One of the most important words being thrown around today in the world of Cybersecurity is Risk. To many people and businesses, it can have many different definitions. To some, it may mean how much “pain” and downtime you can suffer before the real financial losses start to hit. For others, it may mean just how prone your digital assets are to a security breach, despite all of the existing controls that you have in place.

But no matter how you look at it or even define it, the bottom line is that Cyber Risk is real, and it needs to be taken into every decision-making process. It is a term that nobody really wants to discuss, and to a certain degree, I can understand that. Calculating Risk shows how much money your company could lose in the end (no matter how many precautions you take, you will always be prone to some level of Risk).

But there is yet another variable that is often forgotten about when calculating the level of Cyber Risk that your company is exposed to: just how damaging a security breach can be to a particular digital asset. For example, you may calculate that digital asset A has a likelihood of an “8” of being impacted (this assumes that you are using a categorization scale of 1-10, with 10 being the worst). Of course, once you have confirmed this number, you will then want to deploy all of the controls you can in order to mitigate any chance of digital asset A being impacted. But truth be told, and as I have just mentioned, it can still be hit, and figuring out the dollar amount of that is what nobody wants to talk about, because it could have a big impact on the bottom line.

This dollar amount can also be referred to as the “True Cost of A Data Breach”. So in simple mathematical terms, the two main ingredients of Cyber Risk are as follows:

Cyber Risk = The Statistical Probability Of An Asset Being Impacted + The Dollar Amount of Any Potential Breach

Of course, there are many other variables that need to be included in the above equation, and a lot is going to depend upon how many and what kind of digital assets you have that absolutely need protection. While the main goal is to protect each and every one of them, the bottom line reality is that it simply cannot be done. Therefore, the focus of your Risk Assessment has to be on protecting your mission critical ones.

But for the purposes of this blog, calculating the actual dollar amount includes the following variables (keep in mind that this is not at all an inclusive list, but they must be considered):
1) The costs of Compliance: Whether you like it or not, many businesses today are subject to some sort of data privacy law wherever they conduct financial transactions. The two most widely known ones are of course the GDPR and the CCPA, and there is also a plethora of other laws that are about to be passed in different states. These pieces of legislation clearly demand that you have the right controls, as well as checks and balances, in place to make sure that all of your confidential information and data are protected as best as possible from a security breach. Of particular concern here are the PII datasets of both your customers and employees. Although it may be hard to digest at first, in your calculations of the dollar amount you have to include the costs of an audit and any financial penalties that you could potentially owe. Although this will be hard to put an exact number on, the key thing is to at least come up with some estimates that you can use in your calculations. You may never be the subject of an audit, but one never knows; therefore, this has to be taken into consideration no matter what.
2) The costs of Critical Infrastructure: This can actually be viewed as an indirect cost, but given the geopolitical situation today, it needs to be taken into serious consideration. Let’s illustrate this with an example. Suppose the city in which you have your business is hit with a Critical Infrastructure (CI) attack, and there is no water for hours or perhaps even days. There is no doubt that water is absolutely essential to human life, but for a business its loss can be a detriment as well. For instance, it is used to cool down your data centers, and even to heat your brick and mortar office. If there is no water, your business will obviously experience a serious level of downtime, and this also has to be factored in. Another CI variable that you must factor in is electricity. If the power grid has been hit, of course you will not be able to do any work at all, unless you have backup generators at hand.
3) The cost of Human Life: Although each and every human life is precious, the bottom line is that you also have to take this into consideration if you are hit with a security breach, or even a natural disaster. Suppose there is an earthquake, and you lose some of your employees? The dollar cost of their lack of presence and expertise in bringing your business back up and running, as gut wrenching as this may sound, also has to be taken into consideration when you are calculating the financial magnitude of a security breach. In fact, this is a key variable that many insurance carriers and actuaries consider when awarding insurance policies.
Conclusions

As stated earlier, calculating the level of Cyber Risk is something that has to be taken very seriously today. It is important to keep in mind that this is not just restricted to the IT Security team, their CISO, and the C-Suite. Each and every employee and department in a business will be impacted by this, because after all, they will be using your digital assets to some degree or another when they do their daily job functions.

One of the best ways to get started on this long road is to first conduct a comprehensive Risk Assessment. This is where you literally take an inventory of all of your digital assets, and rank them on some sort of categorization scale in terms of their vulnerability to being hit by a security breach. Then, you need to calculate, or at least have an estimate of, the financial magnitude of a breach of each of them.

It sounds like a herculean task to accomplish, but keep in mind that there are Cyber professionals who make their living doing this. Your best bet is to have one of them do it, working with you directly. There are also other frameworks you can use for the categorization of your digital assets, most of them widely available from NIST.
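As an added example, not code from the post, here is a small Python risk register that carries the three cost variables listed above and the assessment steps just described through for a constructed inventory: each asset gets the 1-10 likelihood rating, its breach cost is built from the compliance, critical-infrastructure downtime and lost-expertise estimates, and mission critical assets are prioritized first. How likelihood and cost are combined is an assumption of the example: it treats the rating as a probability (rating/10) and multiplies it by the cost, the usual expected-loss convention, whereas the post writes the two ingredients as a sum. All asset names and dollar figures are constructed.

```python
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 10  # likelihood rating scale from the post, 10 = worst


@dataclass
class BreachCost:
    """Dollar components of a breach for one asset; every figure is an estimate you supply."""
    audit_cost: float = 0.0            # compliance audit (GDPR, CCPA, ...)
    penalty_estimate: float = 0.0      # financial penalties you could potentially owe
    downtime_hours: float = 0.0        # outage from a critical-infrastructure hit (water, power)
    hourly_downtime_loss: float = 0.0  # revenue lost per hour of that outage
    staffing_cost: float = 0.0         # replacing lost presence and expertise to recover

    def total(self) -> float:
        return (self.audit_cost + self.penalty_estimate
                + self.downtime_hours * self.hourly_downtime_loss
                + self.staffing_cost)


@dataclass
class Asset:
    name: str
    likelihood: int          # 1-10 rating of being impacted
    mission_critical: bool
    cost: BreachCost

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so a typo cannot silently skew the register.
        if not SCALE_MIN <= self.likelihood <= SCALE_MAX:
            raise ValueError(
                f"{self.name}: likelihood {self.likelihood} outside {SCALE_MIN}-{SCALE_MAX}")


def expected_loss(asset: Asset) -> float:
    """Assumption of this example: rating/10 as a probability, multiplied by the cost
    (expected-loss convention). The post itself writes the combination as a sum."""
    return asset.likelihood / SCALE_MAX * asset.cost.total()


def prioritize(assets: list[Asset]) -> list[str]:
    """Mission critical assets first, then by highest expected loss; returns names in order."""
    ordered = sorted(assets, key=lambda a: (not a.mission_critical, -expected_loss(a)))
    return [a.name for a in ordered]


# Constructed inventory; the names and numbers are made up for illustration.
INVENTORY = [
    Asset("customer-pii-db", 8, True, BreachCost(
        audit_cost=50_000, penalty_estimate=400_000,
        downtime_hours=24, hourly_downtime_loss=5_000, staffing_cost=30_000)),
    Asset("marketing-site", 6, False, BreachCost(
        downtime_hours=8, hourly_downtime_loss=500)),
    Asset("payroll-system", 4, True, BreachCost(
        audit_cost=20_000, penalty_estimate=100_000,
        downtime_hours=48, hourly_downtime_loss=1_000, staffing_cost=25_000)),
]


def risk_register(assets: list[Asset] = INVENTORY) -> dict[str, dict[str, float]]:
    """Per-asset summary: likelihood rating, total breach cost and expected loss."""
    return {a.name: {"likelihood": a.likelihood,
                     "cost": a.cost.total(),
                     "expected_loss": expected_loss(a)} for a in assets}


if __name__ == "__main__":
    register = risk_register()
    for name in prioritize(INVENTORY):
        row = register[name]
        print(f"{name:18} likelihood={row['likelihood']:2} "
              f"cost=${row['cost']:,.0f} expected_loss=${row['expected_loss']:,.0f}")
```

Because mission critical assets are sorted ahead of everything else, the payroll system (rating 4) still ranks above the marketing site (rating 6) in the output, which is the prioritization the post argues for.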
The costs of a data breach are illustrated in the diagram below:

(SOURCE: https://www.darkreading.com/attacks-breaches/hidden-costs-of-a-data-breach).

In the end, it is quite possible that your company could avoid these stats by being proactive about Cybersecurity. The time to act is now!!!