The threat of cybercrime has increased substantially over the past several years. According to an industry risk analysis report by Allianz, cyber risks ranked third among the top business risks in 2016, up from 15th in 2013. Even more alarming, a report by McAfee and the Center for Strategic and International Studies estimates that cybercrime costs the world economy about $445 billion annually.
As our dependence on electronic shared data increases (e.g. online shopping, cloud technology), so does our exposure to cyber risks. Despite such alarming trends, many organizations are approaching this risk with little to no strategy, which makes them that much more vulnerable.
I am currently working on a report on cyber risk with a university in Austria. We’ve interviewed executives in over 50 organizations in the United States and Europe, and our preliminary findings reveal some startling patterns of decision-making when dealing with cyber risks.
According to our research thus far, these patterns revolve around three misconceptions that managers embrace.
Misconception #1: Cyber Risk is an IT Issue (vs. a Cross Functional Problem)
Many organizations assign the task of dealing with cyber threats to their IT department. A successful cyber attack, however, can have an organization-wide impact on operations, marketing, logistics, and other functional areas. It can lead to a disruption in production, delays in shipments resulting in stock-outs, or damage to the brand equity of the firm or its products. To fully understand this risk and its potential impact across the organization, top management must make a concerted effort to deal with it using an enterprise-wide approach. Isolating the task in the IT department alone will not produce a comprehensive risk management strategy that effectively deals with such risks.
Misconception #2: Organizational Focus (vs. Supply Chain Focus)
The second pattern that emerged was a focus on cyber risks as they relate to the specific organization, without taking the entire supply chain network into account. Cyber attacks can be directed at the company itself, but in many cases they are directed at another supply chain member that is connected to the same network. There are many cases where companies were breached through a breach at a third-party service provider. Organizations such as Target, Home Depot, Fiat Chrysler, T-Mobile USA, the IRS, CVS, Costco, Sam's Club, Boston Medical Center, and others have all suffered cyber attacks because their third-party providers were compromised.
Another issue present in supply chains that can raise the risk of cybercrime is poor outsourcing decisions; one estimate attributes 63% of supply chain data breaches to such decisions. Reducing a company's exposure to cybersecurity threats can no longer be viewed in isolation; it must be addressed as a network-wide problem. Organizations can outsource activities to a third party, but they cannot outsource the risk. A successful attack on one supply chain member affects every other organization in that network. Working with critical supply chain partners is key to understanding the source of the risk and setting effective plans to manage it.
Misconception #3: Assessing Cyber Risks Qualitatively (vs. Quantitatively)
Many organizations use a qualitative approach to assess risks. Examples include color-coded systems, or a standard 2x2 matrix plotting likelihood of occurrence against potential impact on a qualitative scale. The problem with such approaches is that they give managers little they can act on: a rating of "high" cannot be compared across risks, added up across business units, or weighed against the cost of a control.
This is even more problematic when trying to address something as complex and evolving as cyber risk. A risk rated "high" may be interpreted differently across units of the organization, or across countries if the organization has a global presence. A quantitative approach instead assigns a numeric probability of occurrence (for example, a 30% chance of a third-party breach in a given year) and a range of potential costs for the impact. Combining the two with a Monte Carlo simulation produces a distribution of annual loss, from which managers can read an expected loss, a worst-case figure at a chosen confidence level, and the value of a proposed control.
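As an added example (not from the original article or its authors), the following Python script carries out the quantitative assessment described above: it takes a yearly probability of occurrence and a low/most-likely/high cost range, runs a Monte Carlo simulation of annual loss, and compares the expected loss with and without a control so the control's net value can be read directly. The scenario numbers (a 30% yearly chance of a third-party breach, a $100k to $2M impact, a control costing $60k per year that halves the probability) are constructed for illustration and are assumptions, not data from the report. Impact is modeled with a triangular distribution, a common choice when only a range and a most likely value are known.

```python
"""Monte Carlo estimate of annual cyber loss from a probability and a cost range.

Added example, not from the original article. All scenario figures below are
constructed for illustration (assumptions, not data from any cited report).
"""
import random
from typing import Dict, List


def simulate_annual_loss(p_event: float, low: float, mode: float, high: float,
                         trials: int = 20_000, seed: int = 7) -> List[float]:
    """Return one simulated annual loss per trial.

    p_event: probability that the incident occurs in a given year.
    low/mode/high: minimum, most likely and maximum cost if it does occur,
    sampled from a triangular distribution.
    A fixed seed makes the run reproducible for review.
    """
    if not 0.0 <= p_event <= 1.0:
        raise ValueError("p_event must be a probability between 0 and 1")
    if not low <= mode <= high:
        raise ValueError("need low <= mode <= high")
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        if rng.random() < p_event:          # the incident happens this year
            losses.append(rng.triangular(low, high, mode))
        else:                               # no incident, no loss
            losses.append(0.0)
    return losses


def percentile(sorted_values: List[float], q: float) -> float:
    """Nearest-rank percentile (q in 0..100) of an already sorted list."""
    n = len(sorted_values)
    idx = int(round(q / 100.0 * n)) - 1
    return sorted_values[max(0, min(n - 1, idx))]


def summarize(losses: List[float]) -> Dict[str, float]:
    """Decision-relevant figures: expected loss, median, 95th percentile, maximum."""
    s = sorted(losses)
    return {
        "expected_annual_loss": sum(s) / len(s),
        "median": percentile(s, 50),
        "p95": percentile(s, 95),   # loss exceeded in only 1 year in 20
        "max": s[-1],
    }


def control_value(baseline: Dict[str, float], with_control: Dict[str, float],
                  annual_control_cost: float) -> float:
    """Net annual benefit of a control: reduction in expected loss minus its cost.

    A positive value means the control pays for itself on average.
    """
    reduction = baseline["expected_annual_loss"] - with_control["expected_annual_loss"]
    return reduction - annual_control_cost


if __name__ == "__main__":
    # Constructed scenario: a third-party breach with a 30% yearly probability
    # and an impact of $100k (low), $400k (most likely) or $2M (high).
    base = summarize(simulate_annual_loss(0.30, 100_000, 400_000, 2_000_000))
    # Assumed control (e.g. tighter vendor access review) halves the probability
    # but costs $60k per year to operate.
    ctrl = summarize(simulate_annual_loss(0.15, 100_000, 400_000, 2_000_000))
    for name, result in (("baseline", base), ("with control", ctrl)):
        print(f"{name:13s} expected ${result['expected_annual_loss']:>12,.0f} "
              f"p95 ${result['p95']:>12,.0f} max ${result['max']:>12,.0f}")
    print(f"net value of control: ${control_value(base, ctrl, 60_000):,.0f} per year")
```

The analytic expected loss for the baseline is 0.30 × (100k + 400k + 2M)/3 ≈ $250k per year, so the simulated mean should land close to that; the median is zero because in most simulated years nothing happens, which is exactly the kind of fact a "high" label hides. The same two numbers (probability and cost range) can be gathered from each business unit or supply chain partner and rolled up, which a color-coded matrix does not allow.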
Cyber risks are a clear and present danger to all organizations, and a threat that will continue to rise. Managers should rethink how they address this kind of risk by designing a risk management plan with the involvement of key personnel from different areas of the organization, not just the IT department. The plan should also address the risk from a system-wide, supply chain perspective. Finally, a more quantitative approach should be used to assess the potential risks accurately.
Ayman Omar is an Associate Professor in the Department of International Business and a Research Fellow at the Kogod Cybersecurity Governance Center (KCGC). His research interests focus on global supply chain management, specifically supply chain integration and responsiveness, cyber risks in global supply chains, and sustainability in global supply chains. Prior to receiving his Ph.D., Prof. Omar worked in the oil industry and conducted several consulting projects for a wide range of corporations, including many Fortune 100 companies as well as small privately owned firms.