Category Archives: Technology Risk

Want to scan your crypto wallet for risks? Check: AML crypto BTC, USDT, ETH. Checking cryptocurrency wallets for dirty money.

5 Questions Boards and the C-Suite Should Be Asking About Cyberrisk

Posted on by

There is growing concern that corporate boards and senior executives are not prepared to govern their organization’s exposure to cyberrisk. While true to some degree, executive management can learn to identify and focus on the strategic and systemic sources of cyberrisk, without becoming distracted by complex technology-related symptoms, by understanding the organization’s ability to make well-informed decisions about cyberrisk and reliably execute those decisions.

Making well-informed cyberrisk decisions

To gain greater confidence regarding cyberrisk decision-making, executives should ensure that their organizations are functioning well in two areas: visibility into the cyber risk landscape, and risk analysis accuracy.

1. “How good is our cyberrisk visibility?”

You can’t manage what you haven’t identified. Many companies focus so strongly on supporting rapidly evolving business objectives that they lose sight of closely managing the technology changes that result from those objectives. Consequently, it is common to find that organizations have an incomplete and out-of-date understanding of:

  • Their company’s network connectivity to other companies and the Internet
  • Which systems, applications, and technologies support critical business functions
  • Where sensitive data resides, both inside and outside their company’s network

Without this foundational information, an organization can’t realistically claim to understand how much cyberrisk it has or where its cyber risk priorities need to be.

2. “How accurately are we analyzing cyberrisk?

buy keflex online azimsolutions.com/wp-content/uploads/2023/10/jpg/keflex.html no prescription pharmacy

It is common to find that over 70% of the “high-risk” issues brought before management do not, in fact, represent high risk. In some organizations more than 90% of “high risk” issues are mislabeled. When it comes to analyzing cyberrisk, several foundational challenges exist in many organizations:

Nomenclature

How anxious would you be to ride on a space shuttle mission if you knew that the engineers and scientists who planned the mission and designed the spacecraft couldn’t agree on definitions for mass, weight, and velocity?

Odds are good that if you ask six people within your risk management organization to define “risk” or provide examples of “risks” you’ll get several different, perhaps very different, answers. Given this, it isn’t hard to imagine that risk analysis quality will be inconsistent.

Broken models

In the cyberrisk industry today, there is heavy reliance on the informal mental models of personnel. As a result, very often the focus of a “risk rating” is strongly biased on a control deficiency rather than a more explicit consideration of the loss scenario(s) the control may be relevant to. Without applying a probabilistic lens to risk analysis it is much more difficult to differentiate and prioritize effectively among the myriad loss events that could, possibly, happen.

buy tenormin online azimsolutions.com/wp-content/uploads/2023/10/jpg/tenormin.html no prescription pharmacy

Another challenge is that most technologies that identify weaknesses in security generate significantly inflated risk ratings. The outcome is wasted resources, unwarranted angst, and an inability to identify and resolve the issues that truly deserve immediate attention.

Although risk management programs within some industries have begun to examine and manage the risk associated with poor models, this focus is often limited to models that do quantitative financial analysis. This leaves unexamined:

  • The mental models of risk professionals and whether their off-the-cuff risk estimates are accurate
  • Home-grown qualitative and ordinal models
  • Models embedded within cyberrisk tools

Yet these models, with their implicit assumptions and weaknesses, are responsible for driving critical decisions about how organizations manage their cyber risk landscapes.

Reliable execution

Although risk management expectations and objectives are set through decision-making, execution is the deciding factor on whether the organization is able to consistently realize the intended outcomes.

3. “How well do personnel understand what’s expected of them?”

In one organization, the information security policies were written at a grade 21 level. Most organizations today have some form of information security policy and related standards, and many even require personnel to read and acknowledge those policies annually. Very often however, the policies have been written by consultants or subject matter experts using verbiage that is complex and/or ambiguous. As a result, personnel may dutifully read and acknowledge the policies but they may not have a clear understanding of what actually is expected of them.

