As the incidence of cyberattacks rises, organizations need to be better prepared to mitigate such events. Cybercriminals are increasingly gaining access to tools like ransomware, making it easier for them to launch attacks, and consequently, it is imperative that organizations have a defined cyber risk management strategy to deal with these attacks.
Interestingly, in the past year even Canada, with its relatively small market size, had the third highest rate of cyberattacks in the world, according to a recent study. Costs of dealing with cyber breaches are on the rise as well, with Canada having some of the highest. In 2018, the average cost of a cyber breach was US$ 3.86 million, up by 6.4% from the year before. A possible reason for this is the troubling trend found by the Canadian Internet Registration Authority (CIRA), whose survey showed that 37% of respondents didn’t have malware protection and 71% didn’t have a patching policy.
With such troubling trends, it’s clear that cyber risk should be high on the priority list of risks for organizations to mitigate. There are a few key factors that organizations should consider in order to ease the process of dealing with a cyberattack as it unfolds.
Clear Communication of Cyber Risks to the Board
In the event of a cyber breach, a CIO will jump in to evaluate the risks and the possible cost of the breach, and implement the organization’s risk mitigation strategy (which they hopefully have in place; see why below). This process is developed from a deep understanding of, and experience with, cybersecurity, and it is one that might not necessarily translate to the board. As such, a key portion of board risk reporting should be an awareness of where the board’s understanding of cybersecurity stands, and bridging the gap in cyber risk thinking between the technology team and the board. The board might consider a breach a non-issue and put it low on the list of priorities to deal with. They need to be primed and informed proactively about what the effects would be, in terms of real dollars (not to mention company reputation and information security), if a cyberattack were to hit the company, why they need to be concerned, and how to proceed post-breach. This will create a greater understanding of cybersecurity in the board’s mind and place it higher on their list of priorities.
Having a Defined Cyber Risk Management Strategy
A cyber risk management strategy will let you get out in front of the cybercriminals and give you a clear blueprint to follow in order to mitigate a breach. Imagine a DDoS attack that shuts down company servers, preventing potential clients from engaging with your website and causing a drop in purchases (read: revenue). A defined risk strategy will allow such an attack to be mitigated quickly and minimize the hit to your balance sheet.
Another asset that can be affected by a cyberattack is company reputation – it is intangible, yet invaluable. The Equifax breach should be a case study in the book of terrible cyber risk strategy management. The company announced the breach on September 7, 2017. The first time it noticed suspicious traffic was on July 7, after which an independent cybersecurity firm was hired to conduct an investigation into the attack, an investigation that did not begin until August 2. These large time gaps show that Equifax was scrambling to find a way to mitigate the attack, or was simply lazy (which is even worse). To make matters worse, Equifax executives sold $1.8 million in company stock between August 1 and 2, creating the impression that they knew of the breach (although they denied it) and further damaging company reputation.
With new and increasingly dangerous cyberattacks being staged by criminals, cyber risk mitigation should be a cornerstone of an enterprise’s risk management framework. Board communication is pertinent to this and is crucial in providing an organization with a response plan following a cyber breach.