By Shankar Bhaskaran, Managing Director – India, MetricStream
Today, businesses in all industries have digitized not just as an operational improvement, but as an inevitable requirement. However, the surge in the number of digital terminals has also led to an increase in the level of cyber risk that organizations have to deal with.
This brings us to the next question: do organizations still view cybersecurity as a technology risk that can be managed by IT alone? It is high time for the thinking process to change, as cybersecurity is now a major business risk thanks to changing workplace dynamics and the interconnected nature of advanced IT infrastructures.
Cyberattacks, data breaches and financial losses do not just affect IT systems, but are known to compromise the ability of the entire organization to function normally, affecting overall business continuity.
In June, Swiss airspace was closed to traffic for security reasons after a computer breakdown with its air traffic control service. Similarly in India, a major airline was forced to cancel several flights after a major ransomware attack. Other airlines have also been targeted. This has caused delays, cancellations and business interruptions.
These incidents are clear examples of how cyberattacks can impact businesses today, a fact also supported by studies. A 2021 Gartner board survey found that 88% of boards now view cybersecurity as a business risk, up 30% since 2017. Ultimately, a cyber breach can lead to financial losses, reputational damage, legal problems, regulatory fines and even business closures.
It can also affect the supply chain, customers and even partner ecosystems.
Top reasons why cyber risk is now a business risk
There are a multitude of reasons why cyber risk is now widely considered a business risk. Some of these reasons are:
Third-party risks: At a time when third parties are prevalent throughout an organization’s supply chain, they are high on the list of cyber risks. The Forbes CyberRisk Alliance 2022 survey of 301 IT and cybersecurity decision makers and influencers who have worked with external vendors found that 95% of organizations partner with IT software, platforms or service providers. Findings from another study, Third-Party Risk: A Turbulent Outlook Survey Report 2022, also point to an accelerating threat from extended IT vendors and third parties.
Up to 60% of respondents said they had experienced an IT security incident in the past two years due to a third-party partner with access privileges.
Critical infrastructure vulnerabilities: Today, critical infrastructure within organizations is becoming more complex and dependent on networks of connected devices. As expected, the vulnerability of this infrastructure to cyberattacks and technical failures is a major concern. Software is no longer code written in-house, as it once was, but an amalgamation of components including custom code, open source software, third-party proprietary libraries, and external APIs.
This has amplified the scope of cyber risk. The Log4j vulnerability, discovered in December 2021, which caused 100 new hacking attempts every minute, is a major example.
Rise in cyberattacks and ransomware: Business disruption from cyberattacks and ransomware attacks is costly on many levels. Downtime, expense and reputational costs can range from hundreds of thousands of dollars to closing a business. The World Economic Forum highlighted cyberattacks as the No. 5 ranked risk in 2020; they have become the new normal in the public and private sectors and are expected to double by 2025.
Cloud security risks: Cloud usage has increased dramatically over the past few years, especially in the aftermath of the pandemic. However, if cloud data is compromised, businesses run a huge risk of loss, with revenue, reputation, and business continuity at stake. According to an IBM study, the average cost of a data breach is approximately $8.64 million and it takes a business nearly 280 days to detect, fix and recover. Also, chances are that many companies won’t even survive a major breach.
How can organizations cope with an expanding risk landscape?
Every business must take steps to protect itself and prepare for attacks. Understanding the risks related to cyberattacks can help organizations plan how best to manage risk. The risk model should be multi-pronged, with elements of response, recovery and future prevention. Business leaders need a comprehensive risk management platform that can give them a holistic, unified view of risk. An AI-powered governance, risk, and compliance (GRC) platform that offers an integrated approach to GRC is the key to bringing it all together.
When powered by AI, Connected GRC software provides a holistic framework for businesses to work in, from compliance to IT security, legal, information and auditing. AI creates a powerful mechanism allowing companies to better protect themselves.
These integrated programs facilitate collaboration, accurate insights, and intelligence gained through both machine learning and human observations. AI-based risk quantification platforms also enable closer alignment with boards and executives. CXOs can better understand how exposed their business may be to cyber risk and what is at stake in rupee or dollar value. CISOs can be specific about the impact of cyber risks such as data breaches, identity theft, and infrastructure downtime.
Using AI, decision makers can see the big picture, connecting the dots across large datasets that were previously overwhelming to manage. In general, creating a culture of safety should be a priority for every organization. While empowering employees to play a key role in protecting the organization is one way, another important one is investing in robust systems that can leverage actionable business intelligence to make informed decisions on cyber resilience data.
This can only be made possible if organizations start looking at cyber risk not in isolation, but holistically as a measurable business risk that can be predicted and prevented.