Information and communication technology (ICT) is everywhere in our personal and professional lives today and underpins most daily activity, from business and government to education and social life. The COVID-19 pandemic sharply increased that dependence, as many professionals shifted to working from home and schooling moved online.
This increased dependence on technology comes with a corresponding increase in cyber risk. Greater awareness and understanding of that risk and its potential impacts is fundamental to prioritizing, preparing for, and mitigating the vulnerabilities it creates. Awareness of related impacts, including "related, but unintended consequences," is an important part of these considerations as we navigate today's internet-connected world.
Internet of Things and Interconnected Devices Increase Efficiency and Risk
The Internet of Things (IoT) is the network of physical objects embedded with sensors, software, and other technologies to connect and exchange data with other devices and systems over the internet. The most common examples of IoT devices include cell phones, smart TVs and watches, as well as commercial security systems, and industrial traffic- and weather-monitoring systems.
IoT and internet-connected devices have given us enhanced connectivity, functionality, and an improved ability to gather information and automate tasks. The number of IoT devices is constantly increasing, with one estimate of 41 billion internet-connected devices by 2027. Given the convergence of our dependence on ICT and our emerging reliance on IoT, heightened awareness of cyber risk is critical to ensuring that the risks these technologies introduce do not outweigh the benefits they bring to the organizations we depend on, including employers, schools, and government.
Security is Paramount in the Connected World
As the world becomes ever more interconnected through advances in ICT and IoT, the measures we take to protect our operating environment must grow in step, guided by a security perspective that maximizes the benefits of networked technology while minimizing the harm that can arise from its use.
The following list represents just a few examples of how our enhanced ICT, IoT devices, and other information technology-enabled capabilities are just as vulnerable as they are beneficial.
In 2017, the failure to patch a two-month-old vulnerability led to a breach of a major U.S. credit bureau, resulting in the theft of private records of 163 million people and lawsuits seeking over $70 billion in damages.
In 2019, a ransomware attack called “LockerGoga” hit a Norwegian aluminum manufacturer, resulting in tens of millions of dollars in damages and forcing the company to revert to manual operations for many important functions globally.
From 2006 to 2018, in a campaign dubbed “Cloud Hopper,” threat actors alleged to be working for China’s intelligence services breached the networks of several major U.S. cloud service providers, enabling the exfiltration of sensitive data from more than 45 technology companies in at least a dozen U.S. states, as well as from U.S. government agencies.
Understanding Risk As a Foundation to Security
Since society will almost certainly keep adopting the latest technologies to make life easier and businesses more successful, we take on additional risk every time an IoT or information technology asset is put into use. Understanding that risk is crucial to mitigating it to an acceptable level and maintaining the security of the organizations we rely upon.
Cyber risk is defined as any risk of financial loss, disruption, or damage to an organization's reputation arising from operational failure, data loss, or unauthorized or erroneous use of its information systems. It is very common for organizations to overestimate their cybersecurity posture and accept risks for the sake of mission or business objectives. Knowing your cyber risks and your organization’s risk tolerance is critical, as is understanding how to prepare and allocate resources so that your exposure is mitigated appropriately, based on objective evidence rather than assumption.
How Can We Apply Risk Management to Do a Better Job of Cybersecurity?
Effective risk mitigation does not always require a technical solution. The common response of adopting the latest firewall or Security Information and Event Management (SIEM) tool may not be sufficient against cyber actors who evolve and adapt in step with the latest technologies. Addressing cyber risk is as much a business concern as a technology issue and warrants an organization-wide response that is not limited to the technology team.
Applying proper cyber risk strategies and governance helps your organization evolve. Once sound cyber risk management concepts are in place, the organization reduces the likelihood of a cyber event occurring and increases the probability of a successful response should an incident occur.
Understanding Cyber Resilience
Cyber resilience integrates cybersecurity with business and mission priorities so that organizations can make informed, prioritized cyber risk decisions in support of strategic and operational objectives. In most organizations, traditional risk management is compartmentalized rather than holistic. Cybersecurity activities need to be applied across the entire enterprise, from both a cyber architecture and a cyber hygiene perspective, and they must enable cybersecurity risk and resource decisions at every organizational level, informed and prioritized by business goals.
Cyber Resilience Requires Communication of Cyber Risk Data at All Organizational Levels
Each organization can be broken down into three tiers to understand its current state of cyber resilience, and cyber risk arises and impacts the organization differently at each one. At the top, the organization or enterprise view (Tier 1) encompasses executives and the decisions that affect the people, processes, and technology of the whole organization. Next, the business line or mission view (Tier 2) covers how people, processes, and technology carry out those organizational decisions. Finally, the project and systems view (Tier 3) focuses on individual information technology assets, the processes they support, and the people who use them.
Organizational View (Tier 1)
Senior leadership sets organizational and business priorities and ultimately owns risk and liability.
Executives must have a clear picture of enterprise cyber risk to enable a full range of actions (e.g., commit additional resources and communicate business risks to shareholders).
Business Line View (Tier 2)
Business line owners need technology that balances scale, speed, and security to carry out their business functions.
Business line owners need to understand the cyber risk implications of how they operate in order to make informed risk decisions and communicate them to organizational leadership.
Projects and Systems View (Tier 3)
Security teams must understand business objectives to prioritize IT security objectives accordingly.
Security teams must communicate to business leads the potential impact of cybersecurity risks and vulnerabilities on business goals.
Cyber Resilience Benefits
More effective mission fulfillment resulting from the integration of cybersecurity, business continuity, and technology resilience.
Minimal disruption to organizational objectives in the event of an incident.
Optimized risk management of the organization’s mission, technology, supporting data, and staff.
Components of Cyber Resilience
Cyber resilience is a holistic approach addressing cyber risk proactively at all three tiers of the organization. This proactive approach is carried out primarily through the following:
The first component, carried out during the assessment phase, gives business and mission owners clarity on which technology and data are required for mission fulfillment.
Cyber Risk Governance
The cyber risk governance phase takes effective action to develop the strategies, policies, and guidelines needed to mitigate your identified cyber risks.
Assessment, Analysis, and Continuous Monitoring
These actions are essential to understanding the drivers of the cyber risks your organization faces, along with the indicators that your risk posture is changing or holding steady.
Scoring and Reporting
Once the required data has been gathered and analyzed, tailored outputs for each stakeholder group support proactive risk mitigation and preparedness, prompting action and therefore change within the organization.
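As an added illustration of the tier model and the scoring and reporting step above (this is example code written for this page, not a method or tool from the original article): a small Python risk register that records findings at the projects and systems tier and rolls them up into a business line view and an organizational view, each tailored to the questions that tier asks. The 5-point likelihood and impact scales, the risk tolerance threshold of 12, the worst-case (max) roll-up rule, and the sample findings are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed 5-point scales (not from the original page): score = likelihood x impact, range 1..25.
# Assumed risk tolerance: a score of 12 or higher exceeds what leadership will accept.
RISK_TOLERANCE = 12


@dataclass(frozen=True)
class Finding:
    """One assessed risk against one system: the Tier 3 (projects and systems) record."""
    system: str          # Tier 3: the IT or IoT asset
    business_line: str   # Tier 2: the business line or mission that depends on it
    description: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        # Reject out-of-scale inputs rather than silently producing a misleading score.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed sample register for illustration only; these are not real findings.
SAMPLE_REGISTER = [
    Finding("plant-hmi-01", "Manufacturing", "Unpatched HMI reachable from corporate LAN", 4, 5),
    Finding("plant-hmi-01", "Manufacturing", "Remote vendor support account never expires", 2, 5),
    Finding("eng-ws-07", "Manufacturing", "Default vendor credentials on engineering workstation", 3, 4),
    Finding("erp-db", "Finance", "Backups never restore-tested", 2, 5),
    Finding("hr-portal", "HR", "TLS 1.0 still enabled", 2, 2),
]


def tier3_report(findings):
    """Projects and systems view: every finding per asset, worst first."""
    by_system = defaultdict(list)
    for f in findings:
        by_system[f.system].append(f)
    return {
        system: [(f.score, f.description) for f in sorted(items, key=lambda f: f.score, reverse=True)]
        for system, items in by_system.items()
    }


def tier2_report(findings, tolerance=RISK_TOLERANCE):
    """Business line view: worst score per line, which systems carry it, and how many
    findings exceed tolerance. The roll-up uses max rather than average so that one
    severe Tier 3 finding is not diluted by many minor ones."""
    report = {}
    for f in findings:
        entry = report.setdefault(f.business_line, {"worst": 0, "over_tolerance": 0, "systems": set()})
        entry["worst"] = max(entry["worst"], f.score)
        entry["systems"].add(f.system)
        if f.score >= tolerance:
            entry["over_tolerance"] += 1
    return report


def tier1_report(findings, tolerance=RISK_TOLERANCE):
    """Organizational view: which business lines breach tolerance and the single worst exposure."""
    lines = tier2_report(findings, tolerance)
    breaching = sorted(name for name, entry in lines.items() if entry["worst"] >= tolerance)
    worst = max(findings, key=lambda f: f.score, default=None)
    return {
        "business_lines_over_tolerance": breaching,
        "top_exposure": (worst.system, worst.business_line, worst.score) if worst else None,
        "escalate_to_executives": bool(breaching),
    }


if __name__ == "__main__":
    for tier, report in (("Tier 3", tier3_report(SAMPLE_REGISTER)),
                         ("Tier 2", tier2_report(SAMPLE_REGISTER)),
                         ("Tier 1", tier1_report(SAMPLE_REGISTER))):
        print(tier, report)
```

The three functions produce different outputs from the same register: the systems view lists every finding so the security team can fix them, the business line view tells an owner which of their systems put the line over tolerance, and the organizational view answers only whether executives need to act and where the worst exposure sits. Tolerance is a policy value owned by Tier 1, so it is passed in rather than hard-coded in the reports.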
Rapid advances and the introduction of new technology have created new challenges for many organizations. As vendors rush to market to beat their competitors, the cybersecurity concerns of a new technology are often addressed only after the capability has shipped. Consumers are most concerned with obtaining the new capability and may assume that security is built in. Beyond the need to fit emerging technology into existing security and governance structures and processes, new cyber risks, threat vectors, and critical dependencies now have a greater impact on organizations than ever before. The adoption of new internet-connected technology must be managed with a mission-driven approach that fully accounts for the business impact of the exposure it creates, so that the organization remains cyber resilient.
Before you, or your organization, consider plugging in a new IoT asset, it is vital to understand the greater mission context, which is accomplished through holistic cyber resilience. Remember, if you connect it, protect it. And most importantly, understand the risks.