The Iceberg Impact: Navigating the Full Scope of Cyber Risk in the Digital Age

In today's interconnected world, digital technologies offer immense benefits and opportunities, from opening new channels to customers to improving efficiency. However, their use also exposes organizations to significant and evolving risks. The media regularly highlights examples of organizations suffering financial loss and reputational damage due to problems arising from their information technology systems.

Cyber threats are pervasive and fast-moving, and a matter of national and international concern; consequently, every organization needs to assess its cyber risk exposure accurately. Boards and senior executives often view the subject from one of two polarized positions: the remarkable opportunities digital technology offers, or a recognized threat that is not properly understood. This document aims to demystify cyber risk for risk professionals and others, particularly those working at board level.

Cyber Risk Through a Compliance Lens: Navigating the Regulatory Landscape
In the intricate digital landscape of modern business, managing cyber risk is not solely an IT challenge; it is fundamentally a compliance imperative. Organizations face an ever-growing web of regulatory and legal obligations. Boards and senior executives have explicit responsibilities to understand and manage their risk exposures as part of

Beyond the Breach: Understanding the "Iceberg Impact"

While data breaches and immediate financial costs such as investigations or legal fees capture the headlines, they often represent only a small portion of the true impact of a cyber incident. This is often described as the "iceberg impact" of a cyber loss: much larger, more complex, and often uninsurable costs lie hidden below the surface.

These significant uninsurable costs can include:

  • Reputational damage: Often driven by negative publicity associated with a breach. Social media, in particular, can rapidly amplify negative information.
  • Loss of customers: A direct consequence of damaged trust and reputation.
  • Stock devaluation: Although some research suggests the long-term effect on share price may be diminishing, a data breach can still damage market value.
  • Devaluation or loss of intellectual property: This can have a devastating impact and damage competitive advantage.
  • Loss of competitive advantage and market share.
  • Direct liabilities to third parties affected.
  • Regulatory censure and fines. The financial implications of a cyber loss are growing, with penalties set to increase significantly.

Accurately quantifying these broader, uninsurable costs is a challenge, but risk professionals need to be able to communicate the wider business impact of a cyber loss to senior management.

Key Areas of Vulnerability in the Digital Landscape

The interconnectedness of modern business creates multiple potential entry points and vulnerabilities for cyber threats:

  • Mobile Devices: Mobile devices are now part of everyday life, and the lines between business and personal use have become blurred, with implications for organizational security. Organizations must conduct a risk assessment fully cognisant of the criticality of the data being shared and stored on these devices. A "do nothing" approach poses significant challenges. Questions need to be asked about infrastructure support, data security, preventing data leakage, and policies regarding employee-owned devices.
  • Social Media: Social media can be a valuable tool for interacting with stakeholders, building brands, and gaining market intelligence. However, it is also a serious threat if not managed properly. Risks include social engineering attacks that leverage personal information, oversharing of corporate information by employees or third parties, account hijacking, the inability to control third-party content posted about the organization, and significant reputational damage. Organizations need clear policies, a multidisciplinary team, and active monitoring of their own presence and of what is said about them. Ignoring or banning social platforms is not the answer; integrating them into a secure strategy is.
  • Supply Chain and Extended Enterprise: Organizations are increasingly networks of interconnected parties, including suppliers, distributors, regulators, and customers. Do you know who holds your data and where it goes? Effective governance of third parties is essential to data security, since breaches are frequently attributable to outsiders and often involve multiple parties. Due diligence processes are needed, whether questionnaires, interviews, or on-site reviews, scaled according to the risk and the importance of the data the third party handles. Contracts should include incident reporting obligations, including the timescale within which the third party must notify you.
  • Cloud Computing: Cloud services offer significant opportunities but also raise concerns over security and performance, because the organization no longer has direct control over the underlying resources. The overarching conclusion is that the cloud does not inherently increase or decrease the risk profile: an effectively controlled environment migrated to the cloud remains effectively controlled, provided the controls are re-established under the provider's shared-responsibility model and verified, rather than assumed, after migration.
  • Insecure Systems: Poorly secured systems, whether built internally or procured, can have a significant impact on the business. Failing to keep data confidential and available can lead to huge fines, loss of customers, or even business failure. Securing systems is complex, involving operating systems, databases, networks, and applications. Clear, specific security requirements are needed, and security should be integrated into the system design and development lifecycle.

Integrating Cyber Risk into Risk Management

Cyber risk is not purely a matter for the IT team. It is a business risk that should be properly dealt with within the organization’s overall risk management framework and processes. Effective governance arrangements are needed, with ultimate responsibility lying with the board. Boards should understand and manage their risk exposures as part of normal corporate governance.

Key aspects of managing cyber risk include:

  • Understanding the Risk: What is the value of the information held (the "crown jewels")? What is the potential impact if that information is stolen, corrupted, or made unavailable? Organizations need to assess their exposure accurately.
  • Governance: Boards should appreciate the business benefits of effective enterprise risk management, including its role in managing cyber threats. They need to be clear on who is responsible for managing risks, who explains them to the board, and on what information decisions are made. Governance structures may need to be dynamic and agile to react to real-time threats. Management information used to inform debate should potentially move towards a more real-time approach, including lead indicators.
  • Risk Appetite: Organizations need to consider their risk appetite in relation to cyber risks. Simply stating "no appetite for data loss" may not be realistic, as incidents are considered inevitable. The debate should aim to prevent the preventable.
  • Incident Management and Resilience: A data breach, whether deliberate or accidental, should be treated as inevitable. A robust incident response procedure needs to be in place and tested to minimize financial and reputational damage. Organizations need to know how they will detect attacks and who has the authority to declare an incident, and they need plans for containment, victim notification, communication, and, where needed, specialist support. Business continuity plans should include cyber risk scenarios. The first question customers, shareholders, and regulators will ask after an attack is, "What did this institution do to prepare?"
  • Training and Awareness: Investment in training and awareness is a very effective way to mitigate a range of cyber risks; where staff are not alert to the risks, the warning signs of a breach are more likely to be overlooked. Training helps bolster the "human firewall". It should go beyond technology to consider the individual and the organization, and should support learners after the training ends.
  • External Intelligence: Intelligence from outside the organization, through networks, scanning, and public reports, can assist in managing cyber risk. Information sharing between government and industry, as well as among businesses, helps understand and respond to threats and raise barriers to attacks.

Investing in Cyber Security

An effective information security programme requires investment in people, process, and technology. Developing the business case for this investment often requires demonstrating a suitable return on investment. Beyond risk mitigation, a successful programme can bring benefits such as greater organizational awareness, internal transparency, clear regulatory compliance, demonstration of strong business practices to investors, improved business performance, and competitive advantage.

Conclusion

Cyber risk is not a static, purely technical problem. It is a dynamic, pervasive business challenge that requires a comprehensive, organization-wide approach deeply integrated into the risk management framework. By understanding the full "iceberg impact" beyond direct costs, accurately assessing risks, investing in robust governance, incident preparedness, secure systems, and training, organizations can face up to the risks and better protect their critical data, reputation, and long-term viability. With the right approaches, organizations can mitigate a significant portion of threats and safely seize the opportunities the digital age brings.