Risk over cost, why normal business risk analysis no longer applies to cyber security.

The ripples are still forming and they will be far reaching, after the largest credit card security failure happened in the states with global payments and visa. Over the weekend visa dropped Global Payments from their compliant companies and will not allow them to process card payments anymore. This is all well and good, but once again it is a case of closing the door after the horse has bolted.

A normal risk analysis for a business can no longer apply to the management of an organisations information, especially when it comes to customers details and even more crucially when it comes to credit card or critical personal data. Normal risk analysis is designed to mitigate the risk of something happening against what the cost will be and to put processes in place to make sure that the business is not liable for the loss.

This can no longer be applied to critical business and customer data and information that you have under your management. The cost to a business after an information breach is no longer based on how much it will cost in fines and getting the system back to a compliancy level. The risk has to include share losses if you are a listed company, government contracts if you are in that space and just normal everyday reputation for your business.

Global payments lost 10% in four days after they announced the breach of their online credit card payment system. We will probably find, like normal, it was either a lapse in judgement or complacency that caused the problem in the first place.

When are they, big organisations, going to learn that they cannot play fast and loose with other peoples critical information.

In the 80’s and 90’s we had a spate of problems with organisations, all over the world, who’s risk analysis would rather pay the cost of legal and fines than fix the problem before it happened or change the way they do business.

In today’s world if your organisation ends up in court over a security breach, I honestly do not believe that the business will come out of the court room as the same entity, whether they win or lose. The damage to reputation, court costs, public backlash and share prices would mean that the organisation would have to reinvent itself or close its doors.

So after my rant what am I saying?

Security of other peoples critical, information is paramount and it will become more and more important going forward. Any organisation, small or medium business, not for profit organisation or large conglomerate can no longer just apply standard risk analysis processes to system and cyber security.

Business risk analysis for cyber security is usually focused on 3 areas – Threat Assessment, Vulnerability Assessment and Criticality Assessment. The present system takes into account the probability of a security breach against the targeted information and calculates the possibility of it occurring.

Furthermore, using the five aspect of the decision tree to make a risk assessment, three of them are online and always vulnerable ( if you are storing your information digitally then it is in a larger criminal space than we have ever had before) –

  • location and crime level,
  • desire to conduct criminal activity and
  • the probability of criminal activity.

If you throw in the vulnerability of the information under your control, doing a risk analysis of your business data takes on a totally new aspect.

Any organisation cannot and should not be expected to do a complete risk assessment internally, they need external experts to complete the required analysis. The use of external experts also ensures an unbiased and focused look at the organisations and makes sure that the cyber security risk factors are managed correctly. This allows the board to make educated and correct management decisions based on facts within the organisation.

There needs to be a rethink or at least a re-education at the board and management level of business. The risk of a security breach far out-ways the repercussions of actually going through one. The additional cost to revenue, reputation, share price and most importantly, in today’s world, profit needs to be factored in.

This will change the security paradigm when applied to business, the additional cost to make sure that a business is compliant will far outweigh the cost of a security breach.

Thanks to Ian Bowyer, Manager Risk & Assurance at Queensland Rail for his most valuable input.

Roger Smith, is an educator. Teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course which are considered to be the definitive guides to helping SME's protect their organisation using the principles of Technology, Management, Adaptability and Compliance.

Leave a Reply