[BreachExchange] Assessing Cyber Risk: Metric of the Month

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Jun 1 17:03:50 EDT 2021


https://www.cfo.com/risk-management/2021/06/assessing-cyber-risk-metric-of-the-month/

An employee recently received an email from me, letting him know that I was
in an important meeting and asking if he could text me. The only problem
was that it wasn’t me. “Fake Perry,” as we call the would-be scammer, had
been messaging our employees in an attempt to gain access to the company’s
accounts.

If Fake Perry had gotten the employee’s number, the next step would have
been to call the phone company and have the employee’s number forwarded to
his phone, which would have made it much easier to hack into our accounts.
Thanks to our employees’ vigilance and the cybersecurity training we gave
them, no one fell for it.

We enjoy making fun of Fake Perry, but we take cybersecurity seriously, and
you should, too. Hackers have successfully extracted millions of dollars in
ransoms from organizations like schools and hospitals. More recently, the
Colonial Pipeline hack left much of the southeastern U.S. reeling from gas
shortages and surging gas prices. Cyber-criminals will come for your
organization eventually if they haven’t already. What are you doing to
identify and assess your cyber risks?

Our recent enterprise risk management survey asked respondents to identify
the percentage of their top risks that fall into categories, including
strategic risk, operational risk, financial risk, and cyber risk. We found
that 1 out of every 10 top risks assessed by respondents fell into the
cyber risk category, both at the 25th percentile and at the median.
Organizations in the 75th percentile said that one-fifth of their top risks
were cyber risks.

Organizations at the median and the 25th percentile aren't necessarily falling
behind; it's good that cyber risk is at least on their radar. At the same
time, given the financial and operational damage these attacks can do, it
would make sense for organizations to weigh more cyber risks among their top
risks.

Protecting Your Business

Taking steps to address cyber risk is in every organization’s interest
because it’s not a question of whether, but when, these attacks will occur.
And there’s no question that a successful breach of your systems will take
a financial toll. For that reason, CFOs and other finance leaders cannot
afford to shrug off preparation for cyber risk as just another item on IT’s
checklist. Below, we discuss three recommendations based on the moves we
see top companies making.

1. Invest in Preparations for Cyber Risk

Committing resources to protect your organization against cyber risk is
always a smart investment. It’s better to commit these resources upfront to
prevent or mitigate attack damage. Otherwise, you’ll pay on the back end
once the ransom is due or customers’ data has been compromised. If you have
the resources, now is also a good time to invest in tools that help verify
whether vendor payment requests are valid and flag suspicious transactions.

Preparation for cyberattacks also means training employees so that they are
familiar with the approaches attackers typically take. Assuming that all
employees are savvy enough to read the signs of an attempted attack could
be an expensive mistake. Basic security features like two-factor
authentication are very effective if employees learn how to use them, with
one caveat: a one-time code delivered by phone call or text message is
exactly what the number-forwarding trick described above is designed to
intercept, so codes from an authenticator app or a hardware security key are
the safer choice.

2. Assess Cyber Risk

At a high level, assessing cyber risk looks much the same as any other
enterprise risk assessment. You'll need to identify the areas most exposed
to risk and judge whether the existing controls and safeguards keep the
residual risk within the organization's risk appetite. The assessment should
also cover the technical controls themselves, for example regular
penetration testing of the IT environment and a mail filtering system that
tags messages from outside the organization and flags suspicious ones. Along
with these steps, make sure you have tested incident response plans so that
you're not left scrambling once an attack has already happened.

3. Make Sure Policies Are Clear and Employees Follow Them

One common form of cyberattack involves seemingly legitimate payment
requests from vendors asking an organization to change the bank account to
which payments are made. To ensure that requests from bad actors don't get
processed, it's critical to establish clear treasury policies that every
employee follows to the letter, for example that any change to a vendor's
payment details is confirmed by calling the vendor at a number already on
file, never at a number supplied in the request itself.
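The mail filtering mentioned under recommendation 2 and the vendor payment-change requests described under recommendation 3 can share one triage layer, sketched below as an added example (not code from the article or its author). It tags every message from outside the company, flags a protected executive's name on an address the company does not own (the "Fake Perry" pattern), flags sender domains that differ from the company's own by a character or two, flags a Reply-To that points somewhere other than the visible sender, and holds any message whose body asks to change bank or payment details so a person can verify it out of band. The internal domain, the executive names, the similarity threshold and the sample messages are all constructed assumptions.

```python
"""Inbound-mail triage: tag messages from outside the company and flag the two
patterns the article describes, an executive impersonated through the From
display name ("Fake Perry") and a vendor asking to change where payments go.
Added example, not code from the article or its author; the internal domain,
executive names, threshold and sample messages are constructed for illustration."""
import difflib
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}      # assumption: the company's own mail domains
EXECUTIVES = {"perry doe", "alex roe"}  # assumption: display names worth protecting
LOOKALIKE_RATIO = 0.9                   # assumption: similarity that counts as a lookalike
HOLD_FLAGS = {"executive-display-name", "lookalike-domain", "payment-change-request"}

# A "change" word and a "money" word within 80 characters of each other, either order.
_CHANGE = r"(?:change|changed|update|updated|new)"
_MONEY = r"(?:bank|account|routing|wire|remittance|payment)"
PAYMENT_CHANGE = re.compile(
    rf"\b{_CHANGE}\b.{{0,80}}?\b{_MONEY}\b|\b{_MONEY}\b.{{0,80}}?\b{_CHANGE}\b",
    re.IGNORECASE | re.DOTALL,
)


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts, decoded with their declared charsets."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def looks_like_internal(domain: str) -> bool:
    """True for a domain that differs from one of ours by only a character or two."""
    return any(difflib.SequenceMatcher(None, domain, ours).ratio() >= LOOKALIKE_RATIO
               for ours in INTERNAL_DOMAINS)


def triage(raw_message: str) -> dict:
    """Return sender, (tagged) subject, flags and an action: deliver, tag, or hold
    (route to a person for out-of-band verification before anyone acts on it)."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    external = domain not in INTERNAL_DOMAINS
    flags = []
    if external:
        flags.append("external-sender")
        if looks_like_internal(domain):
            flags.append("lookalike-domain")
        # Display-name impersonation: a protected name on an address we do not own.
        name = re.sub(r"\s+", " ", display).strip().lower()
        if any(protected in name for protected in EXECUTIVES):
            flags.append("executive-display-name")
    if reply_to and reply_to.lower() != sender:  # replies quietly rerouted elsewhere
        flags.append("reply-to-mismatch")
    # Checked on internal mail too: a compromised internal mailbox sends these as well.
    if PAYMENT_CHANGE.search(body_text(msg)):
        flags.append("payment-change-request")
    subject = msg.get("Subject", "")
    if external and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject
    action = "hold" if HOLD_FLAGS & set(flags) else ("tag" if flags else "deliver")
    return {"sender": sender, "subject": subject, "flags": flags, "action": action}


# Constructed sample messages, not real traffic.
SAMPLES = {
    "fake_perry": ('From: "Perry Doe" <perry.doe.ceo@gmail.com>\nSubject: Quick favor\n\n'
                   "I am in an important meeting and cannot take calls. "
                   "Can you send me your cell number so I can text you?\n"),
    "vendor_bank_change": ('From: "Acme Supplies Billing" <billing@acme-supplies.net>\n'
                           "Reply-To: <acme.billing.dept@outlook.com>\nSubject: Remittance\n\n"
                           "Please update our bank account details for all future payments.\n"),
    "internal_reminder": ('From: "Perry Doe" <perry.doe@example.com>\nSubject: Quarterly review\n\n'
                          "Reminder: the quarterly review is at 3pm today.\n"),
    "lookalike_domain": ('From: "IT Helpdesk" <helpdesk@examp1e.com>\nSubject: Password expiry\n\n'
                         "Your password expires today. Sign in at the portal to renew it.\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = triage(raw)
        print(f"{label:20} {result['action']:8} {result['flags']}")
```

Run it directly to see the decision for each sample. The word-proximity check is deliberately crude; a real gateway would combine it with SPF, DKIM and DMARC results, a first-time-sender flag and the vendor master file, but the principle is the one the article's policy point rests on: a request to redirect money is never acted on straight from the inbox.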

Unfortunately, we found through our recent treasury research that many
organizations struggle in this area. Fewer than half of the respondents to
our treasury survey reported that their organization extensively
communicates treasury policy. That means more than half of respondents
probably don’t do a great job making sure treasury policies are clear.

Nearly half of those surveyed said that employees don’t adhere to the
established policy very closely either. With cyberattacks on the rise, it’s
simply not worth taking unnecessary risks; even a single employee who plays
fast and loose with the policy could cause financial damage.

Given the growth of cyberattacks and the guarantee that they will continue,
it’s time to redouble the organization’s efforts to assess, prioritize, and
mitigate cyber risks. Investments in this area will pay off down the road,
either by preventing cyberattacks or lessening the damage they do. We might
not all be responsible for ensuring that gasoline is flowing to a large
region of the U.S. Still, these attacks threaten significant damage to a
business and its customers.