Businesses struggle to define and quantify strategic cyber threats to their operations, leaving decision-makers unprepared and under-informed as to the nature, extent, and severity of the risk they face. As new sales technologies emerge, driving towards ever more efficient commerce in both the B2B and B2C space, it is critical that organizations redefine cyber threats: not as a purely technical matter, but as a business risk.
A recent JLT-sponsored survey by Harvard Business Review Analytic Services revealed a startling disconnect: while 85 percent of firms believe that the economic costs of cyber attacks will increase in the coming year, only 23 percent have adopted a strategic plan to address the resulting business risks. The collective failure to define potential cyber threats in terms of their business impacts – e.g., B2C losses, B2B sales impacts, and revenue or EBITDA analyses – leaves businesses guessing at what the impacts might be, an approach fraught with risk.
Three emergent trends pose unique risks that will challenge even the most sophisticated organizations: i) the scaling of cyber attacks, in both severity and frequency, is creating strategic business risks; ii) systemic risks to the viability of the networks that businesses depend on require new approaches to modeling business continuity; and iii) the shifting economics of the threat are not well understood.
Scaling Impacts of Attacks
The increasing frequency and severity of cyber attacks continue to strain organizations’ ability to defend their operations effectively.
Illusion of Control
As the WannaCry and NotPetya outbreaks swept the globe in 2017, impacting more than 100 countries and triggering billions in losses, many organizations fell victim to the illusion of control. The immediate sense was that the victims were those running older systems (e.g., Windows XP) or employing poor patching policies. Yet some exceptionally sophisticated organizations fell prey to these attacks, creating significant B2B impacts and potential market share losses. NotPetya in particular entered many networks through a compromised update of a trusted accounting package and then spread laterally using harvested credentials, so fully patched hosts were compromised alongside unpatched ones; patch discipline alone was never the whole story.
Network interruption attacks are becoming increasingly daunting. The October 2016 attack on Dyn, a managed DNS provider, was the largest DDoS attack witnessed to that date, peaking at around 1 Tbps and disrupting PayPal, The New York Times, and Facebook, among hundreds of others. None of these companies was the target of the attack, yet all fell victim to its effects.
Similarly, the tight coupling of today's systems means that system or human error, not only adversaries, can produce the same outcome.
The February 2017 Amazon Web Services S3 outage (triggered by a mistyped command during routine maintenance) that impacted thousands of businesses, and the August 2017 Google routing error (a BGP route leak) that reduced Japan's internet traffic by nearly 50 percent, point to a fragility in our networks that remains hard to define yet can present significant risks to nearly any business activity, and certainly to emerging sales technologies.
These incidents point to a need for a revised approach to modeling these cyber threats – whether adversarial or system error – in much the same way as organizations model natural catastrophe impacts to their operations. Said differently, as sales technologies continue to evolve, an 'upstream' and 'downstream' analysis of the risk must be conducted to identify where risk flows into a business and where it flows out, creating third-party liabilities and risking B2B impacts. While IT departments rigorously screen their vendors for security concerns and legal teams review contract indemnity language, the new reality of large-impact and systemic risks means that 'digital supply chain' analyses must be conducted across the breadth of an organization's activities, including the DNS, cloud storage, and routing dependencies that no single vendor contract covers.
Simply put, large-scale and routine disruptions to critical portions of network traffic and internet activity must be accounted for at strategic levels.
Shifting Economics of the Threat
Too often, leaders assume a linear approach to risk identification in which critical IT systems or business processes are listed as single items in a risk register. However, true value generation within firms results from the intersection of multiple processes and systems, and too few firms map these intersections to truly understand the value at risk within the business. As emerging payment systems and new sales technologies proliferate, identifying 'crown jewels' and points of risk aggregation throughout a firm's digital ecosystem will become even more critical.
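The 'upstream/downstream' digital supply chain analysis and the risk-aggregation mapping described above can be started with a very small model. The following is an added example, not code from the article or from JLT: it records which systems and third-party services each revenue process cannot run without, inverts that table, and ranks the dependencies by how much revenue stops if each one fails. The process names, revenue figures and dependencies are constructed for illustration; a real inventory would come from the firm's own process and vendor maps.

```python
"""Added example (not from the original article): map revenue-generating
processes to the systems and third-party services they depend on, then find
the single points of failure and risk-aggregation points. All names and
revenue figures below are constructed for illustration."""
from collections import defaultdict

# Constructed example: each revenue process -> (annual revenue in USD, set of
# systems/services it cannot run without). External vendors such as a DNS
# provider or an object-storage service appear exactly like internal systems,
# which is the point: the risk register should not distinguish them.
PROCESSES = {
    "b2c_web_checkout":   (40_000_000, {"web_store", "payment_gateway", "dns_provider", "object_storage"}),
    "b2b_edi_orders":     (25_000_000, {"erp", "edi_gateway", "dns_provider"}),
    "mobile_app_sales":   (15_000_000, {"mobile_api", "payment_gateway", "dns_provider", "object_storage"}),
    "call_center_orders": (10_000_000, {"erp", "crm"}),
}


def dependency_map(processes):
    """Invert the process -> systems table into system -> processes ('downstream' view)."""
    index = defaultdict(set)
    for proc, (_, deps) in processes.items():
        for dep in deps:
            index[dep].add(proc)
    return dict(index)


def revenue_at_risk(processes, failed):
    """Annual revenue of every process that loses at least one dependency in `failed`."""
    return sum(rev for rev, deps in processes.values() if deps & failed)


def aggregation_points(processes, min_processes=2):
    """Systems whose failure halts several processes at once, ranked by revenue at risk.
    Returns (system, number of processes halted, annual revenue at risk)."""
    index = dependency_map(processes)
    ranked = [
        (system, len(procs), revenue_at_risk(processes, {system}))
        for system, procs in index.items()
        if len(procs) >= min_processes
    ]
    return sorted(ranked, key=lambda row: (-row[2], row[0]))


def stress_scenario(processes, failed, days, annual_days=365):
    """Revenue lost if the systems in `failed` are down for `days`, assuming
    revenue accrues evenly across the year (a simplifying assumption)."""
    return revenue_at_risk(processes, failed) * days / annual_days


if __name__ == "__main__":
    total = sum(rev for rev, _ in PROCESSES.values())
    for system, n, rar in aggregation_points(PROCESSES):
        print(f"{system:16s} halts {n} processes, {rar / total:5.1%} of revenue at risk")
    loss = stress_scenario(PROCESSES, {"dns_provider"}, days=1)
    print(f"one-day DNS provider outage: ${loss:,.0f} lost revenue")
```

Run as a script, it shows that the DNS provider, which no single process owns and which probably appears nowhere in the risk register, halts three of the four revenue processes. Replacing the constructed table with a real inventory of processes, systems and vendors turns the same few functions into the 'crown jewels' list the passage calls for.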
Have We Learned the Wrong Lessons?
Ransomware and Business Email Compromise (BEC) dominate the headlines, and for good reason. In 2016, ransomware payments were estimated to total more than $1B, while BEC losses reached nearly $5B over the preceding four years. Despite how significant these figures are in the aggregate, the risk to any one organization has been relatively small. However, the severity of the risk may be changing.
When considered in light of the EU General Data Protection Regulation (GDPR, enforced from May 2018), under which fines can reach four percent of global annual turnover, one can foresee a new reality of extortion that leverages the regulatory penalty itself, changing the landscape as we consider new B2C sales technologies.
Even within this context, there is much we can (and must) do to counter today’s threats while preparing for tomorrow’s risks.
- Businesses must re-conceptualize cyber risk in business terms. By doing so, they can gain clarity around the true nature of first- and third-party liabilities, as well as potential lost business opportunities.
- Develop sensible metrics to evaluate the cyber risk: i) measure the volatility of cyber risk across business units; ii) conduct a financial stress test to capture revenue or EBITDA impacts; iii) evaluate the efficiency of risk capital against the volatility of the risk; and iv) examine the potential market cap impacts of cyber attacks.
- Hedge the risk. Cyber insurance acts as a hedge against balance sheet impacts. In this manner, insurance works as a compensating control and should be viewed as an asset that can 'compress' financial impacts following a breach.
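The metrics in the second point (expected loss, volatility, a stress test against EBITDA) and the 'compression' of impacts in the third can be made concrete with a simple Monte Carlo loss model. The block below is an added example, not part of the article: it draws the number of incidents per year from a Poisson distribution and each incident's cost from a lognormal distribution, reports the expected loss, its standard deviation (the volatility), the 1-in-100-year loss and its tail mean, expresses the 1-in-100 loss as a share of EBITDA, and then re-runs the figures net of a policy with a retention and a limit. The frequency and severity parameters, the EBITDA figure and the policy terms are constructed assumptions chosen to keep the arithmetic readable; the closed-form expected loss is included only as a sanity check on the simulation.

```python
"""Added example (not from the original article): a Monte Carlo loss model
for the risk metrics the article proposes. Frequency (Poisson) and severity
(lognormal) parameters, the EBITDA figure and the insurance terms are
constructed assumptions, not data from the article."""
import math
import random
import statistics


def simulate_annual_losses(rate, mu, sigma, years=20_000, seed=7):
    """Compound Poisson/lognormal model: on average `rate` incidents per year,
    each costing exp(N(mu, sigma)). Returns one simulated total loss per year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        # Poisson draw via Knuth's method (fine for the small rates used here).
        n, p, threshold = 0, 1.0, math.exp(-rate)
        while True:
            p *= rng.random()
            if p <= threshold:
                break
            n += 1
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return losses


def analytic_expected_loss(rate, mu, sigma):
    """Closed-form expected annual loss, used to sanity-check the simulation."""
    return rate * math.exp(mu + sigma ** 2 / 2)


def risk_metrics(losses, ebitda):
    """Expected loss, volatility, 1-in-100-year loss (VaR), tail mean (TVaR),
    and the VaR as a share of EBITDA for the stress test."""
    ordered = sorted(losses)
    var99 = ordered[int(0.99 * len(ordered)) - 1]
    tail = [x for x in ordered if x >= var99]
    return {
        "expected_loss": statistics.fmean(losses),
        "volatility": statistics.pstdev(losses),
        "var99": var99,
        "tvar99": statistics.fmean(tail),
        "var99_pct_ebitda": var99 / ebitda,
    }


def apply_insurance(losses, retention, limit):
    """Net losses after a policy that pays (loss - retention), capped at `limit`:
    the 'compression' of the tail the article attributes to insurance."""
    return [x - min(max(x - retention, 0.0), limit) for x in losses]


if __name__ == "__main__":
    # Constructed assumptions: 3 incidents/year, median cost $200k, heavy tail.
    RATE, MU, SIGMA = 3.0, math.log(200_000), 1.0
    EBITDA = 50_000_000                      # constructed
    RETENTION, LIMIT = 500_000, 5_000_000    # constructed policy terms
    gross = simulate_annual_losses(RATE, MU, SIGMA)
    net = apply_insurance(gross, RETENTION, LIMIT)
    print(f"analytic expected loss: ${analytic_expected_loss(RATE, MU, SIGMA):,.0f}")
    for label, sample in (("gross", gross), ("net of insurance", net)):
        m = risk_metrics(sample, EBITDA)
        print(f"{label}: EL ${m['expected_loss']:,.0f}  vol ${m['volatility']:,.0f}  "
              f"VaR99 ${m['var99']:,.0f}  TVaR99 ${m['tvar99']:,.0f}  "
              f"VaR99/EBITDA {m['var99_pct_ebitda']:.1%}")
```

The interesting comparison is the gross and net lines: the policy barely moves the expected loss but cuts the 1-in-100 figure and the volatility, which is exactly what 'risk capital efficiency against volatility' is measuring. Swapping the Poisson/lognormal assumptions for a firm's own incident history and quotes is the only change needed to use the same functions in earnest.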
Fundamentally, businesses today face a war of attrition as they move to defend an increasingly dynamic attack surface. Unfortunately, organizations have to succeed every day, while attackers only have to succeed once. The asymmetry is overwhelming, yet the adoption of new approaches to mapping the risk, measuring its financial volatility, and evaluating the efficacy of risk capital can position firms for success in this era of strategic insecurity.