As I was perusing the news headlines on this Sunday morning for something to write on, it was the same usual headlines. This was hacked into, that was hacked into, all of these passwords were stolen, blah, blah, blah. While I am not trying to diminish the gravity of what has happened, there comes a time when you can only write so much about the same thing.
So, after more searching, I came across yet another interesting news story (yes, another survey) which reveals a troubling gap in the understanding of the real threats that take place in Corporate America. This will be explained further along in this blog.
According to a recent survey entitled the “BCI 2019 Horizon Scan”, it appears that Health and Safety incidents are the biggest source of financial losses for organizations, and in fact, they are getting even costlier than Cyberattacks.
The survey polled over 569 business entities from all over the world, and more details about it can be found at this link:
Also, for the first time since 2015, political uncertainty (especially as it relates to exchange rate volatility and the costs of borrowing) has also entered into the top ten list of potential risks that businesses and corporations face, along with Blockchain and Artificial Intelligence (AI).
But what is even more concerning, at least according to the survey, is that the gap between the perceived risks and the actual risks has widened greatly when compared to the previous year, 2018.
So, what am I getting at here? Well, let’s take the example of the C-Suite at XYZ Corporation. They understand that they could very well be prone to a Cyberattack, though nobody can predict with certainty whether this will actually happen or not. This becomes what is known as a Perceived Risk, because there is a strong belief that it could happen, but no actual financial loss has yet transpired.
But then on the other hand, there are also threats that are occurring quite frequently at the XYZ Corporation, of which the C-Suite is fully aware, and which are costing some real financial loss, such as the Health and Safety incidents that are transpiring on a frequent basis. This is what is known as a Real Risk, not only because it is really happening, but also because there is a negative impact that is occurring, primarily that of losing money.
But for some reason or another, the C-Suite is paying much more attention to the Perceived Risks rather than the Real Risks, and as mentioned, this difference is widening at an alarming pace. In fact, along with some of the other risks just mentioned, Cyberattacks have also entered into the top ten list of risks feared most by Corporate America; but the risks that are really happening have been completely underrated, and in fact, have barely even gotten any mention at all by the C-Suite.
Take for example again the Health and Safety Risks. According to the survey, on average, this costs Corporate America at least 7% off of the bottom line, with expenses coming in at over $1.2 Billion. But for some reason, this was rated as #12 on the risk list and ranked even lower than Cyberattacks. So, what is causing this widening difference, and how come the C-Suite is not paying as much attention to it?
Well apparently, it all comes down to the issue of what is a high profile attack. Apparently, the C-Suite is much more worried not just about the financial impact of a Cyberattack, but also the tarnished reputation it will leave behind for their organization.
For example, after a Cyberattack has occurred, more than likely, depending upon its degree of severity, it will be reported in the press, and from there, brand image will suffer, and more than likely there will be lost customers from all of this.
But on the other hand, unless it is a severe outbreak of some illness or disease, the Health and Safety issues that occur at organizations rarely get reported, thus they become a low-profile attack, and as a result, they get brushed away by the C-Suite. Unfortunately, it is this difference in media attention which is yet another driving factor for the widening gap in the Perceived Risks versus the Real Risks.
Plus, there is another huge reason for this. Ever since last year, and even going into 2019, the C-Suite has been getting constantly hammered about their lack of awareness of the Cybersecurity Threat landscape.
For example, CIOs and CISOs have either been getting fired, or taking large unpaid leaves of absence, if their organization has been hit by a Cyberattack. They are also just starting to be held to higher standards in this regard than ever before by their respective Boards of Directors.
As a result of this as well, the Real Risks are getting brushed aside. In other words, the C-Suite is going from one extreme to another. I am sure at one point the Real Risks were a big point of concern to them, but given the publicity and the notoriety that Cyberattacks have been recently getting, the scales have now tipped toward this extreme.
There has to be a level of equilibrium here. Yes, to me personally, I think it’s great that the C-Suite is finally, at last, being held accountable for beefing up the Cyber lines of defense at their organizations, but they also need to address the Real Risks, which are costing them some serious money, even if they are not deemed to be “high profile” enough.
There is a new term for this, and it is called achieving Organizational Resiliency: “Identifying not only the big risks but also the under-rated issues that may just seem ‘business as usual’ and can easily be missed.” (SOURCE: https://www.securitymagazine.com/articles/89877-health-and-safety-incidents-become-biggest-loss-driver-for-organizations).
Finally, this survey did bring out the importance for a business or a corporation of having a strong Disaster Recovery/Business Continuity plan in place: among the organizations polled that had one, financial losses decreased by well over 6%.