Cyber Threats - Strategic and Operational Risks

The cyber threats we experience today have become frequent, complex and challenging. As such, their impact on organizations have increased substantially. Today’s impact is what has driven cyber risks and cybersecurity into the executive suite, and to become a frequent top for discussion at the board level. Many boards have taken a much more active role in their organization’s cybersecurity assessments, monitoring, defenses and response to attacks. All of this has led many organizations to determine that the risks they face from cyber today are both strategic and operational. 

A strategic cyber risk is generally defined as an area or areas of strategic importance within an organization’s strategy that could be impacted by a cyberattack, for example, competitive advantage or trade secrets. Top management consulting firms have recommended that organizations sharpen their strategic risk management capabilities. That is easier said than done. Many board members do not truly understand cyber risks.

An operational cyber risk is defined as potential interruptions and distractions that result in losses. Organizations are struggling with this type of risk each and every day. These are by far the most frequent types of events cyber security professionals have run into over the last few years. Human error, system and software flaws and criminal activity are just a few of the many operation cyber risks organization must face.

While the direct financial implications of these two types of risks are significant, there are other risks that are equally as concerning. Stop and think for a moment about the reputational damage an organization experiences following disclosure of a large breach or cyberattack. Add all of that to the financial damage if the organization is knocked off-line and cannot transact business or their operational data is encrypted and cannot serve their customers. We should not forget the regulatory fines that typically occur following a successful cyberattack. All of this adds up and takes its toll on an organization.

Given there are multiple reports that 60 percentage of small and medium size businesses go out of business within six months of a successful attack, it is easy to see why cyberattacks are a strategic risk. Last year, Forbes online published a study that showed a cybercrime incident in the United States costs a company an average of $15.4 million. Incidentally, that is up nearly 20% from the previous analysis. One has to wonder what the increase for 2016 will be!  By the way, ransomware attacks have to be a growing portion of that figure. Given the substantial increase in ransomware attacks that encrypt the organizations data and makes it unusable at least for a short time, the operational definition fits for this risk. I found it interesting that one mid-market organization was in consultation with the legal team about setting up a cryptocurrency account so that they would be ready to pay the ransom demands of future attacks. 

Stop and consider the implication on your organization if you experienced that magnitude of cybercrime impact. Would you get demoted, replaced or just out and out lose your job? Today, considering cyberattacks as both a strategic and operational risk is essential for CSOs and CISOs. With that in mind, it is easy to see why cybersecurity and cyber risks management issues are now on the minds of senior executives. They want hard facts and figures about the way you assessed the strategic and operational risks. As CSOs and CISOs work to develop their cybersecurity strategies, it is essential you keep in mind the increased visibility at the senior most levels of the company. Once the strategy is set, the CSOs and CISOs must also keep all of this in mind as they design, implement and operate their controls and cyber defenses. Using the strategic and operational modeling of your cyber risks positions you to properly present the risks to your executives and board members. It is highly recommended that you start these efforts today. After all, you can’t tell when the call will come to present your strategy for mitigating cyber risks to your executives or before the board of directors!