the future of your business.
  4. Operational cost
    On top of loss of data, cybercriminals will sometimes focus their efforts on taking down a business’s online operations through DDoS attacks, which can lead to loss of customers and, ultimately, money.8 This risk, in particular, is one that requires strategic resilience planning to overcome.

Mitigating attacks through cyber risk management

There are many ways an organisation can be deemed to be cyber resilient, but an important indicator is a deep understanding of cyber risk. This means going above and beyond IT considerations, by implementing cyber risk management into your overall business strategy.9

Organisations that have traditionally viewed cybersecurity as separate from other risks are now starting to see the bigger picture. Lori Bailey, Global Head of Cyber Risk at Zurich Insurance, says, “The goal should be to develop resilience and protection, because as cyber risks accumulate it becomes more difficult to anticipate them all.”10

To manage risk, a company needs to assess the likelihood and potential effects of a cyber attack and then determine the best way of dealing with them. Not all risks can be entirely avoided, and no organisation has an unlimited budget or enough staff to completely secure their network. Instead, risk management is about handling the effects of uncertainty in a way that makes the most sense through an effective use of resources.

Business leaders and security operations managers need to ensure they are working together to make the right decisions in different areas of the business in order to be successful. Keeping track of cybersecurity is no longer just an IT function. With the threat of cyber attacks becoming increasingly damaging to business operations, it’s the responsibility of all departments to be vigilant.

Creating a cybersecurity culture

One of the most vulnerable areas for any organisation is its employees. According to IBM’s annual X-Force Threat Intelligence Index 2018, human negligence remains the leading cause of data breaches, accounting for two-thirds of all the records compromised in 2017.11

Because of this, all employees are responsible for ensuring the network is kept safe. You could have the latest anti-virus technology, but inadvertent human error can still allow malicious software a way in.

Focusing on fostering a strong cybersecurity culture could be a better defence against cyber threats than any single technological policy. A cybersecurity culture aims to make information security considerations an integral part of an employee’s daily life, and is achieved only by weaving cybersecurity through organisational procedures and practices, and by maintaining active conversations with staff.

To ensure you follow best practice when it comes to your security, your plan should encompass the following:

  • Establish a cybersecurity compliance standard and data use policy for all employees12
  • Recognise potential threats, and the many forms they come in like phishing and ransomware13
  • Keep your work secure by using passwords of at least six characters that include at least one special character and at least one capital letter. Update these passwords at least every 30 to 60 days14
  • Teach employees to detect and report suspicious behaviour15

Key pointers: Strategising for cyber risk mitigation

Consider these procedures when creating your cyber mitigation strategy:

  1. Do hardware assessments
    Ensure that your business only uses ‘clean’ hardware: don’t allow any device that hasn’t been scanned for potentially dangerous viruses. Once that is done, keep an inventory of the key assets, data, systems and infrastructure that the business’s operations depend on, so that they can be tracked.16
  2. Secure wireless networks
    Encrypt any wireless network that carries company data. Use the stronger AES (Advanced Encryption Standard) encryption together with a complex passphrase to provide better protection against more capable attackers. Restrict users’ web access to safe and necessary websites.17 Block unverified websites and websites that allow illegal downloading and streaming.
  3. Back up data
    All business data should be backed up. In the event of a breach, any lost data should be retrievable. Implement access control, limiting pertinent information on a need-to-know basis, to ensure privacy and protection.18
  4. Action software updates
    Cybercriminals are constantly evolving, so you have to prepare to be one step ahead. Make sure your software is as up-to-date as possible, to lessen the chances of a successful cyber attack.19
  5. Review insurance policies
    If all your hard efforts to prevent and stop data breaches still fail, cyber insurance should cover the business’s liability.20
  6. Go threat hunting
    Companies should take further steps to prevent attacks by hiring cybersecurity professionals like ethical hackers, penetration testers, and threat investigators21 to actively hunt for threats rather than only reactively defending their company data.

In order to optimise your cyber risk mitigation strategy, you need to manage cyber breaches before, during and after they happen through a proactive approach. In a world of ever-evolving threats, making sure you, your network, and your staff have what it takes to stay secure in the face of an impending attack is fundamental to surviving in today’s cyber landscape.

  • 1 Ashford, W. (Feb, 2019). ‘IT Priorities 2019: Cyber security and risk management among top priorities for 2019’. Retrieved from Computer Weekly.
  • 2 Leskin, P. (Dec, 2018). ‘The 21 scariest data breaches of 2018’. Retrieved from Business Insider.
  • 3 (2017). ‘Cybercrime damages $6 Trillion by 2021’. Retrieved from Cybersecurity Ventures.
  • 4 Crowe, J. (Feb, 2018). ‘10 Must-Know Cybersecurity Statistics for 2018’. Retrieved from Barkley.
  • 5 Ismail, N. (Apr, 2018). ‘Cyber security failings grow as 2.6BN records stolen or compromised in 2017’. Retrieved from Information Age.
  • 6 Eubanks, N. (Jul, 2017). ‘The True Cost Of Cybercrime For Businesses’. Retrieved from Forbes.
  • 7 (Feb, 2017). ‘Organizations wasting billions on customer loyalty programs that don’t work like they used to’. Retrieved from Accenture.
  • 8 Weisman, S. (n.d.). ‘What is a distributed denial of service attack (DDoS) and what can you do about them?’. Retrieved from Norton.
  • 9 Dobrygowski, D. (Jul, 2016). ‘Cyber resilience: everything you (really) need to know’. Retrieved from World Economic Forum.
  • 10 Bailey, L. (Apr, 2016). ‘Cyber risks spill over into the physical world’. Retrieved from Zurich.
  • 11 (Mar, 2018). ‘IBM X-Force Threat Intelligence Index 2018’. Retrieved from IBM.
  • 12 Hayslip, G. (Mar, 2018). ‘9 policies and procedures you need to know about if you’re starting a new security program’. Retrieved from CSO Online.
  • 13 Rashid, F. (Oct, 2017). ‘Types of phishing attacks and how to identify them’. Retrieved from CSO Online.
  • 14 Jones, B. (Sep, 2017). ‘How often do you really need to change your passwords?’. Retrieved from Psafe.
  • 15 Cooper, C. (May, 2017). ‘How to get your staff to take cybersecurity seriously’. Retrieved from CNET.
  • 16 Shein, M.D. (Jan, 2018). ‘Mitigating cyber risk in 2018’. Retrieved from Risk Management.
  • 17 Woollven, C. (2017). ‘5 ways SMEs can mitigate cyber security risks’. Retrieved from IT Governance.
  • 18 Woollven, C. (2017). ‘5 ways SMEs can mitigate cyber security risks’. Retrieved from IT Governance.
  • 19 Woollven, C. (2017). ‘5 ways SMEs can mitigate cyber security risks’. Retrieved from IT Governance.
  • 20 (Nov, 2018). ‘Cyber insurance and why you need it’. Retrieved from IT Web.
  • 21 Nelson, N. (Mar, 2018). ‘7 Jobs you didn’t know about in cyber security’. Retrieved from Woz-u.