BreachExchange mailing list archives

For CFOs, Cybersecurity Risk Is Like an Iceberg


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 7 Jul 2015 19:25:24 -0600

http://ww2.cfo.com/supply-chain/2015/07/cfos-cybersecurity-risk-like-iceberg/

Prior to 2005, people occasionally speculated on what might befall New
Orleans if a major hurricane were to land. The conversation was merely
academic until the horror of Katrina played out in stark reality.

The naïve, pre-catastrophe state is very much like where we are today with
cybersecurity. The data breaches American businesses have experienced so
far are mere thunderstorms and nor’easters. Most of us have yet to suffer
the fearsome Big One.

Are we truly ready for bigger and more serious cyberattacks? Do we even
know what all the risks are? Many are obvious, but others are hidden. For
CFOs, cybersecurity risk is like an iceberg.

Above the waterline are the visible concerns: hackers, malware, and
valuable data. Many business leaders have done a pretty good job addressing
these vulnerabilities (not perfect, but pretty good). We’ve heeded our
boards’ concerns and sat down with our CIOs to shore up our technologies,
password practices, and email usage guidelines. By and large, employees
today know enough not to click on weird links from suspicious senders.

Hidden in the murky depths, however, are dangers that could really bring
down the ship: suppliers, partners, systems, and internal actors. To fully
protect a company, CFOs should lead it in a thorough review of these areas
of vulnerability.

Your suppliers. No matter how well you’ve secured your own business against
cyberthreats, you’re still exposed to risk through your partners. Let’s say
you’re a manufacturer: what if one of your key suppliers is attacked,
disrupting that supplier and your operations as well? In this way, a
cyberattack can look very much like the Thailand floods that roiled the
tech industry in 2011, making winners of companies with resilient supply
chains.

Although a supply chain disruption may not be your fault per se, that fact
doesn’t protect you from the repercussions. Smart companies will shore up
risks throughout their supply chain so that they can sail through potential
disruptions or bounce back before competitors. These are the companies
whose reputations grow – as does their market share, revenue and
shareholder value – during turbulent times. Unprepared companies suffer the
opposite fate. Be proactive in the enterprise risk management process in
ensuring the resilience of your partners and suppliers, and verifying their
cybersecurity certifications.

Partners. No matter how secure your supply chain, your service partners are
also points of vulnerability. What if hackers attack your bank, steal your
money, or seize your sensitive information? What effect will that have on
your business?

Systemic threats. A data breach is terrifying enough. You can lose customer
names, financial information, intellectual property, and private health
information. What we have not seen yet are cybersecurity’s unthinkable
property threats. What if a hacker gains control of the power grid, a water
treatment plant, or a blast furnace?

Internal threats. Firewalls used to keep the bad guys out. Now reality
forces us to accept the likelihood they’ll get in, either by phishing or
working for you. What do you do once the worm’s in?

Just as emergency flood response plans assume the water will come, and fire
drills assume there will be flames, CFOs need to ensure their companies
have plans that go far beyond the prevention of successful cyberattacks.
Plan for detecting them, containing them, expunging them and safely
resuming normal operations.

Cybersecurity, however, is a still-developing exposure, and much remains
unknown about the myriad ways a cyberattack can devastate a business, let
alone a community or nation.

Many of American business’s cyber-risk management processes are based on
limited experience with past attacks, but it’s clear that more will come.
In some cases, there will be incidents that CFOs like us have yet to
contemplate or experience. These Big Ones will affect data, systems and
infrastructure in new ways. Profound ways. Are you ready?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/