Sunday, February 27, 2022

Understanding The Two Variables Of Cyber Risk & How It Impacts You
One of the most important words being thrown around today in the world of Cybersecurity is that of Risk.  To many people and businesses, it can have many different definitions.  To some, it may mean how much “pain” and downtime you can suffer before the real financial losses start to hit. 

For some, it may mean just how prone your digital assets are to a security breach, despite all of the existing controls that you have in place. 

But no matter how you look at it or even define it, the bottom line is that Cyber Risk is real, and it needs to be taken into every decision-making process.  It is a term that nobody really wants to discuss, and to a certain degree, I can understand that. 

Calculating Risk shows how much money your company could lose in the end (no matter how many precautions you take, you will always be prone to some level of Risk).

But, there is yet another variable that is often forgotten about when calculating the level of Cyber Risk that your company is exposed to.  And that is, just how damaging a security breach can be to a particular digital asset. 

For example, you may calculate that digital asset A has a likelihood of an “8” of being impacted (this is assuming that you are using a categorization scale of 1-10, with 10 being worst). 

Of course, once you have confirmed this number, you will then want to deploy all of the controls you can in order to reduce the chances of digital asset A being impacted.  But truth be told, and as I have just mentioned, it can still be hit, and figuring out the dollar amount of that hit is what nobody wants to talk about, because it could have a big impact on the bottom line.

This dollar amount can also be referred to as the “True Cost of A Data Breach”.  So in simple mathematical terms, the two main ingredients of Cyber Risk are as follows:

Cyber Risk = The Statistical Probability Of An Asset Being Impacted + The Dollar Amount of Any Potential Breach

Of course, there are many other variables that need to be included in the above equation, and a lot is going to depend upon how many and what kinds of digital assets you have that absolutely need protection. 

While the main goal is to protect each and every one of them, the bottom line reality is that it simply cannot be done.  Therefore, the focus of your Risk Assessment has to be on protecting your mission-critical ones.

But for the purposes of this blog, calculating the actual dollar amount includes the following variables (keep in mind that this is not an all-inclusive list, but these must be considered):

1) The costs of Compliance:

Whether you like it or not, many businesses today are subject to some sort of data privacy law wherever they may conduct financial transactions.  The two most widely known ones are of course the GDPR and the CCPA, and there is also a plethora of other laws that are about to be passed in different states.  These pieces of legislation clearly demand that you have the right controls, as well as checks and balances, in place to make sure that all of your confidential information and data are protected as well as possible from a security breach.  Of particular concern here are the PII datasets of both your customers and employees.  Although it may be hard to digest at first, in your calculations of the dollar amount you have to include the costs of an audit and any financial penalties that you could potentially owe.  Although it will be hard to put an exact number on this, the key thing is to at least come up with some estimates that you can use in your calculations.  You may never be the subject of an audit, but one never knows; therefore, this has to be taken into consideration no matter what.

2) The costs of Critical Infrastructure:

This can actually be viewed as an indirect cost, but given the geopolitical situation that is happening today, it needs to be taken into serious consideration.  Let’s illustrate this with an example.  Suppose the city in which your business is located is hit with a Critical Infrastructure (CI) attack, and there is no water for hours or perhaps even days.  There is no doubt that water is absolutely essential to human life, but its loss can be a detriment to a business as well.  For instance, it is used to cool down your data centers, and even to heat your brick and mortar office.  If there is no water, your business will obviously experience a serious level of downtime, and this also has to be factored in.  Another CI variable that you must factor in is electricity.  If the power grid has been hit, of course you will not be able to do any work at all, unless you have backup generators at hand.

3) The cost of Human Life:

Although each and every human life is precious, the bottom line is that you also have to take this into consideration if you are hit with a security breach, or even a natural disaster.  Suppose there is an earthquake and you lose some of your employees.  The dollar cost of their lack of presence and expertise in bringing your business back up and running, as gut wrenching as this may sound, also has to be taken into consideration when you are calculating the financial magnitude of a security breach.  In fact, this is a key variable that many insurance carriers and actuaries consider when writing insurance policies.
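To make the formula above and the three cost variables concrete, here is a small Python risk register. It is an added example, not the author's own code or figures: the asset names and dollar amounts are constructed, the 1-10 likelihood score is read as a probability in tenths, and the two ingredients are combined multiplicatively (probability times dollar cost, the usual expected-loss reading) rather than with the literal “+” in the post's formula. It also shows why a high likelihood alone does not put an asset at the top of the list, and why some expected loss always remains after controls are applied.

```python
from dataclasses import dataclass


@dataclass
class BreachCost:
    """Constructed dollar-cost breakdown for one breach of one asset,
    following the three cost categories discussed in the post."""
    # 1) Compliance: estimated audit cost plus potential regulatory penalty
    audit_cost: float = 0.0
    penalty_estimate: float = 0.0
    # 2) Critical infrastructure: outage downtime (hours) x cost per hour
    downtime_hours: float = 0.0
    cost_per_downtime_hour: float = 0.0
    # 3) Human: cost of lost expertise / staffing needed to recover
    lost_expertise_cost: float = 0.0

    def breakdown(self) -> dict:
        """Per-category cost, useful for explaining the total to management."""
        return {
            "compliance": self.audit_cost + self.penalty_estimate,
            "infrastructure": self.downtime_hours * self.cost_per_downtime_hour,
            "human": self.lost_expertise_cost,
        }

    def total(self) -> float:
        return sum(self.breakdown().values())


@dataclass
class Asset:
    name: str
    likelihood: int          # 1..10 scale from the post, 10 = worst
    cost: BreachCost
    mission_critical: bool = False


def expected_loss(asset: Asset) -> float:
    """Expected loss = P(breach) x dollar cost of the breach.
    Assumption: the 1-10 likelihood score maps to a probability in tenths."""
    if not 1 <= asset.likelihood <= 10:
        raise ValueError(f"{asset.name}: likelihood must be 1-10, got {asset.likelihood}")
    return (asset.likelihood / 10.0) * asset.cost.total()


def residual_expected_loss(asset: Asset, new_likelihood: int) -> float:
    """Re-score after a control lowers the likelihood.  The result never
    reaches zero because the scale starts at 1: some risk always remains."""
    return expected_loss(Asset(asset.name, new_likelihood, asset.cost, asset.mission_critical))


def rank_assets(assets: list) -> list:
    """Highest expected loss first; this is the order in which to focus effort."""
    return sorted(assets, key=expected_loss, reverse=True)


def focus_list(assets: list) -> list:
    """Names of the mission-critical assets, ordered by expected loss."""
    return [a.name for a in rank_assets(assets) if a.mission_critical]


# Constructed sample register (illustrative numbers, not real data).
REGISTER = [
    Asset("customer-db", 8,
          BreachCost(audit_cost=50_000, penalty_estimate=200_000,
                     downtime_hours=24, cost_per_downtime_hour=5_000),
          mission_critical=True),
    Asset("hr-pii-store", 5,
          BreachCost(audit_cost=20_000, penalty_estimate=100_000,
                     downtime_hours=8, cost_per_downtime_hour=1_000,
                     lost_expertise_cost=30_000),
          mission_critical=True),
    # High likelihood but a small dollar impact: it should rank last.
    Asset("marketing-site", 9,
          BreachCost(downtime_hours=4, cost_per_downtime_hour=500)),
]

if __name__ == "__main__":
    for a in rank_assets(REGISTER):
        print(f"{a.name:15} likelihood={a.likelihood:2}  "
              f"cost=${a.cost.total():>10,.0f}  expected=${expected_loss(a):>10,.0f}")
    print("focus on:", focus_list(REGISTER))
    print("customer-db after a control (likelihood 8 -> 3):",
          f"${residual_expected_loss(REGISTER[0], 3):,.0f}")
```

Run as a script it prints the ranked register: the marketing site has the highest likelihood score (9) but the lowest expected loss, while the customer database with an “8” dominates because its compliance and downtime costs are large. Swapping the multiplication for the post's “+” would add a probability to a dollar figure, so the expected-value form is what a practitioner would actually use when putting a number in front of the C-Suite.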

Conclusions

As stated earlier, calculating the level of Cyber Risk is something that has to be taken into consideration very seriously today.  It is important to keep in mind that this is not just restricted to the IT Security team, their CISO, and the C-Suite. 

Each and every employee and department in a business will be impacted by this, because after all, they will be using your digital assets to some degree or another when they do their daily job functions. 

One of the best ways to get started on this long road is to first conduct a comprehensive Risk Assessment.  This is where you literally take an inventory of all of your digital assets, and rank them on some sort of categorization scale in terms of their vulnerability to a security breach. 

Then, you need to calculate, or at least have an estimate of, the financial magnitude of a breach of each one.

It sounds like a herculean task to accomplish, but keep in mind that there are Cyber professionals that make their living doing this.  Your best bet is to have one of them do it, working with you directly.  There are also other frameworks out there that you can use for the categorization of your digital assets; most of them are widely available from NIST.

The costs of a data breach are illustrated in a diagram in the original post (image not reproduced here; SOURCE: https://www.darkreading.com/attacks-breaches/hidden-costs-of-a-data-breach).

In the end, it is quite possible that your company could avoid these stats by being proactive about Cybersecurity.  The time to act is now!!!
