As the leader of a cybersecurity company, I have firsthand experience of the degree to which companies have been subjected to cyberattacks. We’ve all seen recurring ransomware headlines, but companies also face Distributed Denial of Service (DDoS) attacks, supply chain breaches, and phishing attacks, among others.
According to a recent Forrester report, one billion records were exposed in the top 35 breaches last year; $2.6 billion was stolen in the top nine cryptocurrency breaches; and $2.7 billion in fines was imposed on the top 35 offenders. These are just some examples:
- Lapsus$ claimed to have stolen 1 terabyte of crucial data from semiconductor chip company Nvidia. The group demanded a million-dollar ransom and made additional demands.
- Google fended off a DDoS attack on a Google Cloud Armor client, comparing it to “receiving all daily requests to Wikipedia (one of the most trafficked websites) in just 10 seconds.”
- Shares of authentication company Okta plunged when it announced that the records of about 2.5% of its customer base were exposed in a supply chain attack.
- A new record for phishing was set, with more than 1,270,000 attacks recorded in the third quarter of 2022 alone, according to the Anti-Phishing Working Group.
The cost of a data breach
The average cost of a data breach reached $4.35 million in 2022, according to IBM’s Cost of a Data Breach Report 2022, representing an increase of 2.6% from 2021 and an increase of 12.7% since 2020.
For ransomware, the costs are different: The median payment in 2021 was about $1.85 million, more than double the $760,000 figure from 2020, according to a SpyCloud report.
And these are just the direct costs; the indirect costs are higher still. They include:
- Lost business, due to business interruption and lost revenue
- Lost customers and the cost of acquiring new ones
- Loss of reputation and decrease in goodwill
- Regulatory fines and court proceedings, when attacks give rise to class action lawsuits
Cyber threats are growing
Rising geopolitical tensions, particularly around the Russia-Ukraine conflict and US-China relations, have created a spillover effect in which state-sponsored cyberwarfare is affecting the private sector. Simply put: companies often become collateral damage.
The threat of cyber attacks, and the potential impact on corporate balance sheets, is expected to grow. Technological advances in areas such as generative AI and automation have strengthened threat actors, leading to new and evolving threats.
In this context, it becomes increasingly crucial that corporate boards align their organizations’ cyber risk management with their business needs.
Cybersecurity as a key business risk
Cyberattacks are, above all, a risk to the integrity of a company. They can damage the most fundamental components of a company, from the integrity of customer data to the IT infrastructure, while affecting the intellectual property, reputation, valuation and even the morale of the company’s staff.
How should board directors and senior leaders manage this type of business risk? Knowledge brings power, and the more corporate leadership knows about the impact of cyber risk on the business, the better they can provide effective leadership.
Cyber risk balance sheets can provide insight
According to the World Economic Forum report, Principles for Board Governance of Cyber Risk, 37% of organizations strongly agree that quantifying risk leads to better cyber risk management. But what is the best way to quantify the risks?
A cyber risk balance sheet is a way to map the potential financial impact of cyber events. Creating one involves:
- Standardization: Select a cyber risk quantification framework, for example by leveraging Factor Analysis of Information Risk (FAIR), an international standard quantitative model for information security and operational risk.
- Prioritization: Define the organization’s main cyber threats and quantify the probability of each.
- Mapping: Connect the probability of each cyber threat to a cyber risk expressed in financial terms, and associate those risks with future cyber investments.
This creates a ledger that chief information security officers (CISOs) can use to describe the business case for cybersecurity efforts that show a positive return on investment.
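As an added illustration of what such a ledger can look like in practice (this is not code from the article, the WEF report or the FAIR standard), the following Python sketch follows the three steps above: each scenario is estimated with FAIR’s two top-level factors, Loss Event Frequency and Loss Magnitude, as three-point ranges; the PERT means of those ranges are multiplied into an annualized loss expectancy; and each scenario is paired with a proposed control so the return on security investment can be stated in the same currency. Scenario names, dollar figures, frequencies and control effects are all constructed assumptions, not data from the page.

```python
"""FAIR-style cyber risk ledger (added example; all figures are constructed).

Not code from the original article or from the FAIR standard. Each scenario
carries three-point estimates (low, most likely, high) for Loss Event
Frequency (events per year) and Loss Magnitude (dollars per event). Their
PERT means multiply into an annualized loss expectancy (ALE); a proposed
control shrinks frequency and/or magnitude, and the ledger reports the
return on security investment (ROSI) for funding decisions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate; the PERT mean weights the most likely value 4x."""
    low: float
    likely: float
    high: float

    def __post_init__(self) -> None:
        if not (0 <= self.low <= self.likely <= self.high):
            raise ValueError(f"need 0 <= low <= likely <= high, got {self}")

    def pert_mean(self) -> float:
        return (self.low + 4 * self.likely + self.high) / 6

    def scaled(self, factor: float) -> "Estimate":
        return Estimate(self.low * factor, self.likely * factor, self.high * factor)


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: Estimate  # loss events per year
    magnitude: Estimate  # dollars lost per event

    def ale(self) -> float:
        """Annualized loss expectancy: E[frequency] * E[magnitude]."""
        return self.frequency.pert_mean() * self.magnitude.pert_mean()


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    frequency_reduction: float  # fraction of loss events prevented, 0..1
    magnitude_reduction: float  # fraction of per-event loss avoided, 0..1

    def __post_init__(self) -> None:
        for r in (self.frequency_reduction, self.magnitude_reduction):
            if not 0.0 <= r <= 1.0:
                raise ValueError(f"reduction must lie in [0, 1], got {r}")
        if self.annual_cost <= 0:
            raise ValueError("control cost must be positive")

    def residual(self, s: Scenario) -> Scenario:
        """The scenario that remains once this control is in place."""
        return Scenario(s.name,
                        s.frequency.scaled(1 - self.frequency_reduction),
                        s.magnitude.scaled(1 - self.magnitude_reduction))


def rosi(scenario: Scenario, control: Control) -> float:
    """Return on security investment: (ALE avoided - control cost) / control cost."""
    avoided = scenario.ale() - control.residual(scenario).ale()
    return (avoided - control.annual_cost) / control.annual_cost


def build_ledger(scenarios: list[Scenario], controls: dict[str, Control]) -> list[dict]:
    """One row per scenario, ordered by inherent ALE so the largest risks lead."""
    rows = []
    for s in scenarios:
        c = controls[s.name]
        rows.append({
            "scenario": s.name,
            "control": c.name,
            "ale": round(s.ale()),
            "residual_ale": round(c.residual(s).ale()),
            "control_cost": c.annual_cost,
            "rosi": round(rosi(s, c), 2),
            "fund": rosi(s, c) > 0,  # negative ROSI: the control costs more than it saves
        })
    rows.sort(key=lambda r: r["ale"], reverse=True)
    return rows


# Constructed inputs for illustration only (hypothetical company, invented numbers).
SCENARIOS = [
    Scenario("ransomware", Estimate(0.1, 0.25, 0.7),
             Estimate(200_000, 1_850_000, 6_000_000)),
    Scenario("supply chain data breach", Estimate(0.02, 0.05, 0.2),
             Estimate(1_000_000, 4_350_000, 12_000_000)),
]
CONTROLS = {
    "ransomware": Control("offline backups + EDR", 136_000, 0.5, 0.6),
    "supply chain data breach": Control("vendor access hardening", 400_000, 0.3, 0.0),
}

if __name__ == "__main__":
    for row in build_ledger(SCENARIOS, CONTROLS):
        print(f"{row['scenario']:<26} ALE ${row['ale']:>9,}  residual ${row['residual_ale']:>9,}"
              f"  cost ${row['control_cost']:>9,.0f}  ROSI {row['rosi']:>6}  fund={row['fund']}")
```

The ledger deliberately keeps inherent and residual loss side by side: the first row shows a control that returns three dollars for every dollar spent, while the second shows a control whose cost exceeds the risk it removes, which is exactly the kind of comparison the mapping step is meant to put in front of the board.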
How corporate boards should manage cyber risk
The Principles for Board Governance of Cyber Risk introduce six principles to help boards get started:
- Understand that cybersecurity is a strategic business enabler: Businesses need to look at cybersecurity in the context of strategic implications, as part of business risk.
- Understand the economic drivers and impacts of cyber risk: Businesses should define cyber risk appetite in financial terms to help inform decision making.
- Align cyber risk management with business needs: Management must integrate cyber risk analysis into business decisions.
- Ensure that the organizational design supports cybersecurity: Management must ensure that the cybersecurity function is adequately represented.
- Incorporate cybersecurity expertise into board governance: Regular sessions between management and the board should provide updates on incidents, trends, and vulnerabilities.
- Foster systemic resilience: The board should ensure that management has plans to improve resilience through collaboration with the public sector.
Finding the Right Balance: From a Business Perspective
Boards need a deep understanding of the main risks facing the company and must be able to quantify their potential impact. Investment decisions can then be weighed against the potential cost of not taking action.
By aligning cyber risk management with business needs, organizations can create a security profile that aligns with the defined risk appetite. This process requires fostering collaboration between the CISO, CTO, and CIO functions, all of whom must be involved in the analysis of each cyber scenario.
Through this approach, the board can request to see a real reduction in risk. In parallel, security leaders can build allies within business units by helping them reduce the risk of business impact.
Mapping the “Crown Jewels”
The first step in managing cyber risk is to prioritize where to focus. Organizations can leverage an industry framework like MITRE ATT&CK to gain insight into blind spots through consolidated threat visibility. MITRE provides a foundation for security operations teams to design a framework of detection rules specific to an organization’s unique threats and vulnerabilities.
Frameworks like MITRE allow you to improve coverage and response to threats by looking at parameters such as industry, geolocation, and leadership. With MITRE, organizations can identify which threats, as well as which aspects of the technology landscape, are most likely to cause harm. By using MITRE to map key business assets, a customized plan can be developed to reduce business risk.
Given the impact of the macroeconomic downturn, the biggest question facing many senior executives is how to maintain effective cybersecurity with more limited resources. That’s where automation and artificial intelligence (AI) come in, as they have the potential to lower the cost of mitigating risk.
According to IBM’s Cost of a Data Breach Report 2022, organizations that implemented AI and automation incurred $3 million less, on average, in breach costs. AI was the biggest cost saver: those who implemented AI and automation detected breaches faster, minimizing the impact on operations. Another cost-cutting strategy involves advanced cloud solutions that dramatically reduce storage and data ingestion costs.
Start by getting the right talent
To achieve all this, organizations must have the right talent. But that’s easier said than done. Simply put: there are more cybersecurity jobs than professionals available to fill them. According to (ISC)², the cybersecurity workforce grew to 4.7 million people in 2022, the largest number of workers ever recorded. However, more than 3.4 million positions were still open. That is a stark gap.
Managed detection and response (MDR) can address the lack of available talent. MDR providers are outsourced services that give organizations advanced security operations capabilities and work collaboratively with those organizations to remediate threats once they are discovered. They offer access to top professionals who provide insight into roadmap decisions and who can handle existing, new, and evolving threats. Businesses find that an advanced MDR service provider makes it possible to do more with less, while maintaining scalability and keeping costs down.
In today’s climate, MDR providers are becoming increasingly relevant. It’s not just about resources and how to use them, but also about how to build a roadmap moving forward. Shifting the approach to assessing cybersecurity as a business risk, while focusing efforts specifically on the threats that pose the greatest danger, can help ensure that a business is prepared to detect and respond quickly enough to protect the organization’s key assets. And that’s the real goal.
With the ever-increasing threat of cyberattack, business leaders should think about cybersecurity as a strategic business enabler. By illustrating the business case for cybersecurity—aligning cyber risk management with an organization’s business objectives—it is possible to make current and future decisions about the organization’s cyber health in terms the board can understand.