
January 25, 2023

Cyber risk management: What it is and why it's important


In a study conducted by Forrester, fewer than half of the IT security leaders surveyed could measure or quantitatively understand their organization's level of risk, and only 51% of the 400 heads of security surveyed could identify their organization's level of risk from a business perspective.

Before diving into why these statistics are problematic, we should first look at what terms like risk management, measuring risk, and reducing risk really mean. Unfortunately, risk management is often treated as something theoretical, rather than as a measurable business quantity that organizations should strive to identify, quantify, and reduce.

What is cyber risk management?

In looking at several definitions of risk management, we settled on one:

Risk management is the process of identifying, assessing, and controlling threats to an organization's capital and earnings. These risks stem from a variety of sources, including financial uncertainties, legal liabilities, technology issues, strategic management errors, accidents, and natural disasters.

Many cybersecurity professionals struggle to place a value on systems, litigation costs, brand damage costs, ransomware costs, data loss costs, compliance penalties, and all the other variables that can arise from a cyberattack.

However, just as financial analysts try to predict the expected return on an investment from concrete variables, cybersecurity professionals should work with the rest of the organization to place a value on company assets and on the impact a cyberattack could have on those assets.

A successful cyber risk management program helps an organization consider the full range of cybersecurity-related risks it faces. It should also look at the relationship between those identified risks and the impact they could have on the company's success.

Why cyber risk management is a challenge

In another study, Forrester surveyed 410 professionals responsible for identifying and managing risk and compliance, working at companies in the U.S., UK, Australia, and New Zealand, with more than $500 million in annual revenue.

Forrester found that these organizations recognize that being able to proactively identify and mitigate risks in real time is critical for resilience, especially in a world of increasing risk and complexity. Yet 42% of the surveyed risk and compliance decision-makers said they improvise on risk management.

"We don't manage risks so we can have no risk. We manage risks so we know which risks are worth taking, which ones will get us to our goal, which ones have enough of a payout to even take them," said Forrester Research senior analyst Alla Valente, a specialist in governance, risk, and compliance.

The goal can't be to eliminate all risk but to understand your tolerance for risk and align with that.

Aligning security and business objectives

Travelers, the global insurance behemoth, offers cybersecurity insurance coverage for cyberattack losses. The organization conducted its own survey asking executives about their cybersecurity best practices.

These are some key takeaways:

  • 51% purchased a cyber insurance policy (up from 39% the previous year)
  • 49% executed a risk assessment across their IT infrastructure (up from 45%) and 41% did so also for their vendors (up from 37%)
  • 74% updated their computer passwords (up from 71%)
  • 47% created a business continuity or disaster recovery plan in the event of a cyberattack (up from 38%)

These numbers are positive as they're all trending upward, making it clear that cybersecurity is becoming a business priority.

However, additional research from Forrester found that just 40% of security leaders can answer with a high level of confidence: "How secure, or at risk, are we?"

Heather Vallis, a principal consultant at Forrester who led this project, says 66% of business leaders were, at best, only somewhat confident in their security team's ability to answer that question.

The core issue? "Business and cybersecurity strategies are seldom on the same page," Vallis says. "Strategies are created in a vacuum, security leaders have an incomplete view into enterprise assets, benchmarking is limited, and cybersecurity metrics often lack business-risk context."

Managing risk as a smaller business

As a cybersecurity company, we understand that security responsibilities are often time-consuming and difficult: patching, vulnerability assessments, penetration tests, configuring security products and firewalls, and combing through almost endless system logs leave little time to calculate risk.

This is especially true for smaller businesses that often have limited resources.

In fact, Electric surveyed senior business executives at U.S. organizations with under 500 employees to understand their cybersecurity maturity and assess their experiences with cyberattacks.

The researchers found that "limited cybersecurity resources are a leading risk factor in small businesses becoming a target, so it is concerning that just one-third have access to dedicated cybersecurity specialists. Outsourcing to an external security company is a popular choice as these providers have a deep bench of diverse talent or access to third-party specialists."

Start by understanding common cyber risks

Phishing is the tactic of choice for most cybercriminals. The Electric survey above found that most business leaders (83%) have received a phishing email. 81% say others at their company have been targeted. 

Ransomware is another common occurrence among survey respondents. 26% of organizations have been targeted with ransomware, of which 60% paid the ransom involved.

In total, 47% of small businesses fell victim to cyberattacks last year, with phishing, password hacking, and adware the most common.

Not only is the frequency of cyberattacks on the rise, but the tactics used are becoming increasingly sophisticated. As more businesses—small and large—transform digitally, the attack surface is growing. Without the right defence measures in place, even minor breaches can quickly snowball into large attacks with equally large impacts.

Relying on a cybersecurity partner

Cyber risk management includes calculating the expected financial damage from attacks and the return on security investments. To manage risk effectively, an organization needs to find the level of security investment that protects it without financially draining it.

That balance may change depending on the organization itself, the costs of security technology, and more. What won't change, however, is that an organization’s cyber risk should be a boardroom priority.
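To make "expected financial damage" and "return on security investment" concrete, here is a small worked example. It is added here and is not code from the article or from Field Effect; it uses the standard annualized loss expectancy model (ALE = single loss expectancy × annual rate of occurrence) and the usual return-on-security-investment ratio, ROSI = (ALE before − ALE after − annual cost of the control) / annual cost. Every risk, loss figure, control cost and effectiveness percentage below is constructed for illustration, not taken from any survey cited on the page.

```python
"""Worked cyber-risk example (added illustration, not from the article).

Model assumptions, all constructed:
  ALE  = SLE * ARO            annualised loss expectancy per risk
  ROSI = (ALE_before - ALE_after - cost) / cost
Controls are evaluated one at a time; combining controls is not simply additive
and is deliberately out of scope here.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: expected cost of one incident
    aro: float  # annualised rate of occurrence (incidents per year)

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # fractional reduction in ARO for each named risk (0.0 .. 1.0)
    aro_reduction: dict = field(default_factory=dict)


def total_ale(risks: list[Risk]) -> float:
    """Expected annual loss with no additional controls in place."""
    return sum(r.ale for r in risks)


def residual_ale(risks: list[Risk], control: Control) -> float:
    """Expected annual loss after applying one control to every risk it affects."""
    return sum(r.sle * r.aro * (1.0 - control.aro_reduction.get(r.name, 0.0))
               for r in risks)


def rosi(risks: list[Risk], control: Control) -> float:
    """Return on security investment for a single control."""
    saved = total_ale(risks) - residual_ale(risks, control)
    return (saved - control.annual_cost) / control.annual_cost


def rank_controls(risks: list[Risk], controls: list[Control], budget: float):
    """Controls affordable within the annual budget, best net benefit first.

    Returns (name, net_annual_benefit, rosi) tuples. A control whose cost
    exceeds the budget is excluded; a control with negative net benefit is
    kept so the reader can see that it is not worth buying.
    """
    rows = []
    for c in controls:
        if c.annual_cost > budget:
            continue
        saved = total_ale(risks) - residual_ale(risks, c)
        rows.append((c.name, saved - c.annual_cost, rosi(risks, c)))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


# Constructed sample data for a small business (illustrative figures only).
RISKS = [
    Risk("phishing-led BEC", sle=50_000.0, aro=0.8),
    Risk("ransomware", sle=400_000.0, aro=0.25),
    Risk("laptop theft", sle=5_000.0, aro=2.0),
]

CONTROLS = [
    Control("phishing-resistant MFA", 30_000.0,
            {"phishing-led BEC": 0.9, "ransomware": 0.4}),
    Control("managed detection and response", 60_000.0,
            {"ransomware": 0.7, "phishing-led BEC": 0.5}),
    Control("full-disk encryption", 4_000.0, {"laptop theft": 0.95}),
    Control("biometric turnstiles", 120_000.0, {"laptop theft": 0.5}),
]

if __name__ == "__main__":
    print(f"ALE with no new controls: {total_ale(RISKS):,.0f}")
    for name, net, r in rank_controls(RISKS, CONTROLS, budget=100_000.0):
        print(f"{name:32s} net benefit {net:>10,.0f}  ROSI {r:5.2f}")
```

With the constructed figures the baseline ALE is 150,000, the MFA control has the highest net annual benefit (46,000) even though MDR removes more loss in absolute terms, and the turnstile option is dropped by the budget filter. The point of the exercise is the one the article makes: the numbers let a security lead argue for a specific spend in the board's own terms, rather than for "more security" in the abstract.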

The good news is you're not alone. Field Effect offers a variety of cybersecurity solutions and services to help businesses reduce risk and increase security. Covalence, our managed detection and response solution, holistically protects businesses by addressing active threats and vulnerabilities that increase risk.

Ready to effectively manage your cyber risk? Learn more about Covalence today.