The threat of cyber attack is a growing concern for everyone who uses the internet. It costs the global economy half a trillion dollars a year, nearly 2% of total economic output. Data shows that over 1% of large businesses experience a major loss from a cyber event each year. And the problem is global, with attacks being reported in over 180 countries.
The threat comes from seven main categories of cyber attackers working anonymously in the black economy. Each has their own objectives, capabilities, methods of working, and business model. Understanding how these threat actors could target your organisation is vital. In Solving Cyber Risk, three authors with extensive experience in cybersecurity and risk management analysis demystify the processes of how cyber causes loss and the principles of keeping this risk manageable.
Risk is the chance of loss. What we do in this book is to present a framework for quantifying the losses from cyber attacks and to estimate the likelihood of them.
The costs and benefits of investments in cybersecurity are not obvious unless you follow a risk management framework.
And what is really interesting and fascinating is that the most cost-effective cybersecurity measures are not necessarily what you think they are.
Assessing the potential impact of different scenarios on your organisation before they occur enables you to set your loss tolerance for cyber attacks.
It’s definitely worth estimating what different types of cyber attack scenarios could do to an organisation and just how likely they are. In the book, we set out some management exercises that help people think through the impact, a potential impact on their business, and just the effectiveness of different security strategies.
In addition to solving the cyber risk for individual organisations, it is important to consider the fundamental causes of cyber risk.
Cyber risk exists principally because hardware and software have errors. Some of those errors can be vulnerabilities. Some of those vulnerabilities can be exploited. And those exploits lead to the cyber risk. These are the ghosts in the code.
Vulnerabilities in software are a major issue for cyber risk. Finding and patching vulnerabilities is critical to reducing the risk.
These vulnerabilities are hunted for by malicious actors. And they use them to accomplish a lot of the problems of cyber risk. So there’s sort of an arms race for us to find them quicker than the bad guys do.
The problem is that there is a lot of this code that’s being written for the Internet of Things. And those products are getting out there very quickly. And they pose a safety risk and a security risk and a privacy risk to all of us.
The problem doesn’t end there. Even when software companies produce a patch that closes a vulnerability, companies are often slow to install it. Cyber risk is a problem for the whole of society. It affects us all.
Cyber risk poses a threat not just to our businesses, but also to our economy, our democracy, and our continued way of life.
Cyber attacks could also trigger even greater crises for our society.
So we estimate there’s about a 1 in 100 chance each year of a cyber attack that could cost more than $1 trillion to the global economy.
It is not enough for every company to protect itself. We need to tackle cyber risk across the board.
We need to address cyber risk by coming up with a number of strategies.
The technology industry in general needs to sell safe, secure, private software or hardware. And it needs to make that transparent to everyday users so they can make sensible risk decisions.
It’s important that companies adopt a cyber safety culture. And it’s also important they adopt cyber security best practice.
There’s a need to upgrade law enforcement to meet the needs of the cyber age.
We need to destroy the business model for cyber threat actors and make alternative career choices more attractive.
In a way, cyber problems are too big for any one organisation to solve on their own, or even one country. We’ve known for many years that it needs a cross-border collaboration and international institutions to coordinate this global problem.
These changes will require significant political will, investment, and changes to the way we do things now. But the changes are needed. Cyber risk is a problem that affects everyone. Together, and only together, can we solve cyber risk.