The cyber risk gap
As the number of digital transactions dramatically increases, so does the risk and likelihood of cyber-attack. This means that organisations handling large amounts of sensitive data are more likely to become targets of hackers who are looking to exploit this information which is stored within corporate networks. As a result, businesses find themselves increasingly exposed to what is referred to as a ‘Cyber Risk Gap’ caused by a combination of factors, outlined below.
Today you are a target of opportunity and a target of choice - it just depends on the day
There are countless ways for threat actors and hackers to penetrate Corporate IT systems, with the potential to cause considerable damage to businesses located anywhere in the world. Malicious attacks, such as ransomware, were prolific throughout 2017, one of the most notable being WannaCry. However, even with all the public furore around WannaCry, we know that thousands of organisations still run the majority of their computers on outdated operating systems, which nearly triples the chance of a data breach.
Following WannaCry, we released a report titled “A Growing Risk Ignored: Critical Updates”, which analysed more than 35,000 companies from industries around the globe looking specifically at the use of outdated computer systems and practices and the correlation to data breaches. We found that there are large gaps in asset management programmes and that organisations clearly need to be more vigilant about limiting their attack surface in order to more rapidly address exploitable vulnerabilities.
And just to add to this, while we are made aware of high-profile attacks, like WannaCry, this is really just the tip of the iceberg. There are many other forms of malware for sale that lurk in the shadows of the deep and dark web (DDW) that go unreported. According to Carbon Black’s ‘The Ransomware Economy’ report, there were more than 6,300 dark web marketplaces selling ransomware, with 45,000 product listings in 2017.
What these trends show is that cybercriminals are exploiting opportunities to enter the ransomware market and obtain malicious methods of attacking businesses that are easily deployable and offer attractive returns on investment. It shows that cybercrimes continue to pose a growing problem for organisations. The fallout from some of these threats are publicised and receive extensive media coverage, but many go unreported. Often it is too late for businesses with outdated operating systems and browsers to do anything about it. Companies need to take a more proactive approach to updating their systems, as we will no doubt see even larger attacks again in the future. Boards are now waking up to the fact that cyber security is not just a technology issue anymore, it is a business risk too.
Expansion of the Digital Supply Chain
Compounding this issue is the fact that organisations are doing business with more vendors than ever before — their ecosystems are expanding to include third and fourth parties. This means organisations are taking on the risk of potentially hundreds to thousands of business partners. Third and fourth parties are liabilities because they can access your IT network. As the supply chain fragments, it has become much easier to do business online. However, the downside is that businesses are at a greater risk of exposure to insecure supplier networks.
Most organisations handle this with a cyber risk assessment process that is labour intensive, qualitative in nature and unable to scale. When creating a risk management strategy, it’s important to have assessment processes in place that can scale to meet the growing number of vendors that work with your business. Traditional approaches to threat assessments, such as penetration tests and questionnaires, tend to be qualitative and episodic. They are only able to analyse risk at a certain point in time. While an important part of the risk management process, these labour-intensive activities are unable to scale to meet the volume and timing requirements of the current risk environment.
Regulatory environment that focuses the mind
The impact of regulation very much depends on the industry sector, but most organisations will be subject to some kind of regulation, and often this is not taken into consideration from a cyber-risk perspective. Regulations that encompass all industries, such as General Data Protection Regulation (GDPR) which comes into force on 25th May this year, will need to be part of any organisation’s cyber risk management programme. In fact, Article 32 in the GDPR states that organisations that collect personal data must have rigorous due diligence processes to ensure that appropriate controls are in place before sharing data with third parties.
It is critical that organisations put into place assessments that are qualitative, quantitative, and continuous. While proactively mitigating risk, it’s crucial to have a standard measurement tool when looking at both internal and third-party risk. Here at BitSight we help organisations transform how they manage information security risk. The BitSight Security Ratings Platform applies sophisticated algorithms, producing daily security ratings, to help manage third party risk, underwrite cyber insurance policies, benchmark performance, conduct M&A due diligence and assess aggregate risk.
Well-known, independent analyst firms are in agreement. According to Gartner, 80% of security risk management leaders are being asked to present to senior executives on the state of their security and risk programme and 75% of Fortune 500 companies are now expected to treat vendor risk management as a Board level initiative to mitigate brand and reputation risk. And Forrester is recommending that CISOs gain a deeper understanding of Security Ratings, “as companies look to improve how they handle and mitigate third and fourth party risks, security ratings and other third-party risk intelligence services take centre stage.”
In today’s uncertain environment, the Board is requesting updates more than once a year and this has led to the emergence of security committees. As a result “risk” is now a permanent Boardroom agenda item and one that will gain a lot of scrutiny from senior executives going forward. So make sure that you have your cyber-risk gap covered.
Tom Turner, CEO, BitSight