Note: Saya Contributing Writer Mark Shriner is based in Tokyo, Japan. He is the Country Manager of adaQuest, a Microsoft Cybersecurity & Compliance Partner. This article presents his thoughts on the subject of cyber risk and business risk.
Many organizations continue to view cybersecurity solely as a risk to their IT assets and data, and thus the responsibility of their IT team. However, it is becoming increasingly common to take a broader view of cybersecurity and cyber risk. Over the last few years many companies have started to view cyber risk as business risk.
This matters because when cyber risk is treated as an IT risk, responsibility for protecting digital and IT assets is often siloed within the IT and/or compliance teams. The most effective way to reduce cyber risk is to treat it as a risk to the entire enterprise and to foster a corporate culture that prioritizes cybersecurity.
Cyber risk can be defined as the potential damage, loss, or business interruption caused by some type of cyber threat. A cyber threat is anything that can cause damage or loss to an organization by exploiting a vulnerability in its IT systems.
Traditionally, companies focused on damage to the IT systems themselves, which could disrupt business operations or cause the loss of data. In reality, cyber risk covers much broader and potentially longer-lasting problems.
In addition to operational risk (the inability to operate mission-critical and business-critical systems), companies also face reputational risk as well as legal and compliance risk.
Reputational risk and damage can be difficult to measure precisely, but it can lead to, and include, a loss of customers, lower employee morale, increased employee turnover, and lower company valuations.
For example, a consumer poll conducted by BrandIndex showed that the retail giant Target suffered a 54.6 percent drop in consumer perception during the 12 months following its 2013 breach, which resulted in the loss of credit card information for 41 million customers. What that equated to in lost sales is hard to quantify, but it was surely substantial.
Compliance and legal risk can be easier to quantify, because fines and settlements are stated in specific monetary amounts. In the Target case above, the company paid a multi-state settlement of $18.5 million in 2017 for the 2013 breach.
Additional examples of compliance risk include the €50,000,000 fine that Google Inc. was assessed on January 21, 2019 by the French data protection authority (CNIL) under GDPR, and the ICO's announced intention to fine British Airways €204,600,000 under GDPR for inadvertently allowing its website to divert visitors to a bogus website set up by attackers to steal customer data.
When the potential damage to business operations, morale, and customer loyalty is considered alongside potential fines and settlement costs, it is easy to see that cyber risk is really business risk, and something that corporate leadership, employees, shareholders, and even customers should be aware of and concerned with.
In my next article, I talk about some non-technical steps companies can take to mitigate cyber risk and reduce their exposure to potential cyber threats.
Saya University is on a global mission to ensure every employee in the world has access to the tools that will heighten cybersecurity knowledge. When a company is serious about protecting its organization against cyber-attacks, it will invest in cybersecurity learning for all its employees. With over 7 billion people on planet Earth, we have a lot of work to do. Our multi-language e-Learning platform offers the world's most cutting-edge knowledge in cybersecurity, data privacy and compliance, all in one place. Curating and producing relevant content, our learning platform will begin in Los Angeles and Tokyo, expanding into Asia Pacific (APAC), Latin America (LATAM) and Africa. Join the movement. Our 3rd Cybersecurity Awareness & Diversity Summit will take place in Japan in 2020. (The Tokyo Summit)