How to Shift Your Cybersecurity Focus from Breach to Impact (& Manage Risk)

The recent cyberattack against Sea-Tac Airport highlights a shift in the cybersecurity landscape—from focusing primarily on data theft and related fallout to understanding the real-world impact of service disruptions. Increasingly, cyber attackers are targeting essential services and critical infrastructure, seriously impacting governments, businesses, and consumers.

An Incomplete Cybersecurity Paradigm

Many organizations today focus on breach prevention, patching vulnerabilities, and threat modeling, overlooking the potential business impact of service disruptions deemed too improbable to consider, despite their potential to cripple business operations. When the hacker group Rhysida executed a ransomware attack on the Port of Seattle/Seattle-Tacoma International Airport (SEA), or Sea-Tac, they accessed computer systems and encrypted some data access. To block further malicious activities, Sea-Tac disconnected their systems from the internet but refused to pay the ransom. While an appropriate response, this also significantly impacted port services, including check-in kiosks, Wi-Fi, ticketing, the Port of Seattle website, baggage, reserve parking, and the flySEA app. 

Similarly, the ransomware attack on Colonial Pipeline resulted in a days-long shutdown, impacting consumers and airlines along the East Coast due to fears of gas shortages and jet fuel shortages. The DarkSide hacker group accessed the Colonial Pipeline network, stole 100 gigabytes of data and infected the network. Colonial Pipeline chose to pay for a decryption key that enabled the company to resume normal operations, but the business impact was still significant. The ongoing healthcare system breaches are even more disturbing. Recently, ALPHV Blackcat infiltrated Change Healthcare, stole six terabytes of data and crippled financial operations for hospitals, insurers, pharmacies, and medical groups across the country. This attack directly impacted patients, delaying prescription fulfillment and care scheduling. Change Healthcare and parent company UHG estimate the overall breach costs could exceed $1 billion, comprising cyber impacts, medical expenses, and substantial legal fees. 

Focusing on Business Impact

Each of these attacks highlights why organizations cannot concentrate exclusively on vulnerability management or the probability of an event. Attackers increasingly target service availability, not just data theft. While each of these cases involved data theft, data loss is only a small part of the problem. When key technologies, such as networks or supply chains, fail, the resulting business impact may be massive. For instance, the CrowdStrike outage impacted organizations worldwide, costing Fortune 500 companies $5.4 billion in damages. To prepare for and mitigate the impact of such incidents, organizations must assess how similar disruptions could affect business operations, revenue, and customer trust. Gartner’s Hype Cycle for Cyber-Risk Management emphasizes the need to assess the financial impact of disruptions when making decisions about security investments and resilience efforts. 

A Cost-Benefit Analysis

It’s time for organizations to adopt a cost-benefit analysis approach to risk and resilience that aligns all stakeholders, from CISOs to the Board of Directors. This analysis must include evaluating the costs of implementing security measures against the potential benefits and risk reductions they provide. This involves identifying direct (hardware, software, personnel, training, ongoing maintenance) and indirect costs (productivity impacts and opportunity costs) and weighing them against potential benefits, such as a reduced likelihood of a successful breach, lower potential losses from incidents, improved customer trust, and compliance with regulations. 

A cost-benefit analysis enables your organization to better prepare for service disruptions (even if the probability of a specific incident occurring is technically low). No organization is immune from disruption, whether due to a cyber breach, a severe weather event, a worker strike, or an issue with a software update or a cloud service provider. The only way to prepare for such events is to increase resilience in your organization. 

Resilience strategies require time and money, but are essential for mitigating the impact of cyber disruptions and other incidents. Such strategies help leaders understand the costs that will reduce the impact of an incident, what costs cyber insurance may cover, and the potential losses your business could incur.

Practical Steps to Strengthen Resilience

For organizations seeking to improve resilience to critical service disruptions, here are five steps to get started: 

1.Identify mission-critical and core business functions and cyber risks that could impact these functions. Look for:

• Which things drive value at your organization? 
• What assets support them? 
• What can’t your organization function without? 
• What data must be protected at all costs?

The answers to these questions help you identify your mission-critical functions and determine where gaps exist that put those things at risk.

2.Analyze your risks from a financial perspective. Once you have identified risk scenarios, you can begin the process of systematically measuring their potential impact, estimating their likelihood, and quantifying the degree organization’s susceptibility to a successful attack.

3.Respond to identified risks. Prioritize your controls to reduce the likelihood of a risk occurring or reduce the impact if it does occur. Deploy multiple techniques to transfer, avoid, or mitigate your risks, such as using a managed security service provider (MSSP), transferring risk through cyber insurance, or taking a business venture or assets offline because the risk exceeds your tolerance level.

4.Manage your risk over time. Continue refining your risk analysis by tracking ongoing risk reductions as your control sets become more mature and the threat landscape changes. 

5.Communicate your risks. Translate risks into business terms your organization understands, enabling alignment with key stakeholders about how security controls help the entire company.

These steps sound simple, but they offer your organization a way to examine where business functions have real vulnerabilities and decide how to best address them.

A Continuous Cyber Risk Journey

Shifting your cybersecurity focus from breach to impact requires your organization to adopt a comprehensive cyber risk management program. This is an ongoing process that begins with an assessment, using established cybersecurity frameworks to identify control gaps and create a system of record across various functions and locations. Using this information, you can quantify risk and prioritize your mitigation strategy based on the potential impacts on your business. This cycle continually repeats, with communication occurring at every step to keep stakeholders informed and aligned. This ongoing dialogue helps secure buy-in and budget approvals and is integral to making cyber risk management a dynamic, evolving journey rather than a one-time effort.