According to the Global Risk Report of 2021 by the World Economic Forum (WEF), cyber risk challenges ranked fourth in the list of most pressing dangers the global economy faces today. More and more firms face IT incidents and breaches, with the average cost of a data breach being around $3.86 million in 2020 and taking 280 days on average to identify and mitigate.

The COVID-19 pandemic and the resulting shift towards cloud and remote work has heightened the potential vulnerabilities in IT and cybersecurity infrastructure, processes, and systems.

Today, employees of a single organization are spread across the globe, often logging into their work systems from unsecured or even public networks. Moreover, the enterprise today is extended, and most organizations work with multiple external vendors, suppliers and other third parties, thus opening up a new avenue for a range of IT risks and cyber risks to enter the system.

In this article, we provide a holistic overview of IT risk and cyber risk, elaborating on the definition, the need for organizations to manage them, the different IT cyber risks and vulnerabilities affecting firms, and the regulations and standards followed. We also discuss the best ways to create a robust framework protecting against IT risks and cyber risks, the role of a CISO in mitigating IT risks and cyber risks, and the best practices an organization can follow to stay ahead in this scenario.

What is IT & Cyber Risk?

PwC defines cyber risk in the following terms: “Cyber risk is any risk associated with financial loss, disruption, or damage to the reputation of an organization from failure, unauthorized or erroneous use of its information systems.”

Expanding on this definition, the risk from an IT or cyber breach extends beyond monetary and data losses and today encompasses risks to productivity, intellectual property, and more.

IT risk and cyber risk can arise from both external and internal sources. Common external threats such as malware, ransomware, distributed denial-of-service (DDoS) attacks, and phishing all contribute to cyber risk. Internal sources such as malicious insiders and mistakes by employees and third parties can also be a source of IT risk and cyber risk.

To mitigate cyber risks, the IT and cybersecurity functions work as the core of a business entity's data security strategy. The IT component safeguards data and information systems. For example, the controls put in place for information security prevent anyone without authorization from modifying or stealing sensitive business information. This helps an organization mitigate and manage both external and internal cyber risks.

Why is it Important for Organizations to Take Steps to Mitigate IT Risk and Cyber Risk?

As business entities rely more on technology and the internet, IT risk and cyber risk have compounded, with attackers becoming more sophisticated in the tools they use. By taking steps to mitigate IT risks and cyber risks, an organization can:

  • Protect its Data: “Data is the new oil.” We have all heard this statement before. Data is the most important asset in the current technology-driven economic system. Having robust frameworks and policies for IT and cybersecurity protects sensitive data from theft, manipulation, and misuse. For example, many cyber attackers today use zero-day exploits to compromise organizational data, a recent example being the Microsoft Exchange Server data breach of 2021. Zero-day attacks are so called because they appear out of the blue, and failing to ensure information security in such cases can prove very costly.
  • Ensure Regulatory Compliance: Owing to numerous data breaches in critical sectors such as finance and healthcare, regulatory compliance regarding customer and client data has tightened in recent years. Devising and implementing IT and cybersecurity policies in alignment with pertinent regulations helps the organization to create a healthy business environment and prevents legal issues due to lapses in compliance. Indeed, for enterprises operating in the Banking and Financial Services sector, ensuring IT security is a basic compliance requirement.
  • Minimize Business Disruption and Economic Losses: The economic costs of inadequate IT and cybersecurity coverage are staggering. McAfee pegs the loss due to cybercrimes to the global economy currently at around $1 trillion. Organizations lose significant business due to downtime and disruptions caused by IT and cyber breaches. Investing in IT and cybersecurity is mandatory to ensure business continuity and operations.
  • Minimize Reputation Losses: Reputation is the holy grail on which businesses thrive. According to a report by Forbes, as many as 46% of organizations were affected in terms of damage to their reputation on account of data breaches. This figure increases when third-party security breaches are also accounted for, highlighting their interconnected nature. Thus, businesses need to consider IT and cybersecurity in terms of upholding reputation and brand image, and the subsequent effect that this has on their revenues. This intangible component is also the most commonly overlooked aspect of IT security today.

What are the Common IT & Cyber Risks and Vulnerabilities Affecting Business Entities?

The risks and vulnerabilities associated with IT and cybersecurity are getting increasingly sophisticated and the traditional means of anti-virus software and firewalls are no longer sufficient to provide required safeguards.

User behavior is cited as a major vulnerability where the use of unsecured networks and devices and poor end-point visibility create easy entry points for cyber attackers leading to breaches such as account takeovers and Man-in-the-middle attacks. Further, social engineering attacks such as phishing and spear phishing account for a significant portion of cyber risks.

Once an infiltrator gains unauthorized access, disruption follows through denial-of-service and distributed denial-of-service attacks or through the installation of ransomware, the most severe recent example being the REvil attack on Kaseya VSA in July 2021. Attacks of this variety are classified at the level of APT 10, advanced persistent threats of extreme severity. An analogy would be the constant exposure to gunfire in an open war zone.

What are the Guidelines and Compliance Standards for Ensuring IT & Cyber Compliance?

Regulations and compliance standards are usually industry-specific, such as HIPAA (Health Insurance Portability and Accountability Act) for healthcare and PCI-DSS (Payment Card Industry Data Security Standard) for the BFSI and retail sectors. The following guidelines by ISO and NIST cover a range of industries and serve as the basis for ensuring IT and cybersecurity compliance.

ISO 27001: ISO 27001 is part of the International Standards Organization (ISO) ISO/IEC 27000 series that deals with standards for information security. ISO 27001 specifically centers around enabling the framework for information security through an Information Security Management System (ISMS). The core of the framework focuses on risk identification, assessment, and treatment through the implementation of security safeguards. For example, it includes physical controls such as using CCTV and alarm systems in the organization.

NIST Cybersecurity Framework (CSF): The NIST CSF takes a proactive approach and helps build a strong cybersecurity posture through its five core functions: identify, protect, detect, respond, and recover. Each of these functions has categories and subcategories as well as informative references. For example, under the “identify” function, Asset Management is a category, and the inventory of physical devices and systems within the organization is a subcategory. Further, NIST CSF has four implementation tiers that serve as benchmarks for organizations.

NIST SP800-53: This NIST framework provides a list of standards and guidelines for information systems in operations, management, and technical domains. These guidelines are multi-tiered, classified into low, moderate, and high controls based on the risk impact. It also introduces baselines that can act as starting points for organizations to secure their information systems and infrastructure.

SOC 2: SOC 2 is applicable to all technology service providers and highlights the criteria for information security specifically focusing on the safety and privacy of customer data. This framework is based on five trust principles which include security and availability along with processing integrity, confidentiality, and privacy.

How do I Create a Robust IT & Cyber Risk Mitigation Framework?

The first step towards developing a robust IT and Cyber risk mitigation framework is understanding that the domain itself is ever-changing. Sporadic attacks of the past originating from the Dark Web have now been replaced by structured, state-sponsored attacks with the very specific aim of causing establishments to collapse. With that context in mind, cybersecurity is a business priority and is no longer in the domain of the IT team alone. Therefore, a good cybersecurity and information security framework takes into account every individual within the organization, the context of the organization itself, and the landscape of threats and risks surrounding it. Then, it uses this context to suggest cybersecurity best practices in ways that are unobtrusive to business as usual.

Specifically, here are the steps that can be followed to create a robust IT and cybersecurity framework:

  • The Core of the framework defines the organization’s current cybersecurity posture and recommendations for where the organization needs to be. Insights are derived from various internal and external stakeholders to come up with the Core. For example, an organization that works with multiple external vendors exposes itself to a greater risk of data pilferage and must therefore have stronger protocols in place to prevent such incidents from happening.
  • The Implementation Tiers take this process to the execution stage. For example, Tiers help define which assets serve as the organization’s Crown Jewels and must therefore be included in phase one of security coverage. Implementation Tiers also suggest the best practices to be followed on the basis of the organization’s risk appetite.
  • The Profiles within such a framework make up the third and final component of a robust cybersecurity framework. They set the vision for each department’s and function’s stake in cybersecurity, and how they can take the first step towards better coverage. It is often at the Profiles stage that organizations choose to make investments in tools and technology, or a SoCaaS model, to help them better manage their cybersecurity operations.

What is the Role of a CISO in IT & Cyber Risk Assessment and Compliance?

The Chief Information Security Officer (CISO) is the executive, usually at the leadership level, responsible for the development and implementation of all policies and procedures related to Information Security in an organization. One of the most important tasks taken up by them is measuring and managing IT risk and cyber risk.

Not all organizations have a dedicated CISO position, but the responsibilities of this position can be entrusted to executives in the same domain.

Core responsibilities of the CISO or lead Cyber Security executive include:

  • Ensuring end-to-end security strategy by contributing to its design and implementation including areas such as evaluation of the risk landscape, devising suitable policies, and facilitating compliance standards in the organization.
  • Creating and delivering training programs and workshops for employees to increase their awareness of risk and vulnerabilities and reduce the scope of human error.
  • Building resilience for systems and infrastructure within the organization in situations of crisis and disasters whereby disaster recovery along with business continuity is ensured. The CISO needs to establish strong channels for communication and superior methods for risk assessment and mitigation.
  • Ensuring the documentation of policies, programs, and best practices, their regular updating and dissemination across the organization, and the gathering of insights and feedback on them and their implementation.
  • Assisting in evaluating the tradeoff between business opportunity and security risk with new projects, clients, and partners by regularly communicating with the top management executives.

Depending on the organizational need, the CISO may also be required to take up additional functions such as coordinating with external providers including third-party vendors and suppliers, helping create an organizational culture geared towards security, and undertaking financial reporting in view of security as well as business goals.

What are the Best Practices to Ensure Effective IT & Cyber Risk Management?

There are several steps that can be taken by a CISO and their teams to ensure the effective mitigation and management of risks. Their role also entails gaining leadership buy-in to make cybersecurity a priority without any delay.

  • Gaining board and investor buy-in is often a significant factor in cybersecurity risk management. Since the best outcome for this practice is that ‘nothing happens’, several large organizations fail to see it as a larger business priority. Changing this outlook would play a major role in ensuring that all levels of the organization understand the risk landscape well.
  • Regular and periodic training of employees regarding security threats and protocols is the next step in ensuring organizational alignment with Cybersecurity risk mitigation. No assumptions must be made about user behavior, and all employees must be kept updated on the threats facing their organization, and the simple steps they can take to prevent an attack.
  • Often, several risks in this space can be managed well with the simple act of updating systems and endpoints on time. No security patch must be left out on any device, and any device behavior that is abnormal must be reported immediately.
  • Quantifying cyber risk in monetary value, so that it can be communicated in dollars and cents, brings the right perspective to cyber risk: boards and executives better understand their cyber risk exposure, and executive teams can prioritize cyber investments accordingly.
  • Adopting next-gen solutions with features such as intuitive dashboards and reports, assessments for managing IT risks and cyber risks, intelligent content libraries, and issue and remediation management helps organizations gain real-time visibility into IT risk and threat exposure. With contextual risk information across processes and assets, they can then adopt appropriate mitigation measures.

Frequently Asked Questions

The threat landscape has undergone significant changes in the last decade, and this change is only being accelerated further by the pandemic. As an example, ransomware as a service, or RaaS, is a fairly new concept. This operation is run by an elite, highly qualified team of hackers working for the State to identify opportunities to deploy extremely sophisticated attacks on unsuspecting organizations.

Information security and IT risk, access controls, and ensuring business as usual operation are the three fundamental priorities for a CISO today. In addition, keeping the board fully up to date on information security and cyber risk concerns is also a priority.

In terms of IT risk assessments, CISOs face a unique challenge. Large-scale migration of the workforce from one organization to the other is a reality today, and this means that information and access need to be provided and revoked at scale on a daily basis. Moreover, with workers placed remotely, sophisticated entity behavior analytics are necessary to ensure that any anomalies in behavior are immediately reported to a central database.

Both these priorities have a role to play in ensuring business continuity, as the smallest hint of a breach can cause ripple effects across departments, functions, and even in client systems.

Every industry has unique data security challenges. The healthcare industry has access to sensitive information which if stolen and made public can impact the individual’s privacy, as well as access to basic necessities such as insurance coverage. The eCommerce retail industry is growing extremely fast today and is therefore collecting large quantities of data about customers. A breach in such a system would expose nearly everyone on the planet to a cyber threat of some kind.

Likewise, the manufacturing industry has recently been on the receiving end of several targeted attacks that have brought down supermarket chains, halted global supply, and caused prices of some commodities to shoot up due to a shortage of supply.

Automation can help run information security processes at scale and free up the time and effort of human staff in running a 24x7 system. Automation in the context of User Behavior Analytics also adds a layer of impartiality to the process, a common issue with manual-only systems, particularly at scale.

Products such as the MetricStream IT and Cyber Risk Management and IT and Cyber Compliance Management empower organizations to adopt a focused, business-driven approach to managing and mitigating IT and cyber risks. IT security compliance with set regulatory standards is ensured at all times, including the creation and distribution of reports as appropriate, and helping the Information Security team stay abreast of changing compliance norms.

Cyber risk quantification is another powerful analytical tool that can drive actionable insights into risk exposure. Using powerful algorithms and building on models such as the FAIR® Model, CISOs can view their cyber risk in dollar terms.

MetricStream’s Advanced Cyber Risk Quantification and Simulation uses quantifiable mathematical modeling to help organizations accurately understand, analyze, and address their cybersecurity posture, enabling risk-informed cybersecurity investment and cyber risk management decisions. Organizations can measure, manage, and report cyber risk in monetary value, in actual currency terms. The tool, which is based on MetricStream Intelligence (an advanced analytical and AI engine that enables multiple scoring models and data science tools), allows the creation of multiple types of models and variables, unlike other offerings that focus only on the FAIR® risk quantification model.
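As an added illustration of the cyber risk quantification bullet above and of the FAIR-style “dollar terms” view just described, the following Python script (example code written for this article, not MetricStream's product or the FAIR standard itself) turns three-point estimates of threat event frequency, vulnerability, and loss magnitude into an annualized loss expectancy, both as a single-point estimate and as a Monte Carlo distribution. The scenario numbers are constructed for the example.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    """FAIR-style inputs as (min, most likely, max) three-point estimates.

    The values used below are constructed for illustration, not real data.
    """
    tef: tuple    # threat event frequency per year
    vuln: tuple   # probability that a threat event becomes a loss event
    loss: tuple   # loss magnitude per loss event, in dollars


def point_estimate_ale(s: Scenario) -> float:
    """Single-point annualized loss expectancy: LEF x LM from most-likely values."""
    return s.tef[1] * s.vuln[1] * s.loss[1]


def tri(rng: random.Random, lo: float, ml: float, hi: float) -> float:
    # random.triangular takes (low, high, mode); reorder from (min, most likely, max)
    return rng.triangular(lo, hi, ml)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: number of loss events in a year with expected rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(s: Scenario, years: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo ALE: sample loss event frequency and per-event losses per year."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        lef = tri(rng, *s.tef) * tri(rng, *s.vuln)       # loss events per year
        events = poisson(rng, lef)
        annual.append(sum(tri(rng, *s.loss) for _ in range(events)))
    annual.sort()

    def pct(q: float) -> float:
        return annual[min(int(q * years), years - 1)]

    return {"mean": sum(annual) / years, "median": pct(0.5),
            "p90": pct(0.9), "p95": pct(0.95), "max": annual[-1]}


# Constructed scenario (hypothetical numbers): phishing leading to data theft
PHISHING = Scenario(tef=(2, 6, 12), vuln=(0.1, 0.3, 0.6),
                    loss=(50_000, 400_000, 3_000_000))

if __name__ == "__main__":
    print(f"Point estimate ALE: ${point_estimate_ale(PHISHING):,.0f}")
    for name, value in simulate(PHISHING).items():
        print(f"{name:>6}: ${value:,.0f}")
```

The simulated mean sits well above the most-likely point estimate because the loss distribution is right-skewed; the p90 and p95 figures are what a board typically wants alongside the mean.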
