Cyber Security Risk Management: Finding and Fixing Your Security Vulnerabilities
Increased automation and artificial intelligence have made cyber security preparations a vital piece of any risk management program. In this session at the RIMS 2019 Conference and Exhibition, panelists spoke about our growing dependence on cyber networks and the scale of the threats we should be addressing.
Speakers included:
- Philip Renaud, Executive Director, The Risk Institute
- James Trainor, Senior Vice President, Aon’s Cyber Solutions Group
Cyber breaches can be extremely expensive for an organization. The Equifax breach cost the company $600 million. After the Cambridge Analytica situation, Facebook lost $134 billion in market value, not to mention the reputational impact. The importance of preparing for cyber risk and developing the ability to be resilient in the face of such breaches cannot be overstated. In order to properly prepare for the possibility of a breach, an organization's cyber risk management program should include multiple functional areas. Risk Management, Security, Legal, Human Resources, Project Management and Business representatives should all be included in the development and execution of any plan.
Cyber Threat Landscape
- Role of government – Many government agencies participate in the identification and investigation of cyber breaches, including the FBI, Homeland Security, Department of Defense, NSA and CIA.
- Volume of cases – The FBI has about 2,600 computer intrusion cases open at any given time.
- Types of attacks – Cyber breaches include Business Email Compromise (BEC), cryptojacking, doxing, extortion, ransomware, theft of data, website defacements and many more.
- Information sharing – The government tries to learn from each breach and share that information with the business community in order to prevent future breaches.
- Who commits these breaches – There are five types of actors that commit cyber crimes: nation states, hacktivists, terrorists, criminals and insiders.
There are three general categories of known vulnerabilities:
- People get phished, share passwords, and demand ease of use and inexpensive solutions.
- Process relies on technology and people.
- Tools (systems) are complex, aging and interconnected.
Success in cyber security risk management should not be defined as no breaches. It should be defined as managing risk in a way that minimizes breaches and responds to them successfully. In order to do that, there is a three-pronged approach you can use:
- Identify high value assets.
- Mitigate known threats and vulnerabilities.
- Respond quickly and effectively.
One of the most important things an organization can do is increase its resilience in the face of a cyber security breach. Resilience is the capacity to prepare for disruptions, recover from shocks and stresses, and adapt and grow from a disruptive experience. The best way to do this is to continually evaluate your exposures and communicate post-breach plans with all relevant stakeholders on a regular basis. The technology landscape is continually evolving, which means cyber risk management will only grow in importance going forward.