[BreachExchange] The one major blind spot in most cyber risk strategies
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Apr 27 19:29:01 EDT 2017
http://globalriskinsights.com/2017/04/one-major-blind-spot-cyber-risk-strategies/
Cyber risk is rapidly becoming one of the most significant existential
threats to businesses, institutions and other actors and their reputations.
Living with an open-ended risk, potential targets of cyber-attacks are now
– more than ever – under high pressure to build more effective and broad
spectrum, resilient capacities. One key focus that gets overlooked:
reputation.
2016 recorded a new peak in cyber-attacks. Be it cyber extortion, corporate
espionage & state-sponsored attacks, bank fraud, data manipulation, theft &
kidnapping (ransomware) or hacktivism: sources of cyber risk are growing
more complex and versatile, making it highly difficult to prepare for them.
More importantly, everyone and everything has become a target including
corporations, governments, political institutions and security authorities.
The key message is: anyone can be hit at any time.
Therefore, ramping up one’s efforts for ensuring the highest cyber security
level possible must be a key priority on everyone’s agenda as this can also
be turned into a competitive edge.
Despite this dramatic recent increase in cyber-attacks, potential targets
still seem to heavily underestimate the reputational damage an attack can
entail. Moreover, the wider repercussions of these attacks are decisively
dependent on how a target will ultimately handle the internal and/or
external communications crisis vis-à-vis the cyber crisis itself as both
crises are closely intertwined and have to be resolved via a concerted
effort.
Against this backdrop, building cyber resilience capacities must be seen
through various lenses, not only a technical one, and cyber security
communications is one of them.
Cyber risk today
Cyber-attacks reached record levels in 2016: the damage to the global
economy is estimated to exceed $400 billion a year. In 2015, more than 500
million personal records were stolen. The wider cyber risk landscape has
significantly increased in volatility and its underlying risk taxonomy has
grown more complex. Consequently, this means that a target’s potential
attack surface has dramatically expanded based on myriad cyber risk
vectors; ranging from human errors (caused by employees), technological
risks (originating in hardware, software & information systems failures and
the overall introduction and increased connectivity of new technologies),
compromised received data from business partners and customers, compromised
data storage centers and platforms, failed internal processes (such as
product development, design and execution processes) to external events
(such as natural disasters, legal and regulatory issues).
The risk of reputational suicide
The loss of reputation is one of the most underrated corporate and
institutional risks in the cyber security realm. This is also due to the
fact that when suffering a data breach for instance, targets still mostly
treat it as an internal, purely technical issue with no cross-departmental
cooperation required.
By focusing on a broad spectrum crisis preparedness and response strategy,
every potential target needs to adopt a communicative lens as well since at
least one third of customers impacted by a data breach will never do
business with the affected company ever again. The potential level of
customer base loss is also affected by the way the target is communicating
the crisis with all relevant stakeholder groups.
Cyber risk constitutes a tail risk causing extreme losses to companies,
institutions and authorities. It directly hurts company value and the
overall trust of customers and citizens in corporations, governments,
institutions and security authorities. Moreover, public opinion
materialises very quickly, but it takes a very long time to re-shape it.
This means that if a targeted actor is perceived to fail in managing a
cyber-attack properly, this perception will remain for a long time to come.
Failing to build resilience will cause “reputational suicide”, which can be
fatal for any organization. This is also aggravated by increased media
focus on cyber attacks which has certainly raised the stakes on how
companies and other actors respond.
Key challenges of cyber security communications
Building cyber risk resilience requires a systematic approach. In order for
crisis communications to take full effect during an ongoing crisis, actors
have to adequately prepare themselves based on a 360° approach regarding
various stakeholder groups. Interestingly, IT departments on the front line
of cyber attacks generally have no understanding of and experience in cyber
security communications, often creating failed cross-departmental
information sharing behavior.
In this respect, the greatest challenges lie with the potential
misconceptions about the significance of risks on the one hand – the fact
that in most cases neither the attacker(s) nor his / their intentions are
known – and whether cyber risk is considered more a specialized rather than
a normal risk, on the other. Another challenge originates in the high
volatility and dynamism of cyber incidents making it very difficult to
quantify damages and communicate the urgency of an attack since the impact
and scale of an attack tend to increase over time. Additionally, cyber risk
acts cross-functionally and must be treated as an overarching business
challenge that requires leadership, therefore it must be seen as a
board-level issue. Furthermore, cyber security will always be imperfect as
cyber risks are open-ended in nature and require constant adaptation and
trade-offs that may directly affect operations.
Nevertheless, an effective, versatile and adaptive cyber security
communications strategy constitutes both a clear-cut competitive edge and
opportunity to better understand corporate strengths and weaknesses. All in
all, cyber resilience is mostly technical in nature, but consists of
various dimensions. Only actors that are aware of the latter point will be
able to prepare themselves for a live attack in a way that will allow them
to effectively limit the damage or even fully protect their reputation.