Cyber-risk: What IROs need to know
Technological advances and an increasing readiness to embrace the digital age mean it is more important than ever for companies to safeguard their vital data. We hear from Ian Benson, cyber-security partner at PwC, who gives us an insight into what IROs (investor relations officers) need to know.
What exactly is the definition of cyber-risk?
For organizations, cyber-risk is all about protecting the information and services required to conduct business as usual from threats against their confidentiality, integrity or availability. These threats can originate both internally and externally and can be accidental, such as an employee leaving an unsecured laptop on the train; adversarial, by the hand of a malicious threat actor; or environmental, such as the flooding of a data center.
What’s the current cyber-risk landscape? Is it an increasing threat to companies?
The cyber-threat landscape has radically shifted over the past year alone. Organizations are becoming more interconnected and dependent upon third parties, elevating the risk of cyber-attacks having a systemic impact across traditional national and industry boundaries. This was seen with the global NotPetya ransomware attack last summer, where a third-party software application was the initial entry point for the malware.
Novel and automated attack tools and techniques have swung the scales against companies looking to protect their data and highlighted the importance of the ‘hard basics’ such as prioritizing and patching vulnerabilities. Recent vulnerabilities identified in underlying computer systems have also shown that even hardware we depend upon can’t always be trusted to be secure by design.
Advanced attackers have turned cyber-crime into nine-to-five operations, with formal employment models. Proven attack methods from well-funded and motivated threat actors have seen them move toward lower-volume, high-value attacks. Less-advanced actors have sought to emulate these proven techniques and methods. Recent examples of this include multiple attacks on the SWIFT infrastructure of financial services organizations across the world, and the Cloud Hopper attack that PwC was involved in uncovering. This saw a number of managed IT service providers compromised, potentially impacting the intellectual property of hundreds of organizations.
For less-advanced attackers, the barrier to entry has lowered, and even those with limited technical know-how have the means to launch a potentially damaging cyber-attack. Organized crime groups now provide ransomware and DDoS [distributed denial of service] as a service. These often come with a warranty, offering purchasers success or their money back.
Why is it so important for IROs to consider the topic in their risk-management conversations?
Cyber-risk represents a material threat to all businesses, regardless of their size and scale. The cost of a cyber-breach can be difficult to calculate, from the tangible costs arising from incident response and recovery, to intangible costs such as reputational and share price damage. There is also increasing regulatory interest and the new General Data Protection Regulation, which means businesses could face significant fines.
The intangibility of cyber-risk poses challenges to organizations looking to quantify the cyber-threat. But embedding cyber-risk in wider operational risk strategy is integral to representing it in executive and board conversations as an investment, rather than as a cost. A business and its senior leadership should be looking to understand, own and allocate a value to its cyber-risk.
What are the main factors that should be included in risk-management strategies?
Cyber-incidents should be considered a ‘when’ and not an ‘if’ by organizations. Their risk appetite should be realistic in anticipating this and based on a clear understanding of their critical assets and dependencies. An appropriate risk strategy should then be implemented, with cyber-risk embedded across all areas of operational risk, and supported through controls spanning organizational culture, process and technologies. It’s also important for organizations to identify clear reporting metrics to help the business visualize whether its risk is within appetite.