Risks and Considerations of Cybersecurity

Businesses, financial institutions, the government, and the public sector have reaped the rewards of advances in information technology. However, data is a valuable commodity and managing the risk of exploitation has become an industry-wide priority.

In this video, Eric Rosenbach, Course Convener in the Harvard VPAL Cybersecurity: Managing Risk in the Information Age online short course, discusses the risks companies face in the aftermath of a cyberattack, from operational incapacity, financial loss, reputational harm, and litigation.

Transcript

Information technology has made huge advancements on the way that an organization can run.

However, with all of those advances comes new risks.

So, there are three important risks that I want you all to understand. The first is Business Operational risk, the second is Legal and Litigation risk, and the third is Reputational risk.

First, when you think about Business Operational risk, this literally means the risk that a cyberattack would take down your core operation in a way that prevented you from either delivering goods and services, accomplishing your mission, or – when it comes down to it in the private sector – just making money.

If you, for example, were targeted and you’re hacked, and you were no longer able to process payments, because the credit card system had been hacked, that has a big business impact.

You’re not able to process payments and, thus, you’re not able to bring in money and conduct sales.

Think about the Department of Defense, where I used to work, business operations are very important. We placed a high priority on our cybersecurity because we did not want to be in the situation where our network was down and, thus, we couldn’t fly aircraft; we couldn’t deliver precision munitions.

Also, think about it in the banking sector. And a good case is the case of the Iranian attack on the financial services, where they conducted DDoS, which prevented customers from coming to their public-facing website, process payments, and get their business done.

The next thing I’d like to talk to you about is Litigation risk and Legal risk. So, when one of these cyberattacks happens, really, one of the things that can pose the biggest risk to a private sector firm, in particular, is Litigation risk. That means that some of the activities that resulted from the hack will result in lawsuits against your firm and your executives.

In Target, for example, there was a shareholder derivative suit. That meant all the holders of Target stock sued the board and the executives of Target because they felt that their reaction to the attack was not good. That costs the firm money and then lowers their profit.

Another form of Legal risk is Criminal Legal risk. When there’s a hack, usually, some aspects of the criminal code is influenced and implicated. And that means you’re going to be dealing with the FBI, or other law enforcement agencies, depending on how it’s set up in your country.

That also can present a reputational risk problem because now people see that you’re mixed up with a criminal lawsuit.

Finally, I want to talk to you about Reputational risk. This is really important to understand. And it really drives and flows from those first two risks that I talked to you about.

So, for example, if you’re hacked and your business operations go down, then you can expect that your reputation is going to suffer because customers are accustomed to being able to depend on you for the service.

In the case of the financial services who were attacked by the Iranians; consumers who were used to be able to go their webpage, do all their banking transactions and then move on. When they can’t do that, their opinion of you and your firm goes down, it diminishes, they start to question whether you’re a credible organization.

Here’s another perfect example that can have a real financial impact: Yahoo disclosed major hacks over a period of time that gave the impression to people who were considering doing a merger and acquisition with Yahoo that they weren’t competent in their handling, either of their cybersecurity, the litigation, or the public affairs. It hurt their reputation as a firm to the point that it really drove down the cost and the transaction.

So, reputational risk is something that seems intangible, but is really important, and something that you need to think about consciously.

The best way to really understand these risks that I’ve just talked about is for you to think critically about your own work now, maybe your own firm, if you work in the government, your organization’s mission. And think through, from your perspective: How could these risks come into play with where I work right now?