Article Synopsis:
Predictions for the aggregate global cost of cybercrime vary, but the numbers are huge. Correspondingly, the amount companies are expected to spend to protect themselves is also large, approaching $1 trillion annually on a global basis by 2022.
Despite the clear recognition of the risk that cyber-crime and cyber-terrorism present to both individuals and companies, there are areas of hidden cyber risk that are either missed in audits or deprioritized because addressing them would disrupt a company’s operations. This in-depth report from Oliver Wyman explores ten of the more common ‘hidden’ cyber risks prevalent in large and mid-sized organizations and offers suggestions on how to address them. The ten focus areas are:
- End-User Computing
- Business Intelligence Tools
- Robotic Process Automation
- Business Process Management
- Second Tier SaaS Applications
- Shadow IT
- Developer Infrastructure
- Public Cloud
- Orphaned Applications
- Hidden Applications
At a high level, comprehensively understanding cyber risk requires a business-process view, which unearths hidden risks that are not visible when only assets and threat vectors are evaluated. Only then can cyber risk be managed across the entire organization.
Practically, the report recommends four key actions:
Action point #1: Know what user capabilities are out there across your organization: For End-User Computing (EUC) and robotic process automation applications, the first step is to understand the cyber risk they create for your organization. The second step is to identify all the applications that contain sensitive or critical information (i.e., ‘crown jewels’) and ensure that EUCs cannot access them directly and that large blocks of their data cannot be extracted and moved into EUCs.
Action point #2: Apply the data-related controls where they matter: It’s essential to understand and ultimately inventory the classes of underlying data being called upon and processed by business intelligence tools, and to ensure the right controls are in place over the capture and distribution of that data, whether raw or processed. This requires knowing which data is sensitive (or potentially attractive to bad actors), in classes such as Non-Public Information (NPI) or Material Business Information (MBI), or which collectively represent the ‘crown jewels’ of the enterprise.
Action point #3: Build a data security mindfulness culture: Dealing with datasets that are sensitive and potentially valuable to outside parties requires not only appropriate controls but also active education by the enterprise on data security mindfulness. Where data analysts are aware of the sensitive nature of the data they are privileged to access and process, they are much more likely to handle it in a disciplined way.
Action point #4: Establish the right base of knowledge about your IT assets and keep it current: Protecting data and reducing or mitigating cyber risk depends on a clear understanding of the technology landscape and componentry through which data is sourced, processed and distributed. What is unknown is difficult to protect. There are many CMDB (Configuration Management Database) tools available to help keep track of organizational assets. The key is to have the accountabilities and discipline in place to keep the asset inventory accurate, so that it can actually be used to combat cyber threats.
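A CMDB is only useful against the hidden risks listed above if it is regularly reconciled against what is actually running. The following is an added illustration of such a reconciliation check, written for this synopsis; it is not code from the Oliver Wyman report, and the CMDB and discovery records in it are constructed sample data (the hostnames, owners and classes are hypothetical). It compares a CMDB export against a discovery export (e.g. a network scan or cloud inventory API) and flags assets that appear in one but not the other, records without an accountable owner, and records that have not been seen recently.

```python
"""Reconcile a CMDB export against discovered assets.

Added example for the asset-inventory action point, not code from the
report. All records below are constructed sample data.
"""
from datetime import date

# Reference date for the staleness check (constructed, fixed so results are reproducible).
AS_OF = date(2024, 6, 1)

# Constructed CMDB export: what the organization believes it owns.
CMDB = [
    {"host": "crm-db01", "owner": "sales-it", "class": "crown-jewel", "last_seen": "2024-05-30"},
    {"host": "Fin-BI02", "owner": "", "class": "bi-tool", "last_seen": "2024-05-29"},
    {"host": "legacy-app7", "owner": "unknown", "class": "app", "last_seen": "2023-11-02"},
]

# Constructed discovery export: what is actually reachable on the network.
DISCOVERED = [
    {"host": "crm-db01", "last_seen": "2024-06-01"},
    {"host": "fin-bi02", "last_seen": "2024-06-01"},      # same host, different case
    {"host": "rpa-runner-3", "last_seen": "2024-06-01"},  # bot host nobody registered
    {"host": "analyst-macro-vm", "last_seen": "2024-06-01"},  # end-user computing box
]


def normalize(host: str) -> str:
    """Hostnames from different sources differ in case/whitespace; compare on a canonical form."""
    return host.strip().lower()


def reconcile(cmdb, discovered, today: date = AS_OF, stale_days: int = 90) -> dict:
    """Return lists of hostnames per finding type.

    unregistered: live on the network but absent from the CMDB (shadow IT, RPA, EUC hosts).
    orphaned:     in the CMDB but no longer discovered (decommissioned or forgotten).
    unowned:      CMDB records with no accountable owner.
    stale:        CMDB records not refreshed within stale_days.
    """
    known = {normalize(r["host"]): r for r in cmdb}
    seen = {normalize(r["host"]): r for r in discovered}

    findings = {
        "unregistered": sorted(seen.keys() - known.keys()),
        "orphaned": sorted(known.keys() - seen.keys()),
        "unowned": [],
        "stale": [],
    }
    for host, rec in known.items():
        if rec["owner"].strip().lower() in ("", "unknown"):
            findings["unowned"].append(host)
        age = (today - date.fromisoformat(rec["last_seen"])).days
        if age > stale_days:
            findings["stale"].append(host)
    return findings


if __name__ == "__main__":
    for kind, hosts in reconcile(CMDB, DISCOVERED).items():
        print(f"{kind:>12}: {', '.join(hosts) or '-'}")
```

In practice the two inputs would be pulled from the CMDB's export API and from a scanner or cloud inventory, and the "unregistered" list is the one that most directly surfaces the shadow IT, RPA and end-user computing hosts the report is concerned with; the "unowned" list is where the accountability gap the action point describes shows up.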
Bottom line: Effectively evaluating a company’s cyber risk requires establishing a comprehensive inventory of technology and data assets, understanding key processes and workflows, and deciding on an acceptable risk appetite in the trade-off between business flexibility and cyber security.
Digital Insurer's Comments:
Only recently has the full extent of the ‘NotPetya’ malware attack come to light. Here’s a list of the approximate damages reported by some of the worm’s biggest victims (source: Wired):
- Merck: $870 million
- FedEx: $400 million
- Saint-Gobain: $384 million
- Maersk: $300 million
- Mondelez: $188 million
Total estimated damages: $10 billion. That’s serious money. Are you as serious about your cyber security as you should be?