As cyber threats evolve beyond traditional IT boundaries, businesses face new challenges in protecting their digital assets and supply chains. Aravo’s Dean Alms explores how companies can adapt their cybersecurity strategies to address emerging risks and build resilience across their extended enterprise.
Mitigating cybersecurity risk isn’t purely an IT management challenge anymore. Information security must now be a collective responsibility shared with other departments, including legal and compliance but also procurement and supply chain. That’s because the nature of cyber threats is evolving well beyond the cyber realm.
One study found that more than half (56%) of cybersecurity incidents are partially or entirely the result of supply chain attacks, which have surged in recent years, and are projected to cost the global economy almost $81 billion annually by 2026.
Digital attacks like AT&T’s third-party data breach may be top-of-mind when business leaders think of cyber threats right now. But physical supply chain attacks and geopolitical tensions are prompting state-backed hackers to target trade flows, putting shipowners, ports and other maritime groups on cyber criminals’ hit lists. A decade ago, physical cyber threats were rare — only three were reported in 2014. But last year, there were at least 64 — many linking to Russia, China, North Korea or Iran, and those are just the ones we know of.
As cyber threats evolve — and risk domains like cybersecurity and geopolitics, among others, continue to overlap — so, too, must risk management strategies.
The new mindset to managing cybersecurity risk
A proactive security posture begins with improving your threat visibility and awareness. Third-party risks don’t happen in a vacuum. Cyber is just one of many priority risk domains your company should be watching. Business leaders need a more holistic approach and mindset to managing cybersecurity risk to navigate today’s evolving threat landscape.
Getting real about where the threats really lie
Since a majority of cybersecurity attacks emanate from a company’s supply chain, it’s only prudent that risk managers thoroughly investigate every supplier, vendor and other supply-chain partner that may enter the extended enterprise, either digitally or physically. Due diligence checks include confirming a partner’s cyber/information security protocols and standards, whether it has been involved in recent data breaches or other security incidents, and whether it is financially and operationally sound.
Collapsing data silos
Now more than ever, information sharing across departments is critical to improving cybersecurity awareness and threat response. By centralizing data across risk domains and the teams that traditionally monitor them, organizations can better identify and manage cross-domain risks before they become disruptive and prevent threats from slipping through the cracks.
Diversifying your network
Remember CrowdStrike? Consider the risk of relying heavily on a single vendor for critical operations. Diversifying helps minimize disruptions during unexpected breaches, attacks or even outages like the one that halted so many industries from travel to healthcare this summer.
Not ignoring risk scoring, but not solely relying on it either
Risk ratings are just one tool in the risk manager’s toolkit. They provide an instant score of a third party’s security posture, such as when they fail to meet due diligence requirements for industry frameworks. However, they shouldn’t be the sole factor in evaluating suppliers. Risk ratings can augment third-party due diligence checks, but businesses should rely on multiple sources of risk intelligence. This includes tailored risk assessments or surveys, risk rating and scoring metrics and other third-party sources to enrich their understanding of their suppliers’ risk exposure, rate prospective vendors against benchmarks and determine if they are willing to accept companies at certain risk levels.
Continuous monitoring: Risk never sleeps. Continuous monitoring of risk domains, suppliers and third parties enables decision makers to get ahead of risk events and implement contingency planning. You won’t be able to prevent every threat from emerging or risk event from occurring, but you can receive early warning and improve your security posture from reactive to proactive.
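The two points above, that a rating is one input among several and that the picture must be re-evaluated as new signals arrive, can be made concrete. The following is an added example, not code from the article or from Aravo: it folds an external rating, a tailored assessment, incident history and framework gaps into a single tier with a worst-of rule (a strong rating never clears a vendor whose assessment is missing or failed), then replays a stream of monitoring events and raises an alert whenever the tier changes. The vendor, scores and events are constructed sample data, and the tier thresholds and risk appetite are assumed policy values.

```python
"""Fusing several third-party risk signals, then re-evaluating as new signals arrive.

Added example, not code from the article or from Aravo. The vendor, scores and
events are constructed sample data; the tier thresholds and the risk appetite are
assumed policy values for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TIER_ORDER = ["low", "medium", "high", "critical"]
RISK_APPETITE = "medium"  # assumed policy: onboard vendors at this tier or better


@dataclass
class VendorRisk:
    name: str
    external_rating: Optional[int] = None    # 0-100 from a rating service, higher is better
    assessment_score: Optional[int] = None   # 0-100 from a tailored questionnaire
    incidents_last_12m: int = 0              # confirmed breaches / security incidents
    framework_gaps: List[str] = field(default_factory=list)  # failed control areas


def tier_from_score(score: int) -> str:
    """Map a 0-100 score to a tier (assumed thresholds)."""
    if score >= 80:
        return "low"
    if score >= 60:
        return "medium"
    if score >= 40:
        return "high"
    return "critical"


def evaluate(v: VendorRisk) -> str:
    """Combine the sources with a worst-of rule: no single good signal clears a vendor."""
    tiers = []
    if v.external_rating is not None:
        tiers.append(tier_from_score(v.external_rating))
    if v.assessment_score is None:
        tiers.append("high")  # no tailored assessment yet: posture is unknown, not good
    else:
        tiers.append(tier_from_score(v.assessment_score))
    if v.incidents_last_12m >= 2:
        tiers.append("critical")
    elif v.incidents_last_12m == 1:
        tiers.append("high")
    if v.framework_gaps:
        tiers.append("high")
    return max(tiers, key=TIER_ORDER.index)


def within_appetite(tier: str) -> bool:
    return TIER_ORDER.index(tier) <= TIER_ORDER.index(RISK_APPETITE)


def apply_event(v: VendorRisk, event: Dict) -> Optional[str]:
    """Continuous monitoring step: fold one new signal into the record and
    return an alert string if the vendor's tier changed, else None."""
    before = evaluate(v)
    kind = event["type"]
    if kind == "rating_update":
        v.external_rating = event["value"]
    elif kind == "assessment":
        v.assessment_score = event["value"]
        v.framework_gaps = list(event.get("gaps", []))
    elif kind == "incident":
        v.incidents_last_12m += 1
    else:
        raise ValueError(f"unknown event type: {kind}")
    after = evaluate(v)
    if after == before:
        return None
    return f"{v.name}: tier {before} -> {after} (within appetite: {within_appetite(after)})"


def run_monitoring(v: VendorRisk, events: List[Dict]) -> List[str]:
    """Replay a stream of signals and collect the alerts raised."""
    return [a for a in (apply_event(v, e) for e in events) if a is not None]


if __name__ == "__main__":
    # Constructed sample: a strong external rating, but no tailored assessment yet.
    acme = VendorRisk("acme-logistics", external_rating=92)
    print("initial tier:", evaluate(acme))  # high: the rating alone does not clear it
    stream = [
        {"type": "assessment", "value": 85, "gaps": []},   # questionnaire completed
        {"type": "rating_update", "value": 95},            # rating improves: no tier change
        {"type": "incident"},                              # breach reported: tier jumps
    ]
    for alert in run_monitoring(acme, stream):
        print(alert)
```

The worst-of rule is the design choice worth noting: averaging the sources would let a good external rating mask a missing questionnaire or a recent breach, which is exactly the over-reliance the article warns against. The rating-improvement event producing no alert shows that monitoring should surface changes in decision, not every change in a number.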
Managing vendors throughout the relationship: Effective vendor management requires careful attention to access controls at all stages of the arrangement. During onboarding, organizations should implement a secure process for exchanging necessary information and granting appropriate system access. Equally important is the offboarding process when a vendor relationship concludes. Organizations must ensure that all sensitive data is accounted for, access permissions are promptly revoked, and any residual financial or informational risks are mitigated.
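The onboarding and offboarding controls described above come down to one question at the end of the relationship: does any system still hold an account the registry says should be gone? The following is an added example, not code from the article or from Aravo. It keeps a registry of time-bound vendor grants, marks them revoked at offboarding, and then reconciles the registry against the accounts the systems themselves report as live, flagging offboarded vendors that still have access, grants that quietly outlived their approval, and accounts nobody registered. Vendors, systems and the observed inventory are constructed sample data; the 90-day default grant lifetime is an assumed policy value.

```python
"""Vendor access lifecycle: time-bound grants at onboarding, revocation and
reconciliation at offboarding.

Added example, not code from the article or from Aravo. Vendors, systems and the
observed account inventory are constructed sample data; the 90-day default grant
lifetime is an assumed policy value.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class AccessGrant:
    vendor: str
    system: str
    role: str
    expires: date
    revoked: bool = False

    def live(self, today: date) -> bool:
        return not self.revoked and self.expires >= today


class VendorAccessRegistry:
    """Record of what each vendor was granted and whether the vendor is still engaged."""

    def __init__(self) -> None:
        self.grants: List[AccessGrant] = []
        self.status: Dict[str, str] = {}  # vendor -> "active" | "offboarded"

    def onboard(self, vendor: str, entitlements: List[Tuple[str, str]],
                granted_on: date, max_days: int = 90) -> None:
        # Every grant carries an expiry so access must be re-approved, not just forgotten.
        self.status[vendor] = "active"
        for system, role in entitlements:
            self.grants.append(AccessGrant(vendor, system, role, granted_on + timedelta(days=max_days)))

    def offboard(self, vendor: str) -> None:
        # Offboarding revokes every grant in the registry; whether the systems
        # actually dropped the accounts is checked separately by reconcile().
        self.status[vendor] = "offboarded"
        for g in self.grants:
            if g.vendor == vendor:
                g.revoked = True

    def reconcile(self, observed: Set[Tuple[str, str]], today: date) -> List[Tuple[str, str, str]]:
        """Compare accounts the systems report as live against what the registry permits.

        Returns (vendor, system, reason) findings for every residual account."""
        findings = []
        for vendor, system in sorted(observed):
            if self.status.get(vendor) == "offboarded":
                findings.append((vendor, system, "offboarded vendor account still live"))
                continue
            permitted = any(g.vendor == vendor and g.system == system and g.live(today)
                            for g in self.grants)
            if not permitted:
                # A non-revoked grant that is not live can only be past its expiry.
                expired = any(g.vendor == vendor and g.system == system and not g.revoked
                              for g in self.grants)
                reason = ("grant past expiry, re-approve or revoke" if expired
                          else "account with no registered grant")
                findings.append((vendor, system, reason))
        return findings


def demo() -> List[Tuple[str, str, str]]:
    """Constructed scenario: one offboarded vendor, one stale grant, one unregistered account."""
    reg = VendorAccessRegistry()
    today = date(2024, 9, 1)
    reg.onboard("acme-logistics", [("sftp", "upload"), ("crm", "read")], granted_on=date(2024, 8, 1))
    reg.onboard("globex-parts", [("erp", "supplier-portal")], granted_on=date(2024, 4, 1))  # expired by now
    reg.offboard("acme-logistics")
    # Constructed inventory as pulled from the systems themselves: the sftp account
    # was never actually deleted, the ERP grant outlived its approval, and a vendor
    # account exists that nobody registered.
    observed = {("acme-logistics", "sftp"), ("globex-parts", "erp"), ("initech", "vpn")}
    return reg.reconcile(observed, today)


if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep=" | ")
```

The point of reconciling against an inventory pulled from the systems, rather than trusting the registry's own revoked flag, is that the registry only records intent; the residual-risk check the article calls for has to be made against what is actually still live.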
It’s time to adapt the cybersecurity risk management playbook to tackle today’s evolving threat landscape. Millions of dollars, private data and public trust are at stake. Operational resilience hinges on a company’s ability to enhance the breadth and credibility of their risk intelligence, improve data sharing and threat visibility across departments, diversify their vendor network and continuously monitor their extended enterprise for new and evolving threats.