Cyber Risk Management

The proliferation of cyber attacks and the persistent threat of data breaches makes having a strong cybersecurity program paramount. This guide will educate you on the origin of these attacks, who the actors are, and provide actionable steps for building a strong cyber security program or strengthening the one you have. 

The Institute of Risk Management defines cyber risk as “any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology systems.” As your digital footprint expands, the increased attack surface for cyber breaches makes organizations more vulnerable. Disruptive business models, and accelerated adoption of new technologies like mobility and cloud, unveil new threats daily. Today’s organizations cannot afford to make security an afterthought. 

Since the late 80s, digital systems have been vulnerable to attacks from internet pirates trying to steal information and gain unauthorized access. The Morris Worm was the first widespread denial-of-service (DoS) attack in 1989, affecting 6,000 computers and costing anywhere from $100,000 to $10,000,000 worth of damage. That attack set the stage for much larger attacks that today threaten millions of systems with a heftier price tag (consider the 2013 cyberattack on Target retail stores that impacted 40 million credit cards).

Early on, Computer Emergency Response Teams (CERTs) would be deployed to respond to any cyberattacks. These tactical teams would repair damage when an incident occurred but didn’t have the tools for preventing future attacks. Enter antivirus software. This became the gold-standard for cybersecurity and was often used as the primary means of warding off a future attack. Antivirus software served organizations well until the second part of the 21st century. That's when the world began to see an uptick in the scale and severity of cyber attacks. Two of the most recent and notorious security breaches, WannaCry and Eternal Blue, left stalwarts like the National Security Agency reeling. But now rather than looking for the next silver bullet, organizations realize they need an arsenal of cybersecurity tactics and a security team that works to stay one step ahead of the bad guys.

We use the term “threat actor” to define the person or group who are behind cyber crime – either orchestrating it or causing it. Based on our latest Data Breach Investigations Report, these are the threat actors causing a majority of the breaches:

Organized Crime: Cybercriminals are largely driven by financial gain. They might seek personally identifiable information (PII) of your customers or employees, such as social security numbers, health records, credit cards, and banking information. Or, they look to hijack and ransom critical resources.

State-affiliated actors: These groups are typically motivated by political, economic, technical, or military agendas. They seek information to exploit it for espionage purposes. State-affiliated actors account for 79 percent of all breaches involving external actors.

Activists: These attackers have a political agenda and seek to spread propaganda or generate awareness for a cause. This type of actor has been on the decline over the past few years.

Insiders: These types of attackers are those with insider access to organizational data. Misuse by current employees is often the cause. But these can also include former employees and partners looking for revenge or financial gain.

Internal Users: Breaches can be caused by errors or mismanagement of data by well-intentioned employees. This may be due to network issues, poor data management protocols, or by providing privileges to those who should not have them. 

As cybersecurity has become a top priority for organizations, standardized risk management processes and protocols have emerged. These include information security and operational risk models, such as FAIR, ISO, COSO and NIST. 

COSO defines enterprise risk management as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Out of these models three key pillars have emerged, serving as starting points for achieving operational resilience and mitigating cyber risk:

1. Governance Structure –Risk management should have a top-down approach. Consider establishing a risk committee that stays in regular contact with C-Suite leaders. This committee can establish a sound cyber risk management protocol and ensure the entire organization adheres to it.

2. Risk Appetite – An organization must decide how much risk it can tolerate. After all, some level of risk is unavoidable as a part of doing business in the modern age. By defining your risk appetite, you empower employees at all levels of the organization to raise the alarm whenever they perceive potential vulnerabilities.

3. Policy and Procedure – Your risk management plan should integrate naturally into your work culture. Incorporate risk management policies at every level of the organization. Employees should have a baseline understanding of risk concepts and know how to put them into action from day one. Conduct an inventory of every data-driven asset you have and develop policies around each one that address vulnerabilities and mitigate risk.

Failure to maintain a sound cyber risk management practice has significant consequences. Organizations face the risk of a breach of assets, as well as incidents that threaten the integrity of the business. But beyond that, you may also experience a loss of customers and incur administrative fines or even civil litigation. Companies doing business within the EU must also abide by the Global Data Protection Regulation (GDPR) data management and privacy standards. The penalty for noncompliance with GDPR (and so many other ever-emerging regulations) is significant.

If you are realizing your need for a more robust cybersecurity strategy, now’s the time to act! Start by asking yourself the following questions:

• What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
• How is our executive leadership informed about cyber risks to our company?
• How does our cybersecurity program apply industry standards and best practices?
• How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
• How comprehensive is our cyber incident response plan? How often is the plan tested?
• Do we have a strong password policy? Do we enforce this policy across the organization?
• Where does our data live? This includes servers and workstations, mobile devices, thumb drives, backup systems and cloud locations.
• What do we do with physical files and draft documents that contain personally identifiable information?
• Do we encrypt any backup media that leaves the office and also validate that the backup is complete and usable?
• Have we educated employees about good security practices? This includes cybersecurity attack methods such as phishing and pharming, and ransomware and social media threats. Has our staff received email security threat training?
• If there is a breach, do we have a response plan in place? Do we have cybersecurity insurance in the case of a breach incident?

Answering these questions is just the first step toward developing the robust cybersecurity protocol your organization needs. Our Cyber Risk Monitoring conducts a personalized analysis of your organization’s risk posture and provides steps for remediation. We combine the world-class capabilities of leading security organizations with Verizon’s own unique intelligence, giving you an in-depth view of your security landscape.

Verizon has helped some of the largest and most complex organizations in the United States keep a lockdown on their security. Learn how Verizon helped the U.S. military strengthen their cyber risk defense.