As R.E.M. sang in their hit song from the Automatic for the People album, Everybody Hurts … and everybody needs a risk plan to deal with it. We are pretty sure R.E.M. wasn’t envisioning their song would be a lead-in to a blog about enterprise-level risk management and cybersecurity, but then again, the year was 1992 and the world was not the same.
Since then, many real-world cyber-attacks on business organizations have made headlines, including …
- The massive (and massively-publicized) damage caused by the 2013 Target data breach
- The 2014 Sony Pictures hack
- The 2014 German steel mill hack, in which the hackers spoofed inter-company emails to gain access to and override the controls of a blast furnace (large-scale damage to the industrial plant followed, but no loss of life)
- The Ukrainian power grid hack in 2015, the cyber-attack that made news headlines and called into question the safety and security of power grids everywhere
So what is enterprise-level risk management? For organizations, enterprise-level risk management involves identifying dependencies on enterprise capabilities, identifying defined threats, prioritizing risks, implementing countermeasures, and assessing enterprise performance against threats. The cybersecurity part of risk management is the relative newcomer to the array of risks out there. The Economist recently referred to cyber risk as the “silent” risk. Cyber-insurance, they reported, has only been around for about 15 years, and insurers are in the midst of understanding, measuring, and calibrating cyber-threats (Dec. 3, 2016).
From lessons learned from past attacks on enterprise-level organizations, we know that quantifying the loss from a cyber-attack involves, at least:
- Internal investigation / forensics expenses
- Customer notification/crisis management costs
- Regulatory and other compliance expenses
- Technical remediation expenses
- Damage to reputation
So what can you do? In short, move towards full compliance with all government and industry standards involving safeguarding information and reporting breaches, get audited by a third party, and insure your cyber-liabilities.
And remember (because I can’t get the R.E.M. song out of my head now) … it’s NOT the end of the world as we know it …
Sera-Brynn is a Global Top 10 Cybersecurity firm headquartered in Hampton Roads, Virginia. We are a team of certified compliance auditors, security engineers, computer forensics examiners, security consultants, security researchers, and trainers with in-depth expertise and decades of experience. Many of us come from the national intelligence and military information security community where we designed, protected, and countered threats to the most complex and sensitive network infrastructures in the world. We apply those skills, tactics and techniques to the benefit of our global private sector clientele.
Sera-Brynn’s clients include Fortune 500 companies, global technology enterprises, DoD contractors, state and local governments, transnational financial services institutions, large healthcare organizations, law firms, Captives and Risk Retention Groups, higher education, international joint ventures, insurance carriers and re-insurers, national-level non-profits, and mid-market retail merchants, all of whom rely on Sera-Brynn as a trusted advisor and extension of their information technology team.
by Colleen H. Johnson, Senior Cyber Legal Analyst