“That is fraudulent action based on somebody being misled, even though it was made possible by some element of a cyber compromise,” Stroz said. “The dollar losses that the FBI estimates are happening in this area are in excess of US$15 billion related to business email compromise.”
Stroz said when thinking of risk transfer, it was important not to think about the risk inherent in the device itself, which might only cost $1500, but to consider the overall risk once it is plugged in to a network, which could be enormous.
And even when there might be little conceivable reason why a company would be attacked directly, Stroz said it could still become a victim, as criminals had turned their attention to infiltrating their targets by compromising the systems of trusted partners – something he recently saw happen to an architectural firm whose clients were the criminals’ real targets.
“You have to understand the risks your organisation might be exposed to, not just as the target, but as the victim, and you have to see it as an enterprise-wide risk to be managed,” he said.
Organisations should consider how much risk they could afford to be exposed to, and what investment they were willing to make to protect themselves. At that point they should consider adopting a robust risk framework, such as that set out by the US National Institute of Standards and Technology (NIST), which makes recommendations for how an organisation might be organised to prevent, detect, identify, respond to and recover from cyber incidents. The framework is then used to guide managerial judgments using a risk-based set of priorities.
Stroz also suggested that company directors often needed help with this issue, as it post-dated much of their working lives, and recommended bringing cyber expertise into the board, either directly or through an adviser. The issues should be presented and managed in a clear, jargon-free lexicon that allows the seasoned judgment of board members to engage.
“You have to see and treat cyber security as an enterprise risk management phenomenon, not an IT phenomenon,” Stroz said. “The territory you are in for managing this has legal implications for your company.”
“If you suffer a cyber incident, there is a good chance you will be sued, or the regulator will come after you. You’re going to need a lawyer, and the lawyer is going to need to settle these issues around legal concepts, not technical ones. And they will need evidence to back up their representations.”
Navigating through complexity
Addressing the new world order of cyber threats can be a complex task – but is doable. It encompasses a broad range of risks with the potential to harm assets, from property to brand and reputation.
As with everything, a holistic understanding of the challenges and a holistic application of the right solutions will be essential in building a resilient company that can meet the demands of a rapidly changing cyber landscape.