Security By Design - Part 3


At the end of my last post, I promised to provide visibility into categories and types of risk, and to provide emphasis on Cyber Risks and their systemic interconnectedness with and potential impacts on business operations. This will take more than a single blog post.

The most important consideration to fully embrace in understanding Risk to your Business today is that Digital and Information Technology Systems are the lifeblood of your business.  Even the simplest “mom and pop business” utilizes information technology, online tools, and services today.

Cyber Insecurity creates the opportunity for Business Interruption

Cybersecurity is a Business Decision

To start, let’s first explore categories of risk to your business.

  • Strategic Risks
  • Operational Risks
  • Financial Risks
  • Hazard Risks

Strategic risks are the things that can harm your business in a manner that impedes your business’s ability to achieve its strategic goals and objectives.
Operational risks are the things that can prevent your business from carrying out day-to-day operational activities in either small or large ways.
Financial risks are the things that have the potential to harm your business’s financials.
Hazard risks can harm your business’s physical assets, employees, and contractors.

Every business faces a large list of risks in each of these categories.

Strategic Risks

  • Political
  • Economic
  • Regulatory
  • Market
  • Reputation
  • Leadership
  • Brand
  • Customer
  • Mergers & Acquisitions
  • Etc.

Operational Risks

  • Human Resource
  • Business Process
  • Technology
  • Supply Chain
  • Business Continuity
  • Channel Effectiveness
  • Customer Satisfaction
  • Health and Safety
  • Environment
  • Product and Service
  • Efficiency
  • Capacity
  • Compliance
  • Etc.

Financial Risks

  • Volatility
  • Currencies
  • Interest Rates
  • Commodities
  • Credit
  • Liquidity
  • Market
  • Compliance
  • Legal
  • Etc.

Hazard Risks

  • Natural Disasters
  • Terrorism
  • Shooter Events
  • Insurable Liabilities
  • Impairment of Assets
  • Health / Pandemic
  • Etc.

If you start to feel that risks surround your business, you are not alone.  James M. Kaplan et al., in their book “Beyond Cybersecurity: Protecting Your Digital Business”, provide an extensive account of how every company is surrounded by risk.

The risk your company faces is also not yours alone; it flows to and from your company throughout your extended business chain or value chain, including your suppliers, customers, and attackers.

The World Economic Forum “Global Risks Report 2023” (in partnership with Marsh McLennan and Zurich Insurance Group) continues to report year after year that widespread cybercrime and cyber insecurity are among the top ten Global Risks in the short term (2 years) and long term (10 years). WEF reports, “Alongside a rise in cybercrime, attempts to disrupt critical technology-enabled resources and services will become more common, with attacks anticipated against agriculture and water, financial systems, public security, transport, energy, and domestic space-based and undersea communications infrastructure.  Technological risks are not solely limited to rogue actors. Sophisticated analysis of larger data sets will enable the misuse of personal information through legitimate legal mechanisms, weakening individual digital sovereignty and the right to privacy, even in well-regulated democratic regimes.”

Business participants in this report rated the severity of Widespread Cybercrime and Cyber Insecurity as their fourth highest concern (rating Cost-of-Living, Natural Disasters and Extreme Weather, and Geoeconomic Confrontation as higher concerns).

Let’s get back to Cybersecurity and Cyber Insecurity: the Allianz Risk Barometer 2023 (prepared and published by the Allianz Global Corporate and Specialty Insurance company) reports that the #1 most important global business risk of concern to their clients is Cyber Incidents, including cybercrime, malware and ransomware causing system downtime, data breaches, fines, and penalties.

The Allianz Risk Barometer 2023 reports that Business Interruption is the most feared business risk, reflecting ongoing concern for the disruption caused by ransomware attacks, IT system and cloud outages, and the threat of cyber war. “Severe Business Interruption can result from a wide range of cyber-related triggers, including malicious attacks by criminals or state-backed hackers, human error, or technical glitches. According to Allianz’s analysis of cyber-related insurance industry claims that it has been involved with over the past five years, Business Interruption is the main cost driver for 57% of claims globally and is a significant driver for the rising severity of claims, including from ransomware attacks, which have proliferated in recent years.  Hackers increasingly target both digital and physical supply chains providing opportunities to simultaneously attack multiple companies and gain additional leverage for extortion.  Cyber Business Interruption exposures are also growing with the trend for digitalization, as companies introduce new technology and live with the legacy of aging IT infrastructure and software.”

Cyber Insecurity / Cybercrime-triggered Business Interruption is the most feared of all Risks.

Cyber Insecurity / Cybercrime-enabled Business Interruption is the most feared of all Business Risks today because of the pervasive and persistent integration of digital and information technology systems within and between our business partners, customers, suppliers, employees and their families. The physical infrastructures supporting our businesses include electrical grids, water supplies, transportation systems and networks (trains, planes and automobiles), food sources and supplies, etc.  There is no aspect of our business and personal lives that is not Cyber interconnected today.

Cyber Connectedness is Pervasive

Cyber Business Interruptions, as a result, are Pervasive and Impactful.

Risk is an integral part of any business.  Risk is also an essential part of any business investment decision.

Risk + Investment should yield Desired Business Outcomes.

Thus: Cybersecurity is a Business Decision

This is why in my last blog post, I asked you to consider two questions:

  1. How much security do you need?
  2. As a business, what can you live without?

I also suggested that you could ask yourself a series of questions to help wrap your mind around “risk event triggered” loss with these questions:

  • Can your business survive a complete shutdown of business operations for one day?
  • Can your business survive a complete shutdown of business operations for seven days?
  • Can your business survive a complete shutdown of business operations for 14 days?
  • Can your business survive a complete shutdown of business operations for 21 days?
  • Can your business survive a complete shutdown of business operations for 28 days?

Also, as you consider the answers to these questions, you will most likely begin to “qualify” your answers in terms of “impacts” to your business or parts of your business.

In my next blog post, I will introduce the notion that we are all Risk Managers, taught by our parents and caregivers from birth.  I will also share perspectives on understanding Threats and creating a Threat Catalog.  This will set the stage to discuss how you may make decisions about how much security you need and, as a business, what you can live without. Along the way, I promise to further explore the emerging risk management model utilizing a fully integrative approach to identifying risk from a corporate director’s and senior leader’s perspective, which can be found in the DIRECTOR™ and RISCX™ Models.

Feedback and comments are welcome, as well as any specific Cybersecurity or Cyber Insecurity topic you might want me to comment upon.

Joseph F. Norton is a Risk, Security, and Crisis Management professional.

He is a founding member and Qualified Technology Executive of the Digital Directors Network, Chair of the Advisory Board with Next Era Transformation Group, and Chief Security Officer with APF Technologies.

He has served as Chief Security Officer, SVP at Atos, Chief Technology Officer and Head of Operations, SVP at Philips, Chief Technology Officer, SVP at Novartis, Executive-in-Residence with McKinsey & Company, and Chief Technology Officer at McDonald’s.  He has also held professional roles during his career with JPMorgan Bank, Oracle, Sybase and Grumman Aerospace Corporation, and the United States Navy.

DISCLAIMER

Copyright ©2023 by DivIHN Integration Inc.

The creator of the document reserves all rights. Publication Date: July 2023. DivIHN Integration Inc. reserves the right to change the contents of this article, the features or the scope without the obligation to notify anyone of such changes. The content has been adapted using secondary research from various data points via “Google Search”. Infographics and Images used in the document are the property of the respective owners and have been used for indicative purposes only. The author reserves the right to authorize and use the Intellectual Property contained in the document.