Is Your Organization Treating Cyber Risk as a Business Risk?
IT Risk & Cyber Risk | 4 Min Read | 27 July 22 | by Patricia McParland
You may think of cyber risk as a technology risk – but it’s also a top business risk! Consider these recent headlines:
- The BBC reported that Swiss airspace was closed for hours and flights in and out of Switzerland were suspended because of a computer failure at the air traffic control service Skyguide.
- The New York Times reported how a cyberattack on a supplier to the auto giant Toyota halted production in Japan.
- CBS News reported that a ransomware attack which cut Lincoln College, Illinois, off from the data it used for student recruitment, retention, and fundraising was one of the major reasons the 157-year-old institution shut down.
All of these stories show that the impact of a cyber incident today is a serious business consequence. Cyber risk can no longer be treated as merely an "IT problem". In a connected ecosystem, cyber incidents lead to financial losses, reputational damage, legal issues, regulatory fines, and even business closures. Leaders are well aware of this: according to the 2021 Gartner Board of Directors Survey, 88% of boards now view cybersecurity as a business risk, up by 30% since 2017.
Top Reasons Why Cyber Risk is Now a Business Risk
Several developments have pushed cyber risk onto the business-risk agenda. The most important are:
- Software weaknesses in critical infrastructure: To meet innovation and time-to-market demands, software has moved from internally written code to a mix of components: custom code, open-source software, third-party proprietary libraries, and external APIs. Every added component is code the organization did not write and may not even know it is running, which widens the scope of cyber risk. The Log4j vulnerability disclosed in December 2021 (Log4Shell, CVE-2021-44228), which was followed by a reported 100 new exploitation attempts every minute, is a prime example.
Chris Inglis, National Cyber Director, commented on the situation saying that the Log4j vulnerability "has highlighted the need to improve our software security and the transparency of our software supply chain." Unpatched instances remain exploitable today: Log4j 2 builds from 2.0-beta9 through 2.14.1 are affected, including copies bundled inside vendor products, so inventorying dependencies and upgrading to a fixed release (2.17.1 or later on current Java versions) still requires vigilance.
- IT vendor risk: Headlined by the discovery of the SolarWinds attack in December 2020, supply chain attacks have risen steadily through 2021 and 2022. The Third-Party Risk: A Turbulent Outlook Survey Report 2022 highlights an accelerating threat from IT vendors and third parties: 60% of respondents experienced an IT security incident in the past two years because of a third-party partner with access privileges.
More alarming, those same respondents were also the most likely to have had sensitive data stolen or to have suffered some type of business outage.
Download the report: Third-Party Risk: A Turbulent Outlook Survey Report 2022
- Cloud security gaps: With almost every organization having adopted cloud computing to some degree, gaps in cloud security keep adding to cyber risk. The OMIGOD vulnerabilities disclosed in September 2021 in Azure's Open Management Infrastructure (OMI) agent are a case in point: the agent was installed automatically by several Azure services, so many customers were exposed without knowing it until the fixed agent version was rolled out. Organizations are aware of this exposure.
Check Point's 2022 Cloud Survey report found that 66% of organizations are concerned about cyber risk involving the exposure of sensitive data in the cloud, while 42% were concerned about legal and regulatory compliance with data protection regulations such as PCI DSS and HIPAA.
An emerging way to address cloud security and compliance requirements is continuous control monitoring, or CCM. CCM tests security controls automatically, on a schedule or whenever the environment changes rather than only at audit time, and records evidence of each test so that effectiveness can be demonstrated later. That improves compliance and lessens reliance on outdated manual testing protocols.
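To make the CCM pattern concrete, here is an added example, not MetricStream's or any vendor's code, that evaluates a handful of common cloud-security controls against a constructed account snapshot and writes an evidence record for each test. The snapshot layout, the control IDs (IAM-01, STO-01, and so on) and the resource names are hypothetical; the point is the shape of the loop: run every control, keep the finding list and a digest of the exact input it was judged against, and compare runs to see which controls drifted.

```python
"""Continuous control monitoring (CCM) in miniature.

Added example, not MetricStream's or any vendor's code. Controls are tested
automatically against an inventory snapshot and evidence is kept per test.
The snapshot format and control IDs below are hypothetical.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed snapshot of one account, shaped loosely like a cloud
# inventory export. Not real data.
SNAPSHOT = {
    "account": "example-prod",
    "iam_users": [
        {"name": "alice", "console": True, "mfa": True},
        {"name": "bob", "console": True, "mfa": False},
        {"name": "deploy-bot", "console": False, "mfa": False},
    ],
    "buckets": [
        {"name": "app-assets", "public_read": False, "encryption": "AES256"},
        {"name": "legacy-exports", "public_read": True, "encryption": None},
    ],
    "security_groups": [
        {"id": "sg-web", "rules": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-admin", "rules": [{"port": 22, "cidr": "10.0.0.0/8"}]},
    ],
}


@dataclass
class Evidence:
    control_id: str
    passed: bool
    findings: list          # non-compliant resources, empty when the control passes
    checked_at: str         # ISO-8601 timestamp of the test
    snapshot_digest: str    # SHA-256 of the exact input the control was judged against


def _digest(obj) -> str:
    # Canonical JSON so the same inventory always hashes the same way.
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


# Each control returns the list of resources that violate it.
def control_console_users_have_mfa(snap):
    return [u["name"] for u in snap["iam_users"] if u["console"] and not u["mfa"]]


def control_no_public_buckets(snap):
    return [b["name"] for b in snap["buckets"] if b["public_read"]]


def control_buckets_encrypted(snap):
    return [b["name"] for b in snap["buckets"] if not b["encryption"]]


def control_no_world_ssh(snap):
    return [g["id"] for g in snap["security_groups"]
            for r in g["rules"] if r["port"] == 22 and r["cidr"] == "0.0.0.0/0"]


# Hypothetical control IDs; map them to whatever framework you report against.
CONTROLS = {
    "IAM-01": control_console_users_have_mfa,
    "STO-01": control_no_public_buckets,
    "STO-02": control_buckets_encrypted,
    "NET-01": control_no_world_ssh,
}


def run_controls(snap, now=None):
    """Evaluate every control and return one Evidence record per control."""
    now = now or datetime.now(timezone.utc).isoformat()
    digest = _digest(snap)
    return [Evidence(cid, not (f := check(snap)), f, now, digest)
            for cid, check in CONTROLS.items()]


def summarize(results):
    passed = sum(1 for r in results if r.passed)
    return {"total": len(results), "passed": passed, "failed": len(results) - passed}


def drift(previous, current):
    """Controls whose pass/fail status changed between two runs."""
    prev = {e.control_id: e.passed for e in previous}
    return [e.control_id for e in current
            if e.control_id in prev and prev[e.control_id] != e.passed]


if __name__ == "__main__":
    current = run_controls(SNAPSHOT)
    for e in current:
        print(json.dumps(asdict(e)))
    print(summarize(current))
```

In a real deployment the snapshot comes from the cloud provider's inventory API and the evidence records go to an append-only store; the digest is what lets an auditor later tie a "passed" record to the exact configuration that was tested, rather than to whatever the environment looks like on the day of the audit.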
- Increase in cyberattacks and ransomware: Cyberattacks continue to rise, both in number and in sophistication. Accenture's State of Cybersecurity Resilience 2021 study found an average of 270 attacks per company over the year, a 31% increase on the previous year.
Ransomware remains a constant threat to organizations across sectors. According to the State of Ransomware in the US study, an estimated 77 state and municipal governments and agencies, 1,043 schools, and 1,203 healthcare providers were victims in 2021.
Read the eBook: Five Critical Capabilities for Effective Cyber Risk Management
Build Cyber Resilience with MetricStream CyberGRC
MetricStream's CyberGRC, built as an interconnected, intuitive, and intelligent GRC product set, lets your organization connect cyber risk data from across the enterprise and turn it into actionable business intelligence for data-driven decisions that build cyber resilience.
MetricStream CyberGRC further enables your organization to manage and mitigate cyber risk effectively by:
- Quantifying cyber risks in monetary terms to assess risks more accurately, communicate them more effectively, and make better-informed cyber investment decisions
- Leveraging intelligent issue and remediation management to document, investigate, and resolve IT compliance and control issues in a systematic, automated manner
- Strengthening visibility into the overall compliance profile with intuitive dashboards and real-time reports
- Harmonizing controls across multiple IT regulations and frameworks, improving compliance and saving effort and costs
- Proactively managing and mitigating IT and cyber risks by continuously monitoring controls for effective cyber risk management
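Quantifying cyber risk in monetary terms, the first capability listed above, usually means a FAIR-style model: estimate how often a loss event occurs and how large each one is, then simulate many years to get an expected annual loss and a loss-exceedance curve that a board can compare against the cost of a control. The following is an added example of that approach, not MetricStream's or any vendor's method; the scenario name and its frequency and magnitude parameters are illustrative guesses, not data from any organization.

```python
"""Monte Carlo cyber loss quantification (FAIR-style).

Added example, not MetricStream's or any vendor's method. Event frequency
is modelled as Poisson and per-event loss as lognormal; simulating many
years yields the annualized loss expectancy (ALE) and the loss-exceedance
curve. Scenario parameters below are illustrative, not measured data.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    events_per_year: float   # expected loss-event frequency (Poisson rate)
    loss_median: float       # median loss per event, in currency units
    loss_sigma: float        # lognormal sigma: how widely per-event loss varies

    @property
    def mean_loss_per_event(self) -> float:
        # Lognormal mean is exp(mu + sigma^2 / 2) with mu = ln(median).
        return self.loss_median * math.exp(self.loss_sigma ** 2 / 2)

    @property
    def analytic_ale(self) -> float:
        # Annualized loss expectancy: frequency times mean magnitude.
        return self.events_per_year * self.mean_loss_per_event


def _poisson(rng, lam):
    # Knuth's method; adequate for the small annual rates used in risk scenarios.
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate(scn, years=20000, seed=1):
    """Return one total-loss figure per simulated year."""
    rng = random.Random(seed)   # fixed seed so results are reproducible
    mu = math.log(scn.loss_median)
    losses = []
    for _ in range(years):
        n = _poisson(rng, scn.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, scn.loss_sigma) for _ in range(n)))
    return losses


def percentile(values, p):
    s = sorted(values)
    idx = min(len(s) - 1, int(round(p / 100 * (len(s) - 1))))
    return s[idx]


def prob_exceeding(losses, threshold):
    """One point on the loss-exceedance curve: P(annual loss > threshold)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def summarize(losses):
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p99": percentile(losses, 99),
        "prob_any_loss": prob_exceeding(losses, 0),
    }


if __name__ == "__main__":
    # Hypothetical scenario: ransomware entering through a vendor's remote access.
    scn = Scenario("Ransomware via third-party VPN access", 0.3, 400_000, 1.0)
    losses = simulate(scn)
    print(f"{scn.name}: analytic ALE {scn.analytic_ale:,.0f}")
    for k, v in summarize(losses).items():
        print(f"  {k}: {v:,.2f}")
    print(f"  P(loss > 1,000,000): {prob_exceeding(losses, 1_000_000):.3f}")
```

The median year in this scenario has no loss at all, which is why the expected annual loss is a poor number to show on its own: the p90 and p99 figures and the exceedance probabilities are what tell a board how bad a bad year is, and a control's value is the drop in those figures per unit of cost.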
Want to learn more about how MetricStream CyberGRC can help build cyber resilience? Write to me at firstname.lastname@example.org. You can also request a customized demo to see how our product works.