In my previous post about cyber risk, we talked about its pervasiveness. We recognized that most businesses will not be able to entirely prevent a breach—and should instead focus on resiliency, or “bounce-back-ability” in the face of cyber threats.

One question to consider is, where might these threats come from? I think we all have in our minds some visual picture of a hacker, sitting in a dark room in front of a PC, working their way into someone’s system.

In fact, as I described in my RiskMinds conference presentation, threats reside in multiple places and many are external, including:

  • The “lone wolf” hacker—that character we envision sitting at a PC
  • The “hack-tivist,” someone with a political gripe or a protest to make against an enterprise
  • Nation-state attackers, sometimes engaged in old-fashioned espionage—the US Navy, for example, defends against some 110,000 hits per hour[1]
  • Organized criminals, who are primarily after monetary gain

What businesses can overlook is the equally dangerous internal threat to their cybersecurity. An enterprise may spend significant time building walls and digging moats for protection—but only minimal time vetting and educating employees, or putting internal controls in place.

Like the external threat, the internal threat is multi-dimensional. Often it’s as basic as a disgruntled employee who is stealing data for some extra cash on the side. But leaks can be inadvertent, such as employees carelessly putting data onto a thumb drive that they subsequently lose.

Social media opens many gaps as well. Whether through a game like Candy Crush™ or a service like Twitter®, these platforms bring with them cracks and openings that can be exploited.

The cyber resilient way to address both internal and external threats centers around building a strong risk culture, and supporting it with appropriate controls. If an auditor understands that using a social networking website can expose the company, if she is aware of the precautions to take to keep the business safe, and if she’s committed to the company and its culture, resilience is a step closer to hand.

In my next post, we’ll