Are organizations treating cyber risk as a quantifiable business risk?

By Shankar Bhaskaran, Managing Director – India, MetricStream
Businesses across industries today have become digitized not just as an operational enhancement but as an inevitable requirement. However, the spike in the number of digital endpoints has also meant an uptick in the level of cyber risk that organizations must deal with.

This leads to the question: are organizations still looking at cybersecurity as a technology risk that can be handled by the IT department alone? It’s high time the thought process changed, because cybersecurity is now a leading business risk, driven by changing workplace dynamics and the interconnected nature of advanced IT infrastructures.

Cyberattacks, data breaches, and financial losses are not just affecting IT systems but are known to compromise the entire organization’s ability to operate normally, affecting overall business continuity.

In June, the Swiss airspace was closed to traffic for security reasons after a computer failure at its air traffic control service. Similarly, in India, a major airline was forced to cancel several flights after a major ransomware attack. Other airline companies were also targeted. This caused delays, cancellations, and business disruptions.

These incidents are clear examples of how cyberattacks today can impact businesses, a fact supported by studies too. The 2021 Gartner Board of Directors Survey found that 88% of boards now view cybersecurity as a business risk, up by 30% since 2017. Ultimately, a cyber breach can lead to financial losses, reputational damage, legal issues, regulatory fines, and even business closures.

It can also affect the supply chain, clients, and even partner ecosystems.

Key reasons why cyber risk is now a business risk

There are a host of reasons why cyber risk is now largely being viewed as a business risk. Some of these reasons are:

Third-party risks: At a time when third parties are present throughout an organization’s supply chain, third-party risk tops the list of cyber risks. The 2022 Forbes CyberRisk Alliance survey of 301 IT and cybersecurity decision makers and influencers who work with outside vendors found that 95% of organizations partner with IT software, platform, or service providers. The findings of another study, the Third-Party Risk: A Turbulent Outlook Survey Report 2022, also highlight an accelerating threat from extended IT vendors and third parties.

As many as 60% of respondents said they experienced an IT security incident in the past two years due to a third-party partner with access privileges.

Critical infrastructure vulnerabilities: Today, critical infrastructure within organizations is becoming more complex and more reliant on networks of connected devices. Expectedly, the vulnerability of this infrastructure to cyberattacks and technical failures is a huge concern. Software is no longer purely internally written code, as it was in older times, but has become an amalgamation of components including custom code, open-source software, third-party proprietary libraries, and external APIs.

This has amplified the scope of cyber risk. The Log4j vulnerability, discovered in December 2021, which resulted in 100 new hacking attempts every minute, is a prime example.

Rise in cyberattacks and ransomware: Business disruption as a result of cyberattacks and ransomware attacks is expensive on many levels. The downtime, expenses, and reputational costs can run to hundreds of thousands of dollars and can even force a business to shut down. The World Economic Forum has pointed out that cyberattacks were the No. 5 rated risk in 2020, have become the new norm across both the public and private sectors, and are expected to double by 2025.

Cloud security risks: Cloud usage has risen significantly over the last few years, especially in the aftermath of the pandemic. However, if cloud data is compromised, companies face a huge risk of loss, with revenue, reputation, and business continuity all at stake. As per an IBM study, the average cost of a data breach is approximately $8.64 million, and it takes almost 280 days for a company to detect, remediate, and recover. Moreover, there is a high chance that many companies will not even survive a major breach.

How can organizations deal with an expanding risk landscape?

Every business must take steps to protect itself and prepare for attacks. Understanding the risks connected to cyberattacks can help organizations plan the best way to deal with them. The blueprint for managing risk should be multi-pronged, with elements of response, recovery, and prevention of future incidents. Business leaders need a comprehensive risk-management platform that can give them an overarching and unified view of risk. An AI-enabled Governance, Risk, and Compliance (GRC) platform that offers an integrated approach to GRC is the key to bringing everything together.

When powered by AI, Connected GRC software provides an overarching framework for companies to work within. From compliance to IT security, legal functions, insights, and audits, AI creates a powerful mechanism for companies to best protect themselves.

These integrated programs help with collaboration and sharp insights, with intelligence gained from both machine learning and human observation. AI-based risk quantification platforms also enable a tighter alignment with boards and executives. CXOs can better understand how much their business may be exposed to cyber risks and what is at stake in rupee or dollar value. CISOs can be accurate about the impact of cyber risks like data breaches, identity theft, and infrastructure downtime.
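The paragraph above argues that cyber risk should be expressed to the board as a measurable exposure in dollar or rupee terms. As an added illustration, not MetricStream's code or any GRC platform's method, the Python script below quantifies annual loss exposure for three constructed scenarios that echo the article's themes (ransomware, third-party breach, cloud misconfiguration) using a frequency-times-severity Monte Carlo model of the kind used in FAIR-style analyses. Every scenario name, frequency, loss figure and the loss tolerance are made-up assumptions; the point is the shape of the output (expected loss, tail losses, and the chance of exceeding a stated tolerance), which is what turns "cyber risk" into a business number.

```python
import math
import random
from dataclasses import dataclass

# z-score of the 90th percentile of a standard normal; used to turn a
# (median, p90) pair of per-event losses into lognormal parameters
Z90 = 1.2815515655446004


@dataclass
class Scenario:
    """One loss scenario: how often it happens and how bad each event is."""
    name: str
    annual_frequency: float  # expected events per year (Poisson rate)
    loss_median: float       # median loss per event, in currency units
    loss_p90: float          # 90th-percentile loss per event

    def lognormal_params(self):
        # Per-event loss is lognormal: median = exp(mu), p90 = exp(mu + Z90 * sigma)
        mu = math.log(self.loss_median)
        sigma = (math.log(self.loss_p90) - mu) / Z90
        return mu, sigma

    def expected_annual_loss(self):
        # Closed form: rate times the lognormal mean exp(mu + sigma^2 / 2)
        mu, sigma = self.lognormal_params()
        return self.annual_frequency * math.exp(mu + sigma ** 2 / 2)


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenarios, years=10000, seed=1):
    """Return one simulated total loss per year, summed across all scenarios."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    params = [(s, *s.lognormal_params()) for s in scenarios]
    totals = []
    for _ in range(years):
        total = 0.0
        for scenario, mu, sigma in params:
            for _ in range(poisson(rng, scenario.annual_frequency)):
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    return totals


def percentile(values, q):
    ordered = sorted(values)
    return ordered[int(round(q * (len(ordered) - 1)))]


def summarize(totals, tolerance):
    """Board-level view: expected loss, tail losses, chance of breaching tolerance."""
    return {
        "mean": sum(totals) / len(totals),
        "p50": percentile(totals, 0.50),
        "p90": percentile(totals, 0.90),
        "p95": percentile(totals, 0.95),
        "prob_exceeds_tolerance": sum(t > tolerance for t in totals) / len(totals),
    }


# Constructed scenarios: illustrative numbers, not taken from any survey or vendor
SCENARIOS = [
    Scenario("ransomware outage", 0.3, 2_000_000, 10_000_000),
    Scenario("third-party data breach", 0.5, 500_000, 4_000_000),
    Scenario("cloud misconfiguration exposure", 1.0, 50_000, 400_000),
]
LOSS_TOLERANCE = 5_000_000  # assumed annual loss the board is willing to absorb

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:32s} expected annual loss: {s.expected_annual_loss():>14,.0f}")
    report = summarize(simulate_annual_losses(SCENARIOS), LOSS_TOLERANCE)
    for key, value in report.items():
        print(f"{key:24s} {value:>16,.2f}")
```

The closed-form expected annual loss is what a simple "likelihood times impact" sheet would give; the simulated percentiles and the probability of exceeding the tolerance are what the Monte Carlo adds, because the tail (a bad ransomware year) is what actually threatens business continuity, and a single average hides it.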

Utilizing AI, decision makers can see the bigger picture, connecting the dots through large data sets that were previously overwhelming to manage. In general, building a culture of security should be a prime focus for every organization. While empowering employees to play a key role in protecting the organization is one way, another important one is to invest in robust systems that can leverage actionable business intelligence to make data-driven decisions toward cyber resilience.

This can be made possible only if organizations start looking at cyber risk not in isolation, but in a holistic way, as a measurable business risk that can be predicted and prevented.
