Any informed investor will tell you that cyber risk is an important part of understanding your overall risk profile. Cyber events can impact everything from your P & L to brand reputation, and even staffing in some situations. It’s an unfortunate reality if you want to conduct business in the modern world. The question is, how can you measure your risk, and much weight should you give to each variable in so doing? Most existing standards will give you an overall baseline score of how well you are following best practices, but can’t give you a concrete answer to the most important question: how likely are you to be successfully attacked? In an attempt to modernize the way we communicate with our business counterparts and leadership boards about risk, a collaboration between the well-known Ponemon Institute and Trend Micro has resulted in the publication of a new study, The Cyber Risk Index (CRI). Researchers were seeking to bridge the gap between preparedness and likelihood of a successful attack.
CRI Framework Overview
The Cyber Risk Index measured 5 key areas: Data Risk, Cyber Risk, Infrastructure Risk, Human Capital Risk, and Operational Risk. Each of these categories tend to bleed over into one another, but having distinguishing them allowed researchers to evaluate general cyber posture from 5 different perspectives, and results were compared by geographical region. Results indicated that North American companies are at a significant disadvantage in comparison with companies elsewhere in the world, a fact we will dig into a little bit to explore potential causes.
Categories are Interconnected
Modern attack types are often layered, or multi-step, so a number of attack types may be leveraged as part of the same overall attack. Rarely does a bad actor level a one-layered, single-step attack anymore, because they are too easy to detect and mitigate. A cyber criminal’s goal is to circumnavigate your defenses, not lob softballs to your security team. For example, a malware/ransomware attack may begin with social engineering, which typically leads to a loss of credentials. Those credentials can then be used for hacking, malware, business email compromise attacks, etc. Nevertheless, researchers work to keep track of frequency of each attack type, even if they are leveraged in combination with one another. The 2021 Verizon Data Breach Investigations Report (DBIR) found that the vast majority of social engineering attacks that led to a data breach last year were categorized as phishing. The report notes that “Business Email Compromises (BECs) were the second most common form of Social Engineering. This attack scenario reflects the meteoric rise of Misrepresentation, which was 15 times higher than last year in Social incidents” (Verizon 2021).
Data Risk
Generally, the most important digital asset an organization has to protect is its data. Whether it’s confidential business information, consumer data, protected health information (PHI), or valuable analytics, losing access to or having your sensitive data stolen can be catastrophic. According to the 2021 Cost of a Data Breach Report (IBM) a single data breach last year cost the victim organization $4.24 million on average. Not exactly chump change. So, while you have other risks to consider, one of the most important lenses that environments were evaluated through in this study was Data Risk.
The efficacy and alignment of your data governance processes as they relate to your organization’s business model and goals have tremendous downstream impact on how well sensitive data can be protected. Given the way data changes over time, ensuring that it is properly mapped, prioritized by criticality, and protected with the appropriate mitigating controls can be an overwhelming task. Yet, to communicate your security posture and evolving budgetary needs clearly with boards, it is essential to have point-in-time evaluations of the risk to your organization’s data. When you can identify gaps in your strategy and are able to build a business case around the actual threat to your company, you are likely to have support for whatever projects or initiatives you need to undertake to remediate.
In Part II, we will jump into Cyber Risk, Infrastructure Risk, Human Capital Risk, and Operation Risk – how they are distinct from one another, what impact they have on your organization, and the specific Top 5 Risks that the CRI found to be associated with each.
In the meantime, if you are interested in learning more about point-in-time assessments, including the CRI, we’d love to talk with you. Our Risk Advisory Team maintains certifications and vast experience across a number of compliance and cybersecurity frameworks, with subject matter experts who specialize in each.
Feel free to reach out any time and Request a Consultation with one of our team members.
Learn more about us at https://truedigitalsecurity.com/managed-cyber-compliance .
