While business risks abound, including intensified cybersecurity attacks, the impact of rapid technological advances and increasing regulations, there are healthy ways to uncover and mitigate risks.
Organizations are moving away from a siloed approach to reducing operational risks. Instead, they are seeing success with an integrated risk management (IRM) strategy.
IRM brings more data and business intelligence into the equation. By integrating risk intelligence with business intelligence, IRM lessens uncertainty and improves business decision-making.
To understand the full scope of risk, proactive organizations require a comprehensive view across departments, technology, and processes to determine their overarching risks and how best to handle them, whether to avoid their implications or drive value and determine the opportunity.
NAVEX Global’s recent survey of IT security professionals inquired about the state of risk alignment in their organizations. Respondents reported that IT and cybersecurity risks were broadly considered a part of their organization’s overall risk profile. In fact, 95% said their organizations include cybersecurity within their IRM approach.
Breaking It Down by Industry
Industries that rated “strong” collaboration between IT security, operational risk management and the compliance function include Banking and Finance (97%), Healthcare (96%), Engineering and Manufacturing (90%), and Science and Pharmaceuticals (78%). This finding is not necessarily surprising, as empirical evidence points to these industries as the most targeted by threat actors and attackers.
According to the Boston Consulting Group (BCG) report, cyberattacks hit financial services firms 300 times more often than other companies. A cyberattack on a bank can devastate its customers and systems, and a cyberattack on the US Treasury (which SolarWinds came dangerously close to achieving) could bring down the country.
As the healthcare industry continues to offer life-saving services while improving treatment and patient care with new technologies, threat actors look to exploit the vulnerabilities associated with these continuous changes. According to the HIPAA Journal’s May 2021 Healthcare Data Breach Report, this May was the worst month of the year regarding the severity of breaches, with 6,535,130 healthcare records breached.
Trends such as the Industrial Internet of Things (IIoT) are driving manufacturing plants to facilitate more connections between the physical process world and the Internet. Unfortunately, this connectivity exposes the previously isolated operational environments to cyberthreats. According to the Manufacturers Alliance for Productivity and Innovation (MAPI), 40% of manufacturing firms experienced a cyberattack last year.
The average cost of a data breach in the pharmaceutical industry is $5 million, according to IBM's Cost of a Data Breach Report, 2020. The Ponemon Institute reports that it takes an average of 257 days to identify and contain a breach in pharma. Additionally, one significant effort stands out for the pharmaceutical supply chain: the COVID-19 vaccine. Specialists have warned that the process of manufacturing and distributing the vaccines presents several vulnerabilities.
Simple Steps to Take Today
Create a security-conscious culture: The easiest point of entry for a cyber threat is a single person. Texts, voice mail messages, phishing and other social engineering attacks take advantage of humans being “human”, and people are at greater risk of being exploited when an organization doesn’t maintain regular training, awareness, and a secure network. Teach employees to understand cyber threats and the best practices to protect confidential information and critical systems. A security awareness program encourages and enables employees to play an active role in your overall security strategy. Forrester's research suggests that 70% of breaches are due to employees' lack of cybersecurity awareness.
Data Backup: Back up data regularly and keep the backups separate from the production environment. For example, in case of a ransomware attack, the victim can recover encrypted information from a tested backup. Keep in mind that any corruption to data gets copied with it, so a solid collection of backups going back as far as viable, or to the last "known good" state, is best practice.
Make a Plan: Prepare now for what to do in the event of a breach, and practice executing it. Make sure you have a plan for what to do with your data in case of an incident. An incident response plan should consider the immediate actions a company needs to take. This plan may include shutting down or locking your computer systems, moving your information to a backup site, or physically removing essential documents and sensitive materials.