
Which cyber security attacks first come to mind? Often they’re connected to unpredictable events that have severe impact and consequences, like large data breaches or ransomware. These ‘high impact, low probability’ incidents are called black swan events.
These are the events that steal all your data or stop your business from operating. Media coverage of cyber attacks centres on them, and so does much of the cyber security industry: everyone focuses on the black swan events.
It’s understandable why they do… they have the potential to cause significant consequences. However, the less interesting day-to-day events get overlooked, because it makes for a more eye-catching headline when a company has thousands, or millions, of records stolen, or when a ransomware event affects hundreds of companies rather than just one.
Black swan events shouldn’t be the main thing you worry about: by focusing on the ‘worst case’ scenario, you can miss what your best case scenario is. This may mean you aren’t managing your risk appropriately, because you are excluding the everyday events from your focus.
How likely are they to happen?
Black swan events aren’t your everyday potential risks, but there are well-known ones that have happened in recent years. Think back to 2017, when the WannaCry ransomware attack became a worldwide cyber attack targeting Windows PCs.
From the general reporting on these events it can seem like they happen a lot; in reality they just generate a great deal of attention. WannaCry is still relevant and still comes up in conversation today, even though several years have passed since then.
Often in risk registers, the top risks are black swan events. Probability impact graphs encourage worst case analysis, where black swan events are grouped in the top right corner of the graph, where the severity of risk is critical. Yes, these types of events could have major consequences, but they’re not the most frequent events to occur. Although they are unpredictable, there are still ways to try to anticipate the likelihood.
Analysis of your industry and nature of work might put this at once every 10 years, or even less often. With industry knowledge and a look at your own past incidents you can begin to understand how frequently they might occur. For example, without good reasoning and analysis there’s no reason to put the probability of such an event at 50%, unless you’ve had a similar event occur within the last two years of your own operation.
A better way to analyse the risk of black swan events is by using quantitative analysis and visualising them using loss exceedance curves to have a more granular view of the risk.
Focusing on these events, especially if you consider them your biggest risks, means that you’re likely treating the risk by putting safeguards in place. But you need to consider the “everyday” risk events that have a greater chance of occurring.
How much do the everyday attacks cost you a year?
Think about the less sophisticated events like phishing, spyware, or data being sent to the wrong customer. These aren’t going to be worst case scenarios compared to a black swan event. But everyday attacks accumulate, and whether the cost is investigating whether an attempt succeeded or responding to the events that did, it adds up.
For example, consider a company of 500 people. An employee laptop is stolen on public transport. The employee reports it immediately to their security team and manager. Following internal procedures, the IT team is able to remotely wipe the device, reducing the risk of unauthorised access to any data stored on the laptop. Although there’s little to no investigation, a small amount of time/resourcing is used to wipe the device and procure a replacement.
We can estimate this costs a couple of hundred pounds in staff time, plus ~£1000 for a new laptop.
This isn’t an unusual or one-off incident, particularly now that a lot of work is conducted remotely. It wouldn’t be unheard of for this type of incident to happen once a month in a reasonably sized company.
So, multiply those estimated costs by once a month (they may even occur more frequently than that!), and you’re looking at somewhere potentially north of the ~£12,000 mark a year.
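The two estimates above (a once-in-ten-years event in the probability discussion, and the monthly laptop theft that accumulates to ~£12,000 a year) can be worked through in code. The example below is added here and is not Cydea’s code or part of its risk platform: it converts an event rate into an annual probability, computes an annualised loss, and runs a small Monte Carlo simulation to produce points on a loss exceedance curve. Both scenarios are constructed for illustration: the laptop figures follow the post, while the black swan scenario (rate, median cost and spread) is an assumption chosen only to show the contrast.

```python
"""Added example (not Cydea's code): quantifying everyday vs black swan risk.

Scenario parameters are constructed assumptions. The laptop scenario uses the
post's figures (~12 events a year at ~£1,200 each); the black swan scenario is
hypothetical (once every ten years, wide cost range) and is not Cydea's data.
"""
import bisect
import math
import random

# Constructed scenarios. "rate" is events per year (Poisson arrival rate);
# "median" and "sigma" describe a log-normal cost per event in pounds.
EVERYDAY = {"name": "laptop stolen, wiped and replaced", "rate": 12.0,
            "median": 1200.0, "sigma": 0.3}
BLACK_SWAN = {"name": "hypothetical ransomware outage (assumed figures)",
              "rate": 0.1, "median": 500_000.0, "sigma": 1.0}


def annualised_loss(events_per_year: float, cost_per_event: float) -> float:
    """Annualised loss expectancy: frequency multiplied by single-loss cost."""
    return events_per_year * cost_per_event


def annual_probability(events_per_year: float) -> float:
    """Chance of at least one event in a year if arrivals are Poisson.
    A 'once in ten years' rate of 0.1 gives ~9.5%, not 50%."""
    return 1.0 - math.exp(-events_per_year)


def _poisson(rng: random.Random, rate: float) -> int:
    """Draw an event count for one year (Knuth's method; fine for small rates)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(scenario: dict, years: int = 10_000, seed: int = 42) -> list:
    """Monte Carlo: for each simulated year draw how many times the scenario
    occurs and a cost for each occurrence, returning one total per year."""
    rng = random.Random(seed)
    mu = math.log(scenario["median"])  # log-normal with the given median
    totals = []
    for _ in range(years):
        occurrences = _poisson(rng, scenario["rate"])
        totals.append(sum(rng.lognormvariate(mu, scenario["sigma"])
                          for _ in range(occurrences)))
    return totals


def loss_exceedance(losses: list, thresholds: list) -> list:
    """Points on a loss exceedance curve: (threshold, P(annual loss > threshold))."""
    ordered = sorted(losses)
    n = len(ordered)
    points = []
    for t in thresholds:
        above = n - bisect.bisect_right(ordered, t)  # years strictly above t
        points.append((t, above / n))
    return points


def summarise(scenario: dict, thresholds: list, years: int = 10_000, seed: int = 42) -> dict:
    """Mean annual loss, chance of any loss in a year, and exceedance points."""
    losses = simulate_annual_losses(scenario, years, seed)
    return {
        "name": scenario["name"],
        "mean_annual_loss": sum(losses) / len(losses),
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
        "exceedance": loss_exceedance(losses, thresholds),
    }


if __name__ == "__main__":
    print(f"Laptop ALE: £{annualised_loss(12, 1200):,.0f} a year")
    print(f"P(once-in-ten-years event this year): {annual_probability(0.1):.1%}")
    thresholds = [0, 10_000, 25_000, 100_000, 1_000_000]
    for scenario in (EVERYDAY, BLACK_SWAN):
        s = summarise(scenario, thresholds)
        print(f"\n{s['name']}: mean £{s['mean_annual_loss']:,.0f}/yr, "
              f"some loss in {s['p_any_loss']:.1%} of years")
        for t, p in s["exceedance"]:
            print(f"  P(loss > £{t:>9,}) = {p:.1%}")
```

Running it shows the point of the post from both sides: the laptop scenario produces a loss in essentially every simulated year, so it belongs in the register as a near-certain recurring cost, while the black swan scenario produces a loss in roughly one year in ten and its exceedance curve tails out to large values. Comparing the two curves, rather than two dots on a probability impact grid, is what lets you decide where the next pound of control spend does the most good.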
Ignoring everyday attacks and potential risks can be costly if you’re overlooking what needs to be implemented or established to reduce the risk. The same goes for the way you approach the everyday risks: are they communicated to senior management and at board level? It’s important for the company to be aware of the likely risk, rather than only a risk that may appear in the next decade.
It’s about balance
It’s worth considering how you manage risks internally and what you see as your top risks. It’s not worth allocating all your resources to the black swan events. They’re unpredictable and sophisticated, so who knows if you’ll be affected or when, or even whether the controls and safeguards are adequate.
Review how you perform analysis and whether it’s distorting your view of risk. A good place to start is by understanding the differences between qualitative and quantitative risk analysis.
Balancing this by looking ahead to what your best case scenario is will help you make better informed decisions about your risks.
Cydea can help you to quantify, understand, and communicate your cyber risk through our risk analysis projects and our risk platform which makes CRQ accessible to SMEs, mid-market firms, and large enterprises alike.
Photo Credit: lewek Gnos