Security By Design- Part 3

Strategic Risks

• Political
• Economic
• Regulatory
• Market
• Reputation
• Leadership
• Brand
• Customer
• Mergers & Acquisitions
• Etc.

If you start to feel that risks surround your business, you are not alone.  James M. Kaplan et al. l, in their book “Beyond Cybersecurity, Protecting Your Digital Business”, provides extensive exposure to how every company is surrounded by risk.

The risk your company faces is also not yours alone; it extends and is extended to your company from throughout your extended business chain or value chain, including to and from you and your suppliers, customers, and attackers.

The World Economic Forum “Global Risks Report 2023” (in partnership with Marsh McLennan and Zurich Insurance Group) continues to report year after year that widespread cybercrime and cyber insecurity are among the top ten Global Risks in the short term (2 years) and long term (10 years). WEF reports, “Alongside a rise in cybercrime, attempts to disrupt critical technology-enabled resources and services will become more common, with attacks anticipated against agriculture and water, financial systems, public security, transport, energy, and domestic space-based and undersea communications infrastructure.  Technological risks are not solely limited to rouge actors. Sophisticated analysis of larger data sets will enable the misuse of personal information through legitimate legal mechanism, weakening individual digital sovereignty and the right to privacy, even in well-regulated democratic regimes.”

Business participants in this report rated the severity of Widespread Cybercrime and Cyber Insecurity as their fourth highest concern (rating Cost-of-Living, Natural Disasters and Extreme Weather, and Geoeconomic Confrontation as higher concerns).

Let’s get back to Cybersecurity and Cyber Insecurity: the Allianz Risk Barometer 2023 (prepared and published by the Allianz Global Corporate and Specialty Insurance company) reports that the #1 most important global business risk of concern to their clients is Cyber Incidents, including cybercrime, malware and ransomware causing system downtime, data breaches, fines, and penalties.

The Allianz Risk Barometer 2023 reports that Business Interruption is the most feared business risk, reflecting ongoing concern for the disruption caused by ransomware attacks, IT system, and cloud outages, and the threat of cyber war. “Severe Business Interruption can result from a wide range of cyber-related triggers, including malicious attacks by criminals or state-backed hackers, human error, or technical glitches. Allianz’s analysis of cyber-related insurance industry claims that it has been involved with over the past five years, Business Interruption is the main cost driver for 57% of claims globally and is a significant driver for the rising severity of claims, including from ransomware attacks, which have proliferated in recent years.  Hackers increasingly target both digital and physical supply chains providing opportunities to simultaneously attack multiple companies and gain additional leverage for extortion.  Cyber Business Interruption exposures are also growing with the trend for digitalization, as companies introduce new technology and live with the legacy of aging IT infrastructure and software.”

Cyber Insecurity / Cybercrime triggered Business Interruption is the most feared of all Risks.

Cyber Insecurity / Cybercrime enabled Business Interruption is the most feared of all Business Risks today because of the pervasive and persistent integration of digital and information technology systems within and between our business partners, customers, suppliers, employees and their families. The physical infrastructures supporting our businesses include electrical grids, water supplies, transportation systems and networks (trains, planes and automobiles), food sources and supplies, etc.  There is no aspect of our business and personal lives which are not Cyber interconnected today.

Cyber Connectedness is Pervasive

Cyber Business Interruptions, as a result, are Pervasive and Impactful.

Risk is an integral part of any business.  Risk is also an essential part of any business investment decision.

Risk + Investment should yield Desired Business Outcomes.

Thus: Cybersecurity is a Business Decision

This is why in my last blog post, I asked you to consider two questions:

1. How much security do you need?
2. As a business, what can you live without?

I also suggested that you could ask yourself a series of questions to help wrap your mind around “risk event triggered” loss with these questions:

• Can your business survive a complete shutdown of business operations for one day?
• Can your business survive a complete shutdown of business operations for seven days?
• Can your business survive a complete shutdown of business operations for 14 days?
• Can your business survive a complete shutdown of business operations for 21 days?
• Can your business survive a complete shutdown of business operations for 28 days?

Also, as you consider the answers to these questions, you will most likely begin to “qualify” your answers from your perspective of “impacts” or impacts to your business or parts of your business.

In my next blog post, I will introduce the notion that we are all Risk Managers, taught by our parents and caregivers from birth.  I will also share perspectives on understanding Threats and creating a Threat Catalog.  This will set the stage to discuss how you may make decisions about how much security you need and, as a business, what you can live without. Along the way, I promise to further explore the emerging risk management model utilizing a fully integrative approach to identifying risk from a corporate director’s and senior leader’s perspective, which can be found in the DIRECTOR™ and RISCX™ Models.

Feedback and comments are welcome, as well as any specific Cybersecurity or Cyber Insecurity topic you might want me to comment upon.