Cyber risk is one of the fastest-growing business risks and organizational priorities in the world today. The 2019 Global Risk Perception survey indicated that cybersecurity risks were ranked among the top five priorities by more than 70% of organizations worldwide. The growth of cybersecurity threats is linked to the ever-increasing reliance on technology as the value driver in any given organization. David Rubio, the National Head of Cybersecurity Consulting and Service at Aon Spain, sat down with us to discuss cybersecurity.
When setting up a new business, you are likely to rely on various IT components, including smart devices, cloud-based systems, and personal computers. All of these hold important business data such as employee information, customer data, and detailed product designs, which require a lot of protection.
The increase in the reliance on networks, social media, computers, data, and programs worldwide has made organizations more vulnerable to cyberattacks. Regardless of the size of your business, any information held in your IT systems is of interest to cybercriminals.
Cybersecurity is the business practice aimed at protecting an organization's networks, data, computers, and IT systems from attacks. It relies on various processes, technologies, and controls to reduce the risk of attacks and to protect the organization from exploitation of its systems by unauthorized personnel.
Good cybersecurity practice involves adhering to established cybersecurity management practices, setting up proper controls, and implementing standard cybersecurity measures.
According to Rubio, cybersecurity is ranked as one of the major concerns of modern businesses as more business operations are carried out digitally. The vulnerability of a business's data, systems, and processes to cybersecurity attacks continues to increase. Cybersecurity risk is also referred to as cyber risk. Cybersecurity risks are defined as the potential exposure to harm or loss arising from the use of technology, information or communication systems, technical infrastructure, or an organization's reputation.
According to Rubio, the Internet of Things (IoT) is the weakest link in cybersecurity because it uses sensors when sharing data. It has brought about mass adoption and a proliferation of new, innovative technological devices. Because data is exchanged between devices that have not been proven to be well designed, the threat of cyberattacks is high.
Cybersecurity attacks extend beyond data destruction and damage and encompass loss of money, loss in productivity, harm to the organization's reputation, and theft of the organization's intellectual property.
Cybercriminals launch cyberattacks for various reasons, including:
Cybercriminals use various methods to launch cybersecurity attacks on your organization. The most common practices used to compromise your organization's systems include:
Some common examples of cybersecurity issues that a business may be exposed to in the course of its operations include:
There are two major types of cyberattacks: those from internal risks and those from external risks. Internal risks arise from within the organization and stem from actions by its employees. Internal risks can also be presented by contractors, suppliers, partners, and clients who have access to critical business assets. Internal risks can be either malicious or unintentional. A malicious internal risk is one where an insider accesses critical information or systems with malicious motives, for example a disgruntled employee who is involved in data theft or in sabotaging the organization's systems.
Unintentional internal risks include an employee forgetting to install a security patch on outdated software or accidentally misplacing information.
According to Rubio, "Many times the lack of awareness in these terms, in terms of everything that could happen, which can be the result of a simple email that an employee receives, could cause one of the most important gaps. Because without knowing it, the employee may be opening the corporate door to this risk."
External cyber risks, just like internal risks, can be either malicious or unintentional. They arise from external parties such as amateur hackers, professional hackers, criminal groups, and the organization's stakeholders. Examples of malicious external risks include installation of a virus, denial-of-service attacks, and data breaches. Unintentional external risks arise from your organization's partners or third parties related to your business. When a vendor experiences a system outage that disrupts your organization's operations, it is termed an unintentional external cyberattack.
Cybersecurity attacks result in significant damage to the business. The risks brought about by a cybersecurity attack cut across the entire firm. The impacts of cyber risks can be either qualitative or quantitative. To understand the damage that a cyberattack can cause to your business, the impacts are divided into financial, legal, and reputational impacts.
The economic cost of a cyberattack is measured in terms of the substantial financial loss accrued to your organization. The financial loss results from:
In addition, a business will incur costs in repairing affected business devices, networks, and systems after an attack, hence the additional financial loss.
Data protection and privacy laws require every organization to manage the security of all personal data it holds. Personal data could be either employees' or customers' details. If a cybersecurity breach caused by any information security threat results in the accidental or deliberate compromise of personal data due to a failure to deploy appropriate measures, your organization may face regulatory sanctions or monetary penalties.
Rubio notes that "The problem is not complying with it [the law]. The problem is ensuring that you cover the entire scope of that law."
One of the essential elements of an organization's customer relations is trust. A successful cyberattack damages a business's reputation and erodes customer trust. As a result, the business is likely to suffer from loss of business, loss of its customers, a devalued brand, reduced sales, and decreased profits. The reputational damage goes beyond your customers and encompasses your suppliers, investors, partners, and any other third party involved with your organization.
The impacts of a cybersecurity breach can be devastating to both a small business and an established, resilient organization. After a security breach, the most important thing is your organization's ability to manage the risks that arise. After an attack, the organization needs to roll out an effective cybersecurity incident response plan to assist in:
Below are key steps that an organization can take when implementing a cyber risk management strategy:
To understand your organization's risk profile, you must carry out a thorough threat assessment that helps you uncover any potential exposure to information security threats. First, identify the systems, processes, databases, and applications that are exposed to cyberattacks. All stakeholders must then come together to assess the likelihood and the potential impacts of exposure to cyber risks. Finally, quantify the risks by calculating the possible financial, reputational, legal, and operational consequences of cyber risk.
A strategy covering the entire firm entails prioritizing risks by employing a risk measurement framework and reporting system shared across all departments. You must also consider incorporating any specific legal requirements and industry-specific cyber risk standards into your organization's cybersecurity management practices.
The risk management strategy incorporated in your organization is an organizational priority rather than an IT priority; hence, it must be communicated throughout the entire organization, as exposure to a cyberattack can occur in any department or division.
Investing in infrastructure for cyber risk and cyberattacks management:
First, assess your organization's system requirements and establish the points where cybersecurity threats are likely to occur before investing in cyber risk management tools. The tools chosen must be easy to use, flexible, and able to accommodate future business expansion.
Develop robust oversight by maintaining an inventory of potential cyber threats, each with a dynamically quantified potential impact and a regularly updated mitigation cost. You must ensure that third parties' cybersecurity protocols align with your organization's practices and standards.
Finally, invest in training your staff and stakeholders about rapidly evolving technologies and cybersecurity risks, as cyber risk management is ever-changing.
David Rubio Lopez, Cyber Consulting Practice Leader at Aon.
David Rubio Lopez explains some cybersecurity issues and ways to minimize and manage threats arising from cybersecurity attacks.