Cyber risks account for one of the fastest-growing business risks and organizational priorities in the current world. The 2019 Global Risk Perception survey indicated that cybersecurity risks ranked among the top five priorities by more than 70% of worldwide organizations. The growth of cybersecurity threats is linked to the ever-increasing reliance on technology as the value driver in any given organization. David Rubio, the National Head of Cybersecurity Consulting and Service at Aon Spain, sat down with us to discuss cybersecurity.
What Is the Relationship Between Technological Advancement and Cybersecurity Issues?
When setting up a new business, you are likely to rely on various IT aspects, including smart devices, cloud-based systems, and personal computers. All your IT aspects hold important business data such as employee information, customer data, and detailed product designs, which requires a lot of protection.
The increase in the reliance on networks, social media, computers, data, and programs worldwide has made organizations more vulnerable to cyberattacks. Regardless of the size of your business, any information held in your IT aspects becomes of interest to cybercriminals.
How Should You Secure Your Organization From Cybersecurity Threats?
Cybersecurity is the business practice of protecting an organization's networks, data, computers, and IT systems from attack. It relies on a combination of processes, technologies, and controls to reduce the likelihood of attack and to protect the organization's systems from exploitation by unauthorized parties.
Good cybersecurity practice means adhering to established security management practices, setting up proper controls, and implementing standard security measures.
What Is the Relationship Between Cybersecurity Risks and Internet of Things?
According to Rubio, cybersecurity ranks among the major concerns of modern businesses as more business operations are carried out digitally, and the exposure of a business's data, systems, and processes to attack continues to grow. Cybersecurity risk is also referred to as cyber risk. It is defined as the potential exposure to harm or loss arising from the use of technology, information or communication systems, and technical infrastructure, including harm to an organization's reputation.
The Internet of Things (IoT), per Rubio, is the weakest link in cybersecurity because it relies on sensors to share data. It has brought about the mass adoption and proliferation of new and innovative connected devices. Because data is exchanged between devices whose design has not been proven sound, the threat of cyberattack through them is high.
What Vulnerabilities Do Cybersecurity Risks Pose to an Organization?
Cybersecurity attacks extend beyond data destruction and damage and encompass loss of money, loss in productivity, harm to the organization's reputation, and theft of the organization's intellectual property.
Cybercriminals launch cyberattacks due to various reasons, including:
- To steal money from the organization
- To disrupt business operations in your organization
- To weaken the integrity or reputation of your organization, brand, or product
- To gain access to a business’s sensitive or financial data
- Espionage, that is, spying by business competitors to gain an unfair advantage
- Intellectual challenge, as in the case of white hat hacking
- To make a political or social point as in activism
Cybercriminals use various methods to launch attacks on your organization. The most common ways of compromising an organization's systems include:
- Unauthorized access to the organization's information held on corporate networks or systems
- Unauthorized access to the organization's data held in third-party systems, such as hosted services
- Remote attacks on the organization's data, website, network, or systems
- Denial or disruption of service limiting your access to your systems, data, or network
Some common examples of cybersecurity issues that a business may be exposed to in the line of their operations include:
- Password decryption
- Ransomware attacks
- Malware attacks such as rootkits, viruses, Trojans, spyware, and worms
- Drive-by downloads
- Hacking, which includes keylogging, Distributed Denial-of-Service (DDoS), etc.
- Cyber frauds, which include whaling, spear phishing, phishing, and vishing
- Human error, such as losing paperwork, failing to redact personal data, or sending information to the wrong recipient
What Chances Are There That Different Types of Cyberattacks Arise From Insiders?
There are two major types of cyberattacks: those arising from internal risks and those arising from external risks. Internal risks arise from within the organization and stem from the actions of its employees; they can also be introduced by contractors, suppliers, partners, and clients who have access to critical business assets. Internal risks can be either malicious or unintentional. A malicious internal risk is, for example, a disgruntled employee who steals data or sabotages the organization's systems; in other words, an insider who accesses critical information or systems with malicious intent.
Examples of unintentional internal risks are when an employee forgets to install a security patch on outdated software or misplaces information accidentally.
According to Rubio, "Many times the lack of awareness in these terms, in terms of everything that could happen, which can be the result of a simple email that an employee receives, could cause one of the most important gaps. Because without knowing it, the employee may be opening the corporate door to this risk."
What Chances Are There That Cyberattacks Arise From Outsiders?
External cyber risks, like internal risks, can be either malicious or unintentional. They arise from external parties such as amateur and professional hackers, criminal groups, and the organization's stakeholders. Examples of malicious external risks include the installation of a virus, a denial-of-service attack, or a data breach. Unintentional external risks arise from your organization's partners or other third parties related to your business: when a vendor experiences a system outage that disrupts your organization's operations, that is an unintentional external cyber risk.
Are the Impacts of Cybersecurity Threats a Business Risk or a Mere System Risk?
Cyberattacks cause significant damage to a business, and the risks they bring cut across the entire firm. The impacts of cyber risk can be qualitative or quantitative. To understand the damage a cyberattack can cause your business, the impacts are divided into financial, legal, and reputational impacts.
The economic cost of a cyberattack is measured in terms of the financial loss it causes your organization. That loss results from:
- Theft of money
- Theft of business's financial information such as bank and payment card details
- Theft of the organization’s corporate information
- Disruption to transacting
- Loss of contract or business
In addition, a business incurs the cost of repairing affected devices, networks, and systems after an attack, which adds to the financial loss.
Data protection and privacy laws require every organization to manage the security of all personal data it holds, whether that data belongs to employees or to customers. If a breach, through any of the information security threats described above, results in the accidental or deliberate compromise of personal data because appropriate measures were not deployed, your organization may face regulatory sanctions or monetary penalties.
Rubio notes that "The problem is not complying with it [the law]. The problem is ensuring that you cover the entire scope of that law."
Trust is one of the essential elements of an organization's customer relations. A successful cyberattack damages the business's reputation and erodes customer trust. As a result, the business is likely to suffer loss of business and customers, a devalued brand, reduced sales, and decreased profits. The reputational damage extends beyond your customers to your suppliers, investors, partners, and any other third party involved with your organization.
How Can You Minimize the Impact of Cybersecurity Threats?
The impact of a cybersecurity breach can be devastating to a small business and to an established, resilient organization alike. After a breach, what matters most is the organization's ability to manage the resulting risks. The organization needs to execute an effective cybersecurity incident response plan that assists in:
- Reducing the impact arising from the cybersecurity attack
- Reporting the incident to the relevant authorities
- Cleaning up of the affected systems in your organization
- Getting your business back to normal operation as quickly as possible
Below are key steps that an organization can take when implementing a cyber risk management strategy:
Understanding your organization’s risk profile
To understand your organization's risk profile, you must carry out a thorough threat assessment that helps you uncover any potential exposure to information security threats. First, identify systems, processes, databases, and applications subject to cyber risk attacks. All stakeholders must then come together to assess the likelihood and the potential impacts that could be brought about by exposure to cyber risks. Finally, quantify the risks by calculating the possible financial, reputational, legal, and operational consequences of cyber risk.
Establishing a strategic cybersecurity management program covering the entire organization
A firm-wide strategy entails prioritizing risks through a risk measurement framework and a reporting system shared across all departments. You must also incorporate any specific legal requirements and industry-specific cyber risk standards into your organization's cybersecurity management practices.
The risk management strategy is an organizational priority rather than an IT priority; it must therefore be communicated across the entire organization, since exposure to a cyberattack can occur in any department or division.
Investing in infrastructure for managing cyber risk and cyberattacks
First, assess your organization's system requirements and establish where cybersecurity threats are likely to occur before investing in cyber risk management tools. The tools chosen must be easy to use, flexible, and able to accommodate future business expansion.
Establishing a dynamic cyber risk management process as an organization
Develop robust oversight by maintaining an inventory of potential cyber threats, with a quantified potential impact and a mitigation cost for each, both regularly updated. You must also ensure that third parties' cybersecurity protocols align with your organization's practices and standards.
Finally, invest in training your staff and stakeholders on rapidly evolving technologies and cybersecurity risks, because cyber risk management is ever-changing.
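The quantification step above (calculating the financial, legal, reputational, and operational consequences of each risk, then comparing them with an updated mitigation cost) is easiest to see on a small risk register. The following is an added example, not part of the interview or of Aon's methodology; it uses the standard annualized loss expectancy model (ALE = single loss expectancy × annual rate of occurrence) and a return-on-security-investment ratio to rank risks and decide which controls are worth funding. Every figure in the sample register is a constructed, hypothetical value, and the qualitative thresholds are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Risk:
    """One entry in the risk register (all money in the same currency unit)."""
    name: str
    asset: str
    source: str                  # "internal" or "external", as the interview divides them
    aro: float                   # annual rate of occurrence: expected incidents per year
    financial_loss: float        # direct loss per incident (theft, disrupted transactions)
    legal_loss: float            # fines and sanctions per incident
    reputational_loss: float     # lost business from eroded trust per incident
    operational_loss: float      # recovery and downtime cost per incident
    mitigation_cost: float       # annual cost of the proposed control (assumed known)
    mitigation_reduction: float  # fraction of incidents the control prevents (0.0 to 1.0)

    @property
    def sle(self) -> float:
        """Single loss expectancy: total cost of one incident across all impact types."""
        return (self.financial_loss + self.legal_loss
                + self.reputational_loss + self.operational_loss)

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected yearly loss if nothing is done."""
        return self.sle * self.aro

    @property
    def residual_ale(self) -> float:
        """Expected yearly loss once the control is in place."""
        return self.ale * (1.0 - self.mitigation_reduction)

    @property
    def rosi(self) -> float:
        """Return on security investment: (loss avoided - control cost) / control cost."""
        avoided = self.ale - self.residual_ale
        return (avoided - self.mitigation_cost) / self.mitigation_cost


def qualitative_rating(ale: float) -> str:
    """Map the quantified exposure onto a qualitative scale (thresholds are assumptions)."""
    if ale >= 100_000:
        return "High"
    if ale >= 25_000:
        return "Medium"
    return "Low"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order risks by annual exposure, highest first."""
    return sorted(register, key=lambda r: r.ale, reverse=True)


def recommend_controls(register: list[Risk]) -> list[Risk]:
    """Controls worth funding: those whose avoided loss exceeds their annual cost."""
    worthwhile = [r for r in register if r.rosi > 0]
    return sorted(worthwhile, key=lambda r: r.rosi, reverse=True)


# Constructed sample register: hypothetical figures, not from the article or Aon.
SAMPLE_REGISTER = [
    Risk("Ransomware on file servers", "file servers", "external",
         aro=0.5, financial_loss=200_000, legal_loss=50_000,
         reputational_loss=100_000, operational_loss=150_000,
         mitigation_cost=60_000, mitigation_reduction=0.8),
    Risk("Phishing-driven credential theft", "email and SSO", "external",
         aro=2.0, financial_loss=20_000, legal_loss=10_000,
         reputational_loss=15_000, operational_loss=5_000,
         mitigation_cost=25_000, mitigation_reduction=0.7),
    Risk("Hosting vendor outage", "hosted services", "external",
         aro=1.0, financial_loss=5_000, legal_loss=0,
         reputational_loss=5_000, operational_loss=20_000,
         mitigation_cost=40_000, mitigation_reduction=0.9),
    Risk("Unencrypted laptop lost by employee", "endpoints", "internal",
         aro=0.2, financial_loss=0, legal_loss=100_000,
         reputational_loss=50_000, operational_loss=2_000,
         mitigation_cost=5_000, mitigation_reduction=0.95),
]


def report(register: list[Risk]) -> None:
    """Print the register in priority order with the funding decision for each control."""
    print(f"{'Risk':40} {'Src':9} {'ALE':>10} {'Rating':7} {'ROSI':>7} Fund?")
    for r in prioritize(register):
        fund = "yes" if r.rosi > 0 else "no"
        print(f"{r.name:40} {r.source:9} {r.ale:10,.0f} "
              f"{qualitative_rating(r.ale):7} {r.rosi:7.2f} {fund}")


if __name__ == "__main__":
    report(SAMPLE_REGISTER)
```

In the sample register the vendor-outage control has a negative ROSI (a secondary provider costs more per year than the outages it would avoid), so it stays on the inventory as an accepted risk while the other three controls are funded. Re-running the report whenever an ARO, loss estimate, or control cost changes is the "dynamic" part of the process the interview calls for.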
David Rubio Lopez, Cyber Consulting Practice Leader at Aon.