4. “How capable are personnel of meeting expectations?”

Things change. When budget belts get tightened organizations often cut training budgets. Given the rapid pace of change in the cyberrisk landscape, this can create serious skills gaps for cyberrisk professionals and technologists.

Another challenge in this regard has to do with outdated technology. Many organizations hang on to technologies well beyond the point where they can be maintained in a secure state. As a result, “policy exceptions” for these technologies become routinely accepted, which limits the ability of the organization to achieve or maintain its own security objectives.

5. “How well are personnel prioritizing cyberrisk?”

Which is more important; revenue, budgets, deadlines, or cyber risk?

Root cause analyses performed on cyberrisk deficiencies have found that personnel routinely choose not to comply with cyberrisk policies because they believe revenue, budgets, and/or deadlines are more important. This is influenced in part (perhaps a significant part) by the challenges noted above regarding risk-rating inaccuracies. It isn’t unusual to find that overestimated risk ratings create a “boy who cried wolf” syndrome within organizations. The result is that organizations don’t consistently or meaningfully incentivize executives to achieve cyberrisk management objectives because there is tacit recognition that much of what is claimed to be high-risk is not. Another factor is that revenue, cost, and deadlines are measureable in the near-term, whereas many high-impact risk scenarios are less likely to materialize before they become “someone else’s problem.”

The bottom line is that prudent risk-taking is only likely to occur if executives are provided accurate risk information and if they are appropriately incentivized based on the level of risk they subject the organization to.

At the end of the day…

Effectively governing cyberrisk is within the grasp of senior executives who deal with complex and dynamic challenges every day. By examining their organization’s ability to make well-informed decisions and to execute reliably, senior executives can more effectively identify and address the strategic and systemic sources of risk within their organizations.

buy amoxil online azimsolutions.com/wp-content/uploads/2023/10/jpg/amoxil.html no prescription pharmacy

Cybersecurity, Product Recall and Drones Top List of Emerging Casualty Risks

Posted on by

The cybersecurity insurance industry is booming, with demand for this specialty coverage vastly outpacing any other emerging risk line, according to a new survey by London-based broker RKH Specialty. In fact, 70% of the insurance professionals surveyed listed cyber as the top casualty exposure.

buy fluoxetine online https://www.rhythmedix.com/wp-content/uploads/2023/10/jpg/fluoxetine.html no prescription pharmacy

The brokers, agents, insurers and risk managers RKH queried after April’s RIMS 2015 conference said their top casualty concerns after cyber are product recall and drones (11% each), with others including e-cigarettes, autonomous vehicles and telematics totaling only eight percent.

RKH Specialty Study Graph

“Losses stemming from cyber-related attacks and business interruption can be catastrophic for individual businesses,” said Barnaby Rugge-Price, RKH Specialty’s CEO.

“Healthcare and retail have been the major buyers in the cyber space to date but we are seeing an increasing conversion rate across the whole of our portfolio. After a number of years of looking at the offering, clients are increasingly deciding to purchase the cover as the product has improved and the frequency of attacks has continued to increase. There has also been a heightened focus on the business interruption aspect, where cyber attacks can cause whole facilities to shut down. But whether cyber related or not, any interruption to the supply chain can cause a disproportionate loss. The survey highlights the importance of specialist insurance for a whole host of emerging risks.”

Turning specifically to property exposures, supply chain disruption was identified by 61% as the top risk, followed by flood (30%) and tornadoes (9%). The findings reflect a growing recognition of the potential exposures that longer and more complex supply chains introduce, the firm said.

The brokerage also asked insurance professionals what they think clients are and will be most concerned about when evaluating a broker’s service, and in turn, what brokers will need to focus on to stay competitive. They predict:

RKH Specialty broker service

Measuring Risk: Why We Need Standards for Continuous Monitoring & Assessment

Posted on by

Continuous monitoring on its own is great for the detection and remediation of security events that may lead to breaches. But when it comes to allowing us to measure and compare the effectiveness of our security programs, there are many ways that simply monitoring falls short. Most significantly, it does not allow us to answer the question of whether not we are more or less secure than we were yesterday, last week or last year.

This is a question that we all have grappled with in the security community, and more recently, in the board room. No matter how many new tools you install, settings you adjust, or events you remediate, there are few ways to objectively determine your security posture and that of your vendors and third parties. How do you know if the changes and decisions you have made have positively impacted your security posture if there is no way to measure your effectiveness over time?

In recent years, solutions have emerged in the market which bring to light new potential from continuous monitoring and enable organizations to not only identify and remediate security issues, but also answer questions about security performance and effectiveness. Through the analysis of historical data, performance rating solutions allow organizations to quickly and objectively compare their effectiveness over time as well as to their industry and peers. The ratings are generated through the continuous collection of security data, including events, user behaviors and configurations, and updated on a daily basis. Higher ratings indicate better security performance, and users receive alerts when ratings change significantly. The ease with which these ratings can be accessed means organizations can leverage performance ratings in a number of ways that go far beyond threat detection.

For example, using ratings in vendor selection can help organizations choose and negotiate with secure partners from the beginning of business relationships. They have access to information that can show how performance over time has varied, as well as if there have been prior security incidents or breaches worthy of further investigation. Using ratings for vendor management encourages all parties to be proactive and transparent in their security practices, thus helping to improve overall performance.

There are other third party transactions where continuous security performance ratings can help, such as in underwriting and negotiating cyber insurance premiums as well as making strategic M&A decisions. Performance ratings provide context that is lacking from other assessment methods, as ratings are based on evidence of security outcomes and the criteria for both assessment and rating is congruent between networks.

However, the value in this metric isn’t simply in providing a number; the value is in its potential to become a standard that organizations can objectively benchmark themselves and their third parties against. Many organizations have their own methodologies to assess security risk, relying on auditors, compliance certificates, questionnaires and multiple frameworks for qualitatively, and in some ways quantitatively, measuring their risk. But if we’re all using different frameworks and methodologies, the ability to compare and contrast is lost, and objectivity comes into question. The lack of a standard in this area has lead to ambiguity when it comes to defining what “good security performance” actually looks like.

Of late, legislators and regulators have been pushing organizations to show that they are monitoring security risks across the business ecosystem and taking responsibility for the performance of their vendors as well. There has also been additional pressure placed on board members and executives to demonstrate awareness and oversight of security performance at all times.

HIPAA, PCI and OCC guidelines have all added language around vendor selection and management, requiring more frequent assessments and in some cases, naming liability if a vendor falls out of compliance. One thing these updates don’t include is specific guidelines for how and what to assess in network security ecosystems. This means it is up to the individual to interpret guidance, which may result in inconsistent (and often biased) assessments.

If regulators and lawmakers want to simplify risk management, they could make great strides by adopting and enforcing a set of measurement standards that could span industries and bring transparency to security practices in all organizations. To overcome the lack of awareness and bias in security performance assessments, continuous performance monitoring provides a significant advantage because it is outcome based rather than control based. Because of this, continuous assessment methodologies can answer the age old questions of how am I doing compared to my industry and my peers? Am I safer now than I was before?

Creating a Risk Intelligent Organization

Posted on by

Many organizations spend time and effort building and developing robust risk mitigation frameworks and strategies to handle business-specific risks. In spite of constant monitoring through dashboards and reports, many companies still face major and unexpected issues. One of the main reasons for shortfalls in risk management is the general attitude towards risk mitigation. Although companies are well-prepared with an infrastructure in place, they often struggle when cultivating a sense of risk awareness, responsibility and intelligence into and across the fabric of an organization, which results in gaps and deficiencies.

Every organization realizes the significance of risk intelligence, but they frequently face issues in the initial stage of their transition. Developing a risk culture is frequently viewed as just a requirement to be fulfilled rather than something that adds value to an enterprise. Without a clear agenda, many companies find it impossible to cultivate risk-taking capabilities into its employee base.

Risk intelligence demands that every individual in an organization take responsibility for managing risks in the day-to-day operations. Senior management should assess the existing risk management strategy and gauge its effectiveness in alleviating risks as well as developing awareness throughout the organizational structure.

Factors Influencing Risk Culture

For a smooth journey in risk intelligence, the senior management has to be completely aware of the levers influencing risk-taking behavior of their employees. Some of the major factors that impact smart risk-taking decisions include talent management, training and education, qualification of staffs, incentives, leadership at the top of the organizational hierarchy, and the ability of an organization to take risk-based decisions.

To develop a risk-intelligent structure in business enterprises, organizations should perform a thorough assessment. This can be achieved by setting up objectives, conducting surveys and interviews, analyzing gaps, prioritizing actions, incorporating recommendations and keeping track of the effectiveness of the strategy.

buy vilitra online physiciansalliance.com/wp-content/uploads/2022/08/pdf/vilitra.html no prescription pharmacy

Comparing the existing culture against other influential factors such as governance, policies and procedures, competence, relationships, performance, and accountability will help the top management understand the current state of culture and the level of contribution of existing risk initiatives to create a positive impact on the business’s risk culture.

Conducting gap analysis around the influential factors will offer a better understanding of what needs improvement. To create an effective risk culture and make it work successfully to the benefit of an organization, management should continuously improve it to fit the changing business objectives and requirements.

Strengthening Risk Culture through Technology

Leveraging technology to create a centralized framework for capturing risks and organizing data elements will strengthen the risk culture to a greater extent. A risk management framework should speak a common language that is well understood throughout the organization, including stakeholders. Developing a technically assisted risk management strategy will eliminate the most common challenges faced by an organization.

A centralized data model will aid in managing risks that may arise due to external and internal events. It will also give the organization a top-down view of the business goals, global risks and controls associated with it.  A common risk environment enables effective monitoring and reporting of the gaps and risks using heat maps, dashboards, and charts. This will enhance the organization’s risk intelligence by providing real-time visibility into scores, its risk appetite, as well as limitations towards risks.

Risk and security officers will be able to get a better picture through trend analysis and obtain useful insights. A flexible framework that is developed on the basis of industry standards will provide a strong foundation for risk intelligence and aid in timely capture and categorizing of risks and initiate appropriate corrective actions.

Key Elements of a Risk Intelligent Organization

  • A risk intelligent organization follows a unified and standardized risk framework that speaks the same language across the entire organization. A framework that follows a common language is easy to understand and helps mitigate risks in a timely manner, thereby driving value.
    buy zithromax online physiciansalliance.com/wp-content/uploads/2022/08/pdf/zithromax.html no prescription pharmacy

  • Successful creation of risk intelligence defines roles, responsibilities, and the hierarchy structure in an enterprise.
  • A centralized framework will also bolster support to business operations and a wide array of functions.
  • Creating risk intelligence will enhance performance and accountability.
    buy spiriva inhaler online physiciansalliance.com/wp-content/uploads/2022/08/pdf/spiriva-inhaler.html no prescription pharmacy

  • A risk intelligent organization will be able to strike a perfect balance between risk and reward.
  • Risk intelligent architecture offers the executive management, board members, stakeholders, and audit committees the ability to effectively perform their duties by promoting a greater level of transparency. Executive management is assigned with the task of developing, incorporating, and maintaining a robust and efficient risk management strategy and improvise it on a regular basis it to fit the changing requirements.
  • Business units are obligated to monitor the performance of their respective units and their approaches to managing risks as specified by the risk management and independent assurance functions, as well as oversight from executive management.
  • In a risk intelligent organization, finance, legal, HR, and IT units offer support to the individual departments in the organization in their efforts to mitigate risks.

The role of the internal audit is assigned with providing independent and unbiased assurance to the senior management by assessing the efficiency of the risk management practices and finding ways to enhance those strategies.