Business risk and cyber risk are now indistinguishable. The ability to decouple financial risk and legal liability from IT security risk is expanding for businesses. That means the company’s chief security officer should be on speed dial for the risk management officer.
The concept of cyber risk to a company is not novel. In the realm of cybersecurity, for instance, compliance has been an established fact for quite some time. However, developments related to a new post-pandemic reality for employees and businesses will hasten the blending of cyber and business risks this year.
These developments include the quickening pace of globalisation, the increased reliance on supply chains, the emergence of new adversarial tactics and geopolitical targets, the growing reliance on cloud services, the deepening recession, and the sluggish return of workers to the office. The convergence of these factors has prompted businesses to expand their thinking about risk exposure, assessment, mitigation, and monitoring.
On the other hand, as regulators crack down harder on businesses they believe are being negligent in their response to data breaches, chief security officers and risk managers are taking a new look at their organisations’ cybersecurity liabilities. Some breaches have even resulted in criminal charges being brought against the CSO.
Regulatory bodies and class action lawyers have been alerted to dozens more examples of breaches in 2022. Companies that fail to adequately protect their customers’ personal information and suffer a data breach as a result are likely to face financial penalties, as was the case last year.
It could be argued that each of these companies incorrectly estimated or failed to identify risk in their attack surface prior to the attack, and that they similarly misjudged risks associated with post-attack “what-if” scenarios.
Compliance, architecture, and post-breach scenarios are all important parts of cyber defence, but a security team’s work must not stop there. Teams should also be concerned with avoiding the need to respond to a cyberattack in the first place. This necessitates bringing more of an “attacker’s perspective” to the task of locating and fixing security holes in the external attack surface.
It’s just not in any company’s interest to have their security compromised. However, security breaches are a risk that every business faces as part of their everyday operations. The potential loss can be measured monetarily. According to a data breach report by the Ponemon Institute, the average cost of a data breach in the United States in 2022 was $9.4 million.
Despite the end of the pandemic, life will never be the same again.
Challenges await businesses in the coming year as workers return to the workplace in fits and starts in the wake of the pandemic. Added to that, we are now well into what is being called the Great Reset of 2023, following the Great Resignation of 2022. Changing macroeconomic conditions have led to a trend of companies tightening their belts.
IT operations teams will be forced to reorganise their IT infrastructure in response to underlying conditions. Upgrades and replacements will remain a constant part of an organisation’s infrastructure. Teams are abandoning the solutions hastily constructed in response to the pandemic. Businesses will instead focus on developing systems that are more long-lasting, less expensive, and simpler to administer.
There is danger in that transformation. Over the course of the next year, security teams will need to juggle the maintenance of an ageing platform with the launch of a brand new one as a result of internal IT restructuring. When it comes to managing this switch, there is a lot at stake because even a minor configuration error or forgotten asset can leave gaps in a company’s external attack surface and risk profile.
The term “third-party cybersecurity risk” refers to the potential dangers posed by an organisation’s reliance on outside parties such as IT service providers, cloud providers, and software as a service (SaaS) providers. Third-party risk, including that posed by upstream and downstream vendors working with a company’s partners and subsidiaries, should also be taken into account.
There is a new risk landscape due to external factors.
Alejandro Mayorkas, the current Secretary of Homeland Security, claims that globalisation has made the world a more dangerous place. In a December speech, Mayorkas warned that the United States faces a “new kind of warfare,” one that does not distinguish between private and public organisations.
“Economic and political instability, and our globalised economy, have erased borders and are increasingly bringing threats and challenges directly into our communities,” Mayorkas said. “This includes our schools, hospitals, small businesses, local governments, and critical infrastructure.”
New federal and private regulations concerning risk identification, risk assessment, risk mitigation, and risk monitoring have been implemented in response to this riskier geopolitical pressure.
The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-01 last year, requiring federal agencies to map out their attack surface assets and enhance their vulnerability detection and remediation capabilities by April 3, 2023.
The directive goes further than that: it requires weekly automated asset discovery across the organisation’s entire IPv4 space. Every 14 days, government organisations must conduct a vulnerability assessment on all of their endpoints, as well as their network and mobile devices.
Recent updates to SOX, HIPAA, HITRUST, PCI, and CIS guidelines address the most recent healthcare-related cyberthreats that keep security teams on their toes.
While compliance is important, it’s not enough.
This year’s emphasis
According to a PwC survey of CEOs from 2022, the threats that are keeping them up at night are the ones that will have a “material impact” on their businesses in the coming year. CEOs told PwC that they are most worried about cyber risks in the next 12 months.
“CEOs are most worried about the potential for a cyberattack or macroeconomic shock to undermine the achievement of their company’s financial goals—the same goals that most executive compensation packages are still tied to,” PwC found.
That focus on critical business activities has become a priority that raises the questions: What will attackers target, and why? What weaknesses could an intruder exploit? And how would an attack affect the company’s ability to function normally?
Good digital stewardship, business leadership, and financial stability are at the heart of bringing C-suite executives into the cybersecurity conversation.