Should Organizations Be Operating Outside of Their Risk Appetite?

May 12, 2020

Business opportunities around the world have increased significantly as the online presence of individuals and businesses has increased during lockdowns enforced due to the novel coronavirus pandemic. But with added exposure comes added risk, and organizations should know where to draw what may be a new line in their risk appetite profiles, so they can maximize the benefits and weigh the amount of risk they are willing to take in the pursuit of their business objectives.

The worldwide lockdown of establishments due to the COVID-19 pandemic has caused a spike in online activities as more and more individuals work from home and organizations embrace new challenges in managing business and information security. Consequently, cybercriminals are also having a field day, leveraging the trending news on the pandemic to spread spam, malware and sophisticated attacks targeting individuals and businesses alike.

Understanding Risk Appetite

ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization (ISO). This framework defines risk appetite as the amount and type of risk that any business organization is prepared to take, retain or pursue to achieve the objectives of its strategic plan.

Fundamentally, cyber risk appetite is the level of tolerance that an organization has for risk. Cyber risk appetite has two aspects. One is in understanding how much risk the business entity can take. The second aspect is the budget that the organization is willing to spend on managing that risk.

These aspects of managing risk in accordance with business objectives are heavily affected by a situation like a worldwide pandemic. With billions of people working from home, companies are more exposed to risk than ever, and that change has to be analyzed so that the risk appetite assessment can be reviewed.

Time to Reassess Organizational Risk Appetite

Risk is an ever-evolving concept. As our world, and the way we work, changes during the current circumstances, businesses should understand the types of cyberthreats they could encounter and the risks these threats can pose in times of emergencies. Here are two examples of recent cyberattacks that can help organizations understand why they need to reassess their risk appetite as part of dealing with the new situation.

  • There has been a recent surge in business email compromise (BEC) fraud. Reported cases note cybercriminals using Gmail or Office 365 accounts to deliver phishing and malware emails with fraudulent invoices. These invoices would seem to originate from legitimate vendors, but contain altered payment wiring instructions that lead victimized organizations to unwittingly pay money into the cybercriminal’s account instead of their actual vendor.
  • Ransomware attacks have also seen an upsurge during the pandemic. The Maze ransomware group, for example, hacked into the information network systems of Hammersmith Medicines Research (HMR), infecting them with ransomware. HMR works on coronavirus vaccines, making its data and intellectual property all that much more critical in these times. Maze’s operators threatened to publish the personal details of patients from HMR’s research base if the organization refused to pay a ransom and proceeded to publish those records after HMR declined to pay.

Unfortunately, Maze is not the only organized gang that has been taking advantage of the situation, with a variety of cybercrime groups targeting the healthcare sector throughout the ongoing pandemic.

With the heightened pressure to operate remotely through the crisis, and with certain sectors becoming even more critical than ever, risk profiles are changing rapidly as threats and motivated attackers drive a rise in attacks across the globe.

The Big Question: Should Organizations Be Operating Outside of Their Risk Appetite?

Increased opportunity can also bring a corresponding increase in new threat vectors and risk factors. Understanding the following risk-augmenting challenges can help organizations assess their evolving business continuity needs and make an educated decision on how to stay close to their everyday risk appetite.

Emerging Threats and Risks

Malicious actors are always on the lookout for sophisticated ways to target business organizations. The lockdown due to COVID-19 has helped them in many ways owing to more people working from home, using less-protected networks to connect to corporate resources, modifying user behavior patterns, and connecting from various places and devices. This, combined with reduced availability of IT support staff in offices, can lead to a considerable rise in risk.

Staff Shortages: A Significant Risk Organizations Must Be Prepared For

One of the prime reasons for the surge in risk from cyberattacks is staff shortages in IT security. Most organizations are working with a skeletal on-site staff; hence, it becomes a challenge to provide adequate security operations and ongoing support to employees.

This risk profile can be on the higher side when compared to working under normal conditions with most employees and support staff located on company sites. Under such circumstances, organizations should exercise extra caution and redefine their risk appetite, define tools they want employees to use while working remotely, revise the corresponding budget and reassess the controls they have in place to mitigate as much risk as possible.

Higher Risk Due to Using Third-Party Video Conferencing/Online Communication

With more people resorting to working from home, video conferencing has become a vital tool for communication. Apps such as Zoom and Microsoft Teams have become popular, with more organizations using them to conduct business meetings online. However, these apps have some unpatched vulnerabilities that could end up compromising organizational networks and confidential data.

Risks Due to Increased Phishing and Other Social Engineering Attacks

Many business organizations are anticipating government-issued tax rebates and a moratorium on their loan installment payments. Cybercriminals can take advantage of these relief measures by sending more targeted, contextual phishing emails to trick employees into opening malicious emails or parting with confidential data. Statistics from IBM X-Force show a 6000 percent increase in COVID-19-related spam since March 11, when the World Health Organization (WHO) declared COVID-19 a pandemic.

Risks Due to Third-Party Service Providers, Vendors and Contractors

Going beyond the use of third-party applications, third-party vendor risk includes operational, transactional and regulatory risks even in normal conditions. These risks become more significant when organizations operate in emergency mode, which can lengthen response and remediation times.

  • Operational risks include failed procedures, employee errors, fraud or any other event that can disrupt business processes.
  • Transactional risks can arise due to problems related to service delivery, online transactions, etc.
  • Regulatory risks can involve security breaches affecting customer information due to the violation of the compliance norms by third-party vendors.

The reduced staff strength and lack of adequately secured networks for employees who work from home can result in business entities potentially exposing their network systems to a considerably higher amount of risk. One can argue that businesses have to take every opportunity that comes their way during these times; however, they should also be aware of their risk appetite and operate accordingly to protect their information assets and to emerge from the crisis with the least amount of impact possible.

The Big Question Answered: Many Organizations May Already Be Operating Outside of Their Risk Appetite

Businesses should take a balanced approach to operating through the crisis and assessing new opportunities that can also bring new risks with them. Here are some points on how businesses can balance their overall approach and adjust their risk appetite to the evolving situation:

  • With many businesses temporarily shutting down, the marketplace presents an ideal opportunity to attract new clients, especially for SMBs. But before jumping on every new opportunity, businesses must also consider any risks that could counter the benefits. This is a time to train employees to observe strict security norms, watch out for phishing and email-borne attacks, and confirm they are working on secured virtual private network (VPN) servers and using authorized devices/applications as supplied by their IT departments.
  • This time of potentially lower business activities is a perfect time to reassess and ramp up security controls, policies and procedures. It can also be a good time to patch systems across the board, modernize equipment and review asset inventories, which can make it easier to mitigate cybersecurity risks during and after the pandemic. The result can be an actual reduction in risk, which could balance the rising risks from external sources.

The reasoning behind these recommendations is that businesses should not take undue risks during such emergencies because:

  • Reduced staff strength is a significant liability, as businesses may not be in a position to monitor employee activities accurately, particularly if they work from home, adding privacy and security risks to the mix.
  • Financial business transactions are lower in volume right now for many organizations. Losing more money due to avoidable security breaches would not be a financially prudent thing to do.
  • Expanding your information infrastructure without proper analysis and controls may result in an increased attack surface or unearth new vulnerabilities that malicious actors are on the constant lookout for.

Continuing to Manage Risk, Adapting to a New Reality

Organizations can reap certain benefits by taking a balanced approach to managing operations through the pandemic by avoiding the risks they can avert. At the same time, they should be ready to manage the risks that come with increased online activity.

Risk management is like walking a tightrope, and one compromised control can have a ripple effect on the business’s overall security, with potential breaches costing dearly in terms of reputation or financial losses. Organizations must be well aware of where their risk appetite is and what to look out for when new ventures go beyond that line. This thinking can enable organizations to better balance the risk portfolio and still achieve business objectives.

Adeeb Rashid
Security Strategy, Risk and Compliance Consultant, IBM

A cyber security consultant with more than 5 years of experience in IT and security with clients mainly in the Financial Services industry. Adeeb has deliver...