Cyberrisk and cybersecurity have come of age. From the board and management, to the chief information officer and the chief audit executive, organizational leaders typically now discuss cyberthreats not solely as an IT problem, but as a fully fledged business risk. And this elevation of concern and attention is introducing not just new ways of understanding the persistent threat of cyberattack, but different, more dynamic ways of addressing the exposures it creates.
Survey after survey ranks cyberthreat among the top 10 risks that keep business executives awake at night. But treating the risk as a separate category in this way is no longer adequate. Take the Allianz Risk Barometer on Business Risks 2014, for example. It lists cyberthreat separately from business interruption and supply chain risk; loss of reputation and brand value (from social media and elsewhere); and theft, fraud, and corruption. But risk from cyberattack arises in these areas too, meaning that the problem cuts across almost 80 percent of all business activities the survey identified.
That is one reason why the scale of the threat is hard to quantify. Cyberattacks cost the world economy between US $300 billion and $1 trillion in 2013, compared to US $600 billion from drug trafficking, according to software company McAfee. Jeffrey Kosc, partner at business law firm Benesch, Friedlander, Coplan & Aronoff, says the cost of a single data breach can include anything from the expense of fixing the problem that caused the loss and dealing with business interruption, to the legal costs of handling any investigations launched by state and federal regulators, the fines they may impose, and the class action lawsuits filed by people whose data may have been compromised.
"People forget that compliance with security procedures does not always mean you are secure," Kosc says. In particular, throwing money at large security systems is likely to be just the beginning of the costs businesses face if they are not also being proactive and continually improving their security approach.
What businesses need to focus on are the specific types of attack they face today and the weaknesses inherent in their business practices, culture, and IT systems. Internal auditors armed with such knowledge can help management develop better controls and assess their effectiveness. But internal auditors also need to be engaged at a more strategic level, knowing what the board's approach to security is, working proactively with systems administrators, and getting involved with new IT implementations at an early stage. Because internal auditors work across all areas, they are ideally placed to understand cyberthreat as a business risk and help the organization tackle it effectively.
The main threat most businesses face comes from two umbrella...