As a leader of a cybersecurity company, I have first-hand experience of the degree to which enterprises have been targeted by cyberattacks. We’ve all seen recurrent headlines about ransomware; but enterprises are also facing distributed denial of service (DDoS) attacks, supply chain breaches, and phishing attacks, among others.
According to a recent Forrester report, last year saw 1 billion records exposed in the top 35 breaches; $2.6 billion stolen in the top nine cryptocurrency breaches; and $2.7 billion in fines levied on the top 35 violators. Here are just a few examples:
- Lapsus$ claimed to have stolen 1 terabyte of crucial data from semiconductor chip company Nvidia. They demanded a $1 million ransom and made additional demands.
- Google stifled a DDoS attack on a Google Cloud Armor customer, comparing it to “receiving all the daily requests to Wikipedia (one of the top-trafficked websites) in just 10 seconds.”
- Company shares plunged when authentication company Okta announced that records of around 2.5% of its customer base were exposed in a supply chain attack.
- A new high was recorded for phishing, with more than 1,270,000 attacks recorded in the third quarter of 2022 alone, according to the Anti-Phishing Working Group.
The Cost of a Data Breach
The average cost of a data breach reached $4.35 million in 2022, according to IBM’s Cost of a Data Breach Report 2022, which represents a 2.6% increase from 2021, and a 12.7% increase from 2020.
For ransomware, costs are different: The average payment in 2021 was approximately $1.85 million — more than double the $760,000 figure from 2020, per a SpyCloud report.
And these are just direct costs; indirect costs are greater. They include:
- Lost business, due to business disruption and revenue losses
- Lost customers, and the cost of acquiring new ones
- Reputation losses, and diminished goodwill
- Regulatory fines and legal proceedings, when attacks lead to class-action lawsuits
Cyber Threats Are Growing
Rising geopolitical tensions, particularly around the Russia-Ukraine conflict and U.S.-China relations, created a knock-on effect in which state-sponsored cyber warfare is impacting the private sector. Bottom line: Enterprises often become collateral damage.
The threat of cyberattacks — and potential impact on corporate balance sheets — is only expected to grow. Technological advances in areas such as generative AI and automation have strengthened threat actors, leading to new and evolving threats.
Against this backdrop, it becomes increasingly crucial for corporate boards to align their organizations’ cyber-risk management with their business needs.
Cybersecurity as a Key Business Risk
Cyberattacks are, first and foremost, a risk to the business itself. They can damage its most fundamental components, from the integrity of customer data to the availability of IT infrastructure, while also impacting the company’s intellectual property, reputation, valuation, and even the morale of staff.
How should board directors and senior leaders be managing this type of business risk? Knowledge brings power, and the more corporate leadership knows about the impact of cyber risk on the business, the better it can provide effective leadership.
Cyber-Risk Balance Sheets Can Provide Insight
According to the World Economic Forum’s report, Principles for Board Governance of Cyber Risk, 37% of organizations strongly agree that quantifying risk leads to better management of cyber risks. But what’s the best way to quantify risks?
A cyber-risk balance sheet is one way of mapping the potential financial impact of cyber events. Creating one involves three steps:
- Standardization: Selecting a cyber-risk quantification framework, for example Factor Analysis of Information Risk (FAIR), an international standard quantitative model for information security and operational risk
- Prioritization: Defining an organization’s top cyber threats and quantifying the likelihood of each
- Mapping: Expressing the probability and magnitude of those threats in financial terms and associating them with current and future cyber investments
This creates a ledger that chief information security officers (CISOs) can use to make the business case for cybersecurity efforts that show a positive return on investment.
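To make the three steps concrete, here is an added example (not code from the article or from the FAIR Institute) that quantifies one scenario in the FAIR style: loss event frequency is threat event frequency times vulnerability, loss magnitude is primary plus secondary loss, and a Monte Carlo run turns calibrated three-point estimates into an annualized loss distribution. It then compares the scenario before and after a proposed control to produce the return-on-investment line a balance sheet needs. All estimates and the control cost are constructed for illustration; the triangular distribution stands in for the PERT curves commercial FAIR tools use, and the function and class names are this example's own.

```python
"""FAIR-style Monte Carlo quantification of a cyber-risk scenario.

Added example, not from the original article. Every number below is a
constructed estimate, not measured data. Standard library only.
"""
from dataclasses import dataclass
import math
import random
import statistics


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular is a stdlib stand-in for the PERT curves FAIR tools use.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: Estimate  # attacker attempts per year (TEF)
    vulnerability: Estimate           # P(an attempt becomes a loss event), 0..1
    primary_loss: Estimate            # USD per loss event: response, downtime
    secondary_loss: Estimate          # USD per loss event: fines, churn, legal


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    threshold = math.exp(-lam)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def percentile(sorted_values: list, q: float) -> float:
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def simulate(scenario: Scenario, trials: int = 20_000, seed: int = 7) -> dict:
    """Summarize the annualized loss distribution for one scenario."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(trials):
        # Loss Event Frequency (LEF) = TEF x Vulnerability, then draw how many
        # loss events actually occur in this simulated year.
        lef = scenario.threat_event_frequency.sample(rng) * scenario.vulnerability.sample(rng)
        loss = 0.0
        for _ in range(poisson(lef, rng)):
            loss += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        annual_losses.append(loss)
    annual_losses.sort()
    return {
        "ale_mean": statistics.fmean(annual_losses),   # annualized loss expectancy
        "p50": percentile(annual_losses, 0.50),
        "p90": percentile(annual_losses, 0.90),        # the "bad year" the board asks about
        "p_any_loss": sum(1 for x in annual_losses if x > 0) / trials,
    }


def control_business_case(before: Scenario, after: Scenario, annual_control_cost: float) -> dict:
    """One balance-sheet row: risk reduction bought by a control versus its cost."""
    b, a = simulate(before), simulate(after)
    reduction = b["ale_mean"] - a["ale_mean"]
    net = reduction - annual_control_cost
    return {
        "ale_before": b["ale_mean"], "ale_after": a["ale_mean"],
        "p90_before": b["p90"], "p90_after": a["p90"],
        "risk_reduction": reduction, "net_benefit": net,
        "roi": net / annual_control_cost,
    }


# Constructed scenario: ransomware delivered through phishing.
RANSOMWARE_BEFORE = Scenario(
    "ransomware via phishing (current state)",
    threat_event_frequency=Estimate(2, 6, 15),
    vulnerability=Estimate(0.05, 0.15, 0.35),
    primary_loss=Estimate(200_000, 800_000, 3_000_000),
    secondary_loss=Estimate(0, 500_000, 4_000_000),
)
# Same scenario after MFA, EDR and tested offline backups (assumed effects).
RANSOMWARE_AFTER = Scenario(
    "ransomware via phishing (with controls)",
    threat_event_frequency=Estimate(2, 6, 15),
    vulnerability=Estimate(0.01, 0.04, 0.10),
    primary_loss=Estimate(50_000, 250_000, 1_000_000),
    secondary_loss=Estimate(0, 150_000, 1_500_000),
)

if __name__ == "__main__":
    row = control_business_case(RANSOMWARE_BEFORE, RANSOMWARE_AFTER, annual_control_cost=600_000)
    for key, value in row.items():
        print(f"{key:>15}: {value:,.2f}")
```

The output is a single ledger row: expected annual loss before and after the control, the 90th-percentile "bad year" for each, and the net benefit and ROI of spending the control budget. Repeating this per top scenario from the prioritization step, with the estimates owned by the people closest to each asset, yields the balance sheet the article describes; the value of the exercise lies in the calibrated ranges, not in the arithmetic.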
How Corporate Boards Should Manage Cyber Risk
Principles for Board Governance of Cyber Risk introduces six principles for boards to begin with:
- Understand that cybersecurity is a strategic business enabler: Enterprises should analyze cybersecurity in the context of strategic implications, as part of enterprise risk.
- Understand the economic drivers and impacts of cyber risk: Enterprises should define cyber-risk appetite in financial terms to help inform decision-making.
- Align cyber-risk management with business needs: Management should integrate cyber-risk analysis into business decisions.
- Ensure organizational design supports cybersecurity: Management should ensure the cybersecurity function is represented adequately.
- Incorporate cybersecurity expertise into board governance: Regular sessions between management and the board should provide updates on incidents, trends, and vulnerabilities.
- Encourage systemic resilience: The board should ensure that management has plans to improve resilience through collaboration with the public sector.
Finding the Right Balance – From a Business Perspective
Boards need an in-depth understanding of top risks facing the enterprise and should be able to quantify their potential impact. Decisions about cost investments can then be weighed against the potential cost of not taking action.
By aligning cyber-risk management with business needs, organizations can build a security profile that aligns with the defined risk appetite. This process requires encouraging collaboration between the CISO, the chief technology officer, and chief information officer functions, all of whom should be involved in analyzing each cyber scenario.
Through this approach, the board can ask to see real risk reduction. In parallel, security leaders can create allies within business units by helping them reduce the risk of business impact.
Mapping Out the “Crown Jewels”
The first step in cyber-risk management involves prioritizing where to home in. Organizations can leverage an industry framework like MITRE ATT&CK to expose blind spots through consolidated threat visibility. ATT&CK gives security operations teams a common vocabulary for mapping detection rules to the adversary techniques that matter most for an organization’s specific threats and vulnerabilities.
Using ATT&CK in this way makes it possible to improve threat coverage and response by looking at parameters like industry, geolocation, and leadership. Organizations can identify which techniques, and which parts of the technology landscape, are most likely to lead to damage. By mapping key business assets to the techniques most likely to be used against them, a customized plan for reducing business risk can be developed.
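The blind-spot analysis the paragraph describes is easiest to see in code. The following added example (not from the article, and not a MITRE tool) takes a small inventory of detection rules tagged in the Sigma convention (`attack.t1059.001`), rolls sub-techniques up to their parent technique, and checks which prioritized techniques have no enabled rule behind them. The technique IDs and names are real ATT&CK identifiers; the rule inventory and the priority list are constructed for illustration, and the function names are this example's own.

```python
"""ATT&CK detection-coverage gap analysis over a rule inventory.

Added example, not from the original article. The rules and the priority
list are constructed; technique IDs and names are real ATT&CK identifiers.
"""
from dataclasses import dataclass
import re

# Step one of "crown jewels" mapping: the techniques behind the threats the
# organization cares most about, expressed as ATT&CK parent technique IDs.
PRIORITY_TECHNIQUES = {
    "T1566": "Phishing",
    "T1486": "Data Encrypted for Impact",        # ransomware
    "T1498": "Network Denial of Service",        # DDoS
    "T1195": "Supply Chain Compromise",
    "T1078": "Valid Accounts",
    "T1059": "Command and Scripting Interpreter",
    "T1003": "OS Credential Dumping",
}

_TECH_RE = re.compile(r"t\d{4}")


@dataclass(frozen=True)
class DetectionRule:
    rule_id: str
    title: str
    tags: tuple            # Sigma-style tags, e.g. "attack.t1059.001"
    data_sources: tuple    # log sources the rule needs to fire
    enabled: bool = True


# Constructed rule inventory: what a small SOC might actually have deployed.
RULES = [
    DetectionRule("r001", "Office app spawns a shell",
                  ("attack.initial_access", "attack.t1566.001", "attack.t1059"), ("process_creation",)),
    DetectionRule("r002", "Suspicious LSASS handle access",
                  ("attack.credential_access", "attack.t1003.001"), ("process_access",)),
    DetectionRule("r003", "Mass file rename with ransom note drop",
                  ("attack.impact", "attack.t1486"), ("file_event",)),
    DetectionRule("r004", "Impossible-travel sign-in",
                  ("attack.t1078.004",), ("cloud_auth",), enabled=False),   # disabled: noisy
    DetectionRule("r005", "Encoded PowerShell command line",
                  ("attack.execution", "attack.t1059.001"), ("process_creation",)),
]


def technique_ids(tags) -> set:
    """Extract parent technique IDs from Sigma tags: attack.t1059.001 -> T1059."""
    ids = set()
    for tag in tags:
        parts = tag.lower().split(".")
        if len(parts) >= 2 and parts[0] == "attack" and _TECH_RE.fullmatch(parts[1]):
            ids.add(parts[1].upper())
    return ids


def technique_coverage(rules, priority=PRIORITY_TECHNIQUES) -> dict:
    """Map each prioritized technique to the enabled rules that claim to detect it."""
    coverage = {tid: [] for tid in priority}
    for rule in rules:
        if not rule.enabled:
            continue   # a disabled rule is not coverage, however good it looks on paper
        for tid in technique_ids(rule.tags):
            if tid in coverage:
                coverage[tid].append(rule.rule_id)
    return coverage


def blind_spots(coverage: dict) -> list:
    """Prioritized techniques with no enabled detection at all."""
    return sorted(tid for tid, rules in coverage.items() if not rules)


def single_rule_techniques(coverage: dict) -> list:
    """Techniques covered by exactly one rule: fragile, one tuning mistake from a gap."""
    return sorted(tid for tid, rules in coverage.items() if len(rules) == 1)


def required_data_sources(rules, coverage: dict) -> dict:
    """Which log sources the current coverage silently depends on, per technique."""
    by_id = {r.rule_id: r for r in rules}
    return {tid: sorted({src for rid in rids for src in by_id[rid].data_sources})
            for tid, rids in coverage.items() if rids}


if __name__ == "__main__":
    cov = technique_coverage(RULES)
    for tid in blind_spots(cov):
        print(f"BLIND SPOT  {tid} {PRIORITY_TECHNIQUES[tid]}")
    for tid in single_rule_techniques(cov):
        print(f"FRAGILE     {tid} {PRIORITY_TECHNIQUES[tid]} <- {cov[tid][0]}")
    for tid, sources in required_data_sources(RULES, cov).items():
        print(f"DEPENDS ON  {tid} {sources}")
```

Run against the constructed inventory, the report shows the two headline threats from the article, DDoS (T1498) and supply chain compromise (T1195), with no detection at all, and Valid Accounts (T1078) covered only by a rule someone switched off. That is the kind of output that turns "we use ATT&CK" into a prioritized list of investments a board can weigh.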
Lowering Costs
Given the impact of the macroeconomic downturn, the biggest question many senior executives are facing is how to maintain effective cybersecurity with more limited resources. That’s where automation and artificial intelligence (AI) come in, as they have the potential to lower the expense of mitigating risk.
According to IBM’s Cost of a Data Breach Report 2022, organizations with fully deployed security AI and automation incurred about $3 million less, on average, in breach costs than those without. AI was their biggest cost saver: those deploying AI and automation detected and contained breaches faster, minimizing the impact on operations. Another strategy for cutting costs involves advanced cloud solutions that save dramatically on data ingestion and storage costs.
Start by Getting the Right Talent
To pull all of this off, organizations need to have the right talent in place. But that’s easier said than done. To put it simply: There are more cybersecurity jobs than available professionals. According to (ISC)², the cybersecurity workforce grew to 4.7 million people in 2022, the highest number ever recorded. Yet more than 3.4 million positions still remained open. This is a stark situation.
Managed Detection and Response (MDR) can address the lack of available talent. MDR providers are outsourced services that can provide organizations with advanced security operations capabilities and work collaboratively with those organizations to remediate threats once they are discovered. They offer access to top professionals who provide input regarding roadmap-related decisions, and who can handle existing, new, and evolving threats. Enterprises find that an advanced MDR service provider makes it possible to do more with less — maintaining scalability while keeping head count down.
In the current climate, MDR providers are increasingly relevant. It’s not just about resources and how to use them, but also about how to build a roadmap moving forward. Shifting focus to evaluate cybersecurity as a business risk — while investing efforts specifically on the threats that pose the greatest danger — can help ensure that an enterprise is poised to detect and respond quickly enough to protect the organization’s key assets. And that’s the real goal.
With the ever-growing threat of cyberattack, business leaders should be thinking about cybersecurity as a strategic business enabler. By illustrating the business case for cybersecurity, aligning cyber-risk management with an organization’s business objectives, it becomes possible to make current and future decisions about the organization’s cyber health in terms that the board can understand.