Adam Vincent, Co-Founder and CEO of ThreatConnect, explores the increasing risk of cyber attacks and the serious financial damage they can cause.
Recent high-profile incidents, including the ransomware attacks against the Colonial Pipeline system and JBS USA, the world’s largest meat processor, demonstrate the urgent need for critical infrastructure owners and operators to adopt a risk-led cyber security program. It is becoming clearer by the day that these major firms are not having the proper risk conversations between their cyber security experts and business executives.
Cyber security must be treated and communicated to executives the same way as other critical business risks. “Cyber security is now a critical enabler for most businesses to continue operating,” said Michael Daniel, President & CEO of Cyber Threat Alliance, in a recent interview. “And it needs to be framed in that way. And I think that’s very much the place that we need to move is putting it in those business terms, framing it in those risk terms.”
Organisations should be quantifying risk – including cyber risk – based on potential financial and operational impact. The process of doing so creates a common goal that unifies security teams and business leaders. My firm, ThreatConnect, recently conducted a survey and found that 70% of security professionals received “medium to high levels of pressure to produce cyber risk quantification data for their business.” A more telling aspect of the survey, however, showed that half of the respondents said they lack confidence in their ability to communicate and report the financial impact of cyber risks, prioritise vulnerabilities and security alerts, and justify their future investments to mitigate those risks. The reason for this is two-fold:
41% of respondents said they do not have a formalised process in place to evaluate and rank cyber risks.
25% said they do not have cyber risk quantification technology deployed at their company.
Unfortunately, the only way to completely eliminate risk is to cease operations. Understanding that there’s always going to be some residual risk, the question then becomes; what is the risk appetite of the business? A good way to determine this is to zero in on your organisation’s key value proposition and then think about the mechanisms by which a cyber incident could undermine those business metrics. Automated cyber risk quantification (CRQ) enables enterprises to quickly model changes in their security posture to understand the financial and operational impact of a cyber incident. ‘What-if’ analysis allows business leaders to answer the tough questions using real-world analysis to show the cyber risks associated with:
The addition of new entities (either through merger and acquisition or other activity) would do to the business
The increased financial risk associated with rolling out applications without adequate protections
Financial risk that granting a security waiver (or exception) to an application does to the business
Automated outputs are generated in just hours for reporting that is more current and relevant. By automating risk modelling, businesses get a fast start and can then critique, or tune models over time, instead of having to create their own.
Armed with metrics like business interruption, reputational damage, and legal fines, security leaders can better communicate and justify their security initiatives. Attaching a financial impact to potential threats can help your various stakeholders see what deserves priority, estimate the net financial loss if an attack is successful, ascertain whether the organisation has proper controls in place, and determine whether future technology investments are necessary.
The growing pace and sophistication of nation-state attacks, coupled with an ever-expanding attack surface, makes our ability to accurately quantify and prioritise cyber risks within the context of our individual businesses an urgent priority. But when business networks and systems can be compromised in a way that disrupts or halts industrial operations, that points to a clear failure to identify, understand, prioritise and remediate the most critical cyber risks facing one’s organisation.
Bridging the gap between cyber security and business, however, remains an aspirational goal for many who struggle to understand where to begin. We cannot allow this situation to continue in the critical infrastructure space. Our critical infrastructures need a risk-informed decision and operational support platform that can help them prioritise and focus on the risks that matter most and can leverage threat intelligence to drive orchestrated response. It is our single best chance of improving cyber security outcomes and protecting our businesses from harm.