As the frequency of cyberattacks keeps rising, organizations need to be better prepared to mitigate such events. Cybercriminals are increasingly gaining access to tools such as ransomware, making it easier for them to launch attacks, and consequently, organizations must have a defined cyber risk management strategy to deal with these attacks.
In 2018, the average cost of a cyber breach was $3.86 million, up by 6.4% from the year before. The percentage increase has since doubled, bringing the total cost of a cyberattack to $4.6 million in 2019. The high cost of a breach is due to inadequate or non-existent protection against a hack. The Canadian Internet Registration Authority (CIRA) researched this troubling trend and found that 37% of survey respondents didn’t have malware protection, and 71% didn’t have a patching policy in place. With such troubling findings, it’s clear that mitigating cyber risk should be high on the priority list for organizations. There are a few key factors that organizations should consider implementing to ease the process of dealing with a cyberattack as it unfolds and of protecting against another occurrence.
Clear Communication of Cyber Risks to the Board
In the event of a cyber breach, a CIO or similar team will jump in immediately to evaluate the risks. Once an analysis of the situation is complete, the team should begin implementing the organization’s risk mitigation strategy (if it exists). Understanding the cost of the situation is essential for reporting back to the rest of the executive team so that they understand how much damage was done.
This process is developed from deep understanding and experience of cybersecurity and is one that might not necessarily translate to the board. As such, a key portion of the risk reporting should be an awareness of where the board’s understanding of cybersecurity lies, and bridging the gap in cyber risk thinking between the technology team and the board. The board might consider a breach a non-issue and put it low on the list of priorities to deal with. They need to be primed and informed proactively about what the effects would be in real dollars if a cyberattack were to hit the company (not to mention company reputation and information security), why they need to be concerned, and how to proceed post-breach. This will create a greater understanding of cybersecurity in the board’s mind and place it higher on their list of priorities.
Having a Defined Cyber Risk Management Strategy
A cyber risk management strategy will let you get out in front of the cybercriminals and give you a clear blueprint to follow in order to mitigate the breach. Imagine a DDoS (distributed denial-of-service) attack that shuts down company servers, preventing potential clients from engaging with your website and causing a drop in purchases (read: revenue). A defined risk strategy will allow the attack to be quickly mitigated and minimize the hit to your balance sheet.
Another asset that can be affected by a cyberattack is company reputation – it is intangible, yet invaluable. Having already mentioned the Equifax breach in this blog setting, it is important to remember the case study and the company’s poor management of cyber risk. The company announced the breach on September 7th, 2017. The first time it noticed suspicious traffic was on July 7th, after which an independent cybersecurity firm was hired to investigate the attack; that investigation started on August 2nd. These large time gaps are an example of Equifax scrambling to find a way to mitigate the attack at the last minute, or being lazy (which is even more unfortunate). To make matters worse, Equifax executives sold $1.8 million in company stock between August 1st and 2nd, which created the impression that they knew of the breach (although they denied it) and further damaged the company’s reputation. Imagine how current customers must feel since the breach; what would make a potential customer want to sign up for their services after such an occurrence (and feel confident about their security)?
To sum it up!
With new and increasingly dangerous cyberattacks being staged by criminals, cyber risk mitigation should be a cornerstone of an enterprise’s risk management framework. It is central to board communication and is crucial in providing an organization with a response plan following a cyber breach. Another huge part of risk management and prevention is teaching employees what to look for so that they are able to identify suspicious activity. In our most recent webinar, we discussed what a ransomware attack looks like and illustrated ways to prevent it from the start. Watch today!