Cybersecurity Risk Management – Blog Series Part 3
The single biggest threat to cybersecurity – misunderstanding the risks
Common cybersecurity misunderstanding number one – Many businesses think the cybersecurity problem will not affect them because people can’t tell whether their company has implemented a cybersecurity program or not. False. Even internet novices have plenty of tools to determine the security level of a company’s internet presence.
Another common misunderstanding is believing your cyber defenses are good enough without having put in the time and effort to analyze these defenses and matching their effectiveness against their company’s cybersecurity risk tolerance defined in the risk management plan.
Cybersecurity is an all-encompassing risk management issue that needs to be addressed from a strategic, cross-departmental, and economic perspective. A good place to start is to define enterprise risk management as the “overall process of managing an organization’s exposure to uncertainty with a particular emphasis on identifying the events that could potentially prevent the organization from achieving its objectives” (Gordon & Loeb, 2005). Cybersecurity risk management is a portion of the overall enterprise risk management plan. It is the process of managing potentially harmful events due to the lack of effective cybersecurity defenses and cybersecurity resilience.
No matter how well controlled, organizations may still experience major disruptions (e.g., theft of source code or product designs). Cybersecurity resilience represents an organization’s ability to adapt to such disturbances, and even grow in the face of such events.
Placing cyber incident costs in context
A critical question, how much of a problem are cyber events? First, as reported in the Oxford Academic Journal of Cybersecurity research has shown an interesting contradiction. On one hand, aggregate rates of cyber events show a trend – that cyber incidents are more frequent and therefore more expensive (in aggregate) to organizations, especially when personal information is involved in the incident. On the other hand, the actual costs of these events in the reported dataset cost most firms less than $200k, only a fraction of the millions of dollars commonly cited in headline grabing media reports. Here is where Industrial Automation Control Systems do not compare to the general population’s often financially motivated cyber-attacks. These IACS systems are used to drive the world’s critical infrastructure. Impacts to this infrastructure are difficult to measure, and where measures are attempted they amount to staggering sums.
For example – Take the December 2015 Ukraine power grid cyber-attack. The control systems were partitioned from the control center business networks with firewalls between the business and the power operations. Yet the systems were still compromised. The attack is thought to be in retaliation for a physical attack from pro-Ukrainian activists on power substations to annexed Russian territories. In this case, government and electricity supplier reputations apparently suffered more damage than can be measured by a relatively minor power outage of a few hours. A year later another attack, again in Ukraine, possibly to drive home the politically motivated message.
The research shows an increase in the number of cyber incidents. But per-incident costs alone do not reflect the same magnitude of consequence, or urgency of attention. Protecting the world’s critical infrastructures carries a significant responsibility. Quoted from the European Commission – Critical Infrastructure “…is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour, may have a significant negative impact for the security of the EU and the well-being of its citizens.”
While the potential for larger harm appears to be growing in time, evidence that financial impacts are lower than expected is a misleading metric resulting in a misunderstanding of the real risks at hand.
Organizations may indeed lack a strong financial incentive to increase their investment in cybersecurity. But the nature of the IACS work we engage in demands a deeper understanding of each organization’s mission. This will result in cybersecurity programs that focus on improving more practical aspects of their cybersecurity risk management programs – prevention, preparedness, and response.
Take the time to understand the true nature of today’s cybersecurity risks. Understand your tolerances to these risks. Have a plan to manage the risk and choose a partner that can help you bring a world-class IACS solution to your business in a cyber secure, safe manner.
 Cybersecurity Risk Management and Insurance, https://www.actuaries.org.uk/documents/c8-cybersecurity-risk-management-and-insurance , Jan 6, 2014
 Examining the costs and causes of cyber incidents, Sasha Romanosky, https://academic.oup.com/cybersecurity/article/doi/10.1093/cybsec/tyw001/2525524/Examining-the-costs-and-causes-of-cyber-incidents