Businesses struggle to define and quantify strategic cyber threats to their operations, leaving decision-makers unprepared and under-informed about the character, extent, and severity of the danger they face. As new sales technologies emerge, driving toward ever more efficient commerce, whether in the B2B or B2C space, it is critical that organizations redefine cyber threats from something of a purely technical nature to something understood as a business risk.
A recent JLT-sponsored survey by Harvard Business Review Analytic Services revealed a startling disconnect: while 85 percent of firms believe that the economic costs of cyber attacks will increase in the coming year, only 23 percent have made a strategic decision to address the business risks. The combined failure to define hidden cyber threats in terms of their resultant business impacts, e.g., B2C losses, B2B sales impacts, and revenue or EBITDA analyses, leaves businesses guessing what the impacts could be, an approach fraught with risk.
Three emergent trends pose unique risks that will challenge even the most sophisticated organizations: i) the scaling of cyber attacks, in both severity and frequency, is creating strategic business risks; ii) systemic risks to internet viability require new approaches to modeling business continuity; and iii) the shifting economics of the threat are not well understood.
Scaling Impacts of Attacks
The increasing frequency and severity of cyber attacks continue to strain organizations' ability to defend their operations effectively.
Illusion of Control
As the WannaCry and NotPetya worms swept the world, affecting more than 100 countries and triggering billions in losses, many organizations fell victim to the illusion of control. The general sense was that the victims were those running older systems such as Windows XP. Yet some exceptionally sophisticated organizations fell prey to these attacks, creating significant B2B impacts and potential market share losses. NotPetya in particular entered many networks through a trojanized update of the M.E.Doc accounting software and then spread laterally with harvested credentials, so a current patch level alone was no guarantee of safety.
Network interruption attacks are becoming increasingly daunting. The October 2016 attack on Dyn, a DNS provider, was the largest DDoS attack witnessed to that point, reaching roughly 1 Tbps and disrupting PayPal, The New York Times, and Facebook, among many others. None of these companies were the target of the attack, yet they fell victim to its effects.
Similarly, the tight coupling of our systems today points to the dangers of system or human error. The Amazon Web Services S3 outage that affected thousands of companies, and the Google routing error that reduced Japan's internet traffic by nearly 50 percent, suggest a fragility in our networks that remains elusive to define yet can present significant risks to almost any commercial activity, and certainly to emerging sales technologies.
These incidents point to a need for a revised approach to modeling cyber threats, whether adversarial or accidental, in much the same way that organizations model natural catastrophe impacts on their operations. Said differently, as sales technologies continue to evolve, 'upstream' and 'downstream' analysis of the risk must be conducted to identify where risk flows into a business and where it flows out, creating third-party liabilities and B2B effects. While IT departments rigorously screen vendors for security concerns and legal teams review contract indemnity language, the new reality of large-impact, systemic risk means 'digital supply chain' analyses must be conducted across the breadth of an organization's activities.
In other words, large-scale and routine interruptions to critical parts of network traffic and internet activity must be planned for at significant levels.
Shifting Economics of the Threat
Too often, leaders assume a linear approach to risk identification in which critical IT systems or business processes are listed as single items in a risk register. However, true value creation within firms results from the intersection of multiple processes and systems, yet too few firms map these intersections to really understand the value at risk within the business. As emerging payment systems and new sales technologies proliferate, identifying the 'crown jewels' and the points of risk aggregation throughout a firm's digital ecosystem will become even more critical.
Have we learned the wrong lessons?
Ransomware and Business Email Compromise (BEC) dominate the headlines, and for good reason. In 2016, ransomware payments were estimated at more than $1B, while BEC losses reached nearly $5B over the preceding four years. Significant as these figures are in aggregate, the risk to any one organization is relatively small. However, the severity of the risk may be changing.
Considered in light of the forthcoming European privacy law (GDPR, effective May 2018), under which fines of up to four percent of worldwide annual turnover may be at stake, one can foresee new forms of illicit threat that could reshape the landscape as we consider new B2C sales technologies.
Even within this context, there is much we can (and must) do to counter today's threats while preparing for tomorrow's risks.
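The 'upstream' digital supply chain analysis and the search for points of risk aggregation described above, as an added example that is not part of the original article: a small dependency map (constructed data; the unit names, daily revenues and provider names are illustrative) that expands each business unit's direct providers through the providers' own dependencies, then ranks the upstream services whose failure would halt the most daily revenue. A unit that looks diversified at the first hop can still sit behind one shared provider two hops away, which is exactly the Dyn-style exposure the text describes.

```python
"""Added example (not from the article): where does risk flow into the business?

All data below is constructed for illustration. Revenue is a flat daily
rate; a unit is assumed to stop earning entirely while any provider it
depends on (directly or transitively) is down.
"""
from collections import defaultdict

# unit -> (daily revenue, providers the unit cannot run without)
DEPENDENCIES = {
    "b2c_storefront": (400_000, {"dns_provider_a", "object_storage_x", "payments_p"}),
    "b2b_order_portal": (900_000, {"dns_provider_a", "object_storage_x", "erp_saas_q"}),
    "mobile_app": (150_000, {"dns_provider_b", "payments_p"}),
    "partner_api": (300_000, {"dns_provider_a", "erp_saas_q"}),
}

# provider -> providers it depends on in turn (the hidden second hop)
PROVIDER_DEPENDENCIES = {
    "payments_p": {"dns_provider_a"},
    "erp_saas_q": {"object_storage_x"},
}


def transitive_providers(direct, provider_deps):
    """Expand a unit's direct providers with everything those providers rely on."""
    seen, stack = set(), list(direct)
    while stack:
        provider = stack.pop()
        if provider in seen:
            continue
        seen.add(provider)
        stack.extend(provider_deps.get(provider, ()))
    return seen


def revenue_at_risk_by_provider(deps, provider_deps):
    """Daily revenue that stops if each provider fails, plus the units it takes down."""
    exposure = defaultdict(lambda: {"revenue": 0, "units": []})
    for unit, (revenue, direct) in deps.items():
        for provider in transitive_providers(direct, provider_deps):
            exposure[provider]["revenue"] += revenue
            exposure[provider]["units"].append(unit)
    return dict(exposure)


def aggregation_points(deps, provider_deps, share_threshold=0.5):
    """Providers whose failure halts at least share_threshold of total daily revenue."""
    total = sum(revenue for revenue, _ in deps.values())
    exposure = revenue_at_risk_by_provider(deps, provider_deps)
    ranked = [(provider, entry["revenue"] / total)
              for provider, entry in exposure.items()
              if entry["revenue"] / total >= share_threshold]
    return sorted(ranked, key=lambda item: -item[1])


def outage_loss(deps, provider_deps, failed_providers, hours):
    """Revenue lost while the given providers are down for `hours`."""
    failed = set(failed_providers)
    lost = 0.0
    for revenue, direct in deps.values():
        if transitive_providers(direct, provider_deps) & failed:
            lost += revenue * hours / 24
    return lost


if __name__ == "__main__":
    # Direct-only view misses the second hop: mobile_app never lists dns_provider_a.
    print("direct only :", revenue_at_risk_by_provider(DEPENDENCIES, {})["dns_provider_a"])
    print("with 2nd hop:", revenue_at_risk_by_provider(DEPENDENCIES, PROVIDER_DEPENDENCIES)["dns_provider_a"])
    print("aggregation points:", aggregation_points(DEPENDENCIES, PROVIDER_DEPENDENCIES))
    print("12h DNS outage at provider b:", outage_loss(DEPENDENCIES, PROVIDER_DEPENDENCIES, ["dns_provider_b"], 12))
```

The interesting output is the difference between the direct-only and the expanded view of dns_provider_a: on paper the mobile app is the one unit diversified away from that provider, but its payment processor is not, so in practice a single DNS failure halts all four units. That gap is what a contract indemnity review of first-tier vendors alone will not surface.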
- Businesses must re-conceptualize cyber risk in business terms. By doing so, they gain clarity about the true nature of first- and third-party liabilities, as well as potential lost business opportunities.
- Develop sensible metrics to gauge cyber risk:
i) measure the volatility of cyber risk across business units;
ii) conduct a financial analysis to capture revenue or EBITDA impacts;
iii) evaluate the efficiency of risk capital against the volatility of the risk; and
iv) examine the potential market cap impacts of cyber attacks.
- Hedge the risk. Cyber insurance acts as a hedge against balance sheet impacts. In this manner, insurance works as a compensating control and can be viewed as an asset that 'compresses' financial impacts following a breach.
Fundamentally, businesses today face a war of attrition as they move to defend a growing, dynamic attack surface. Unfortunately, organizations need to succeed every day, while attackers only need to succeed once. The asymmetry of the situation is daunting, yet the adoption of new approaches to mapping the risk, measuring its financial volatility, and evaluating the efficacy of risk capital can position firms for success in this era of strategic insecurity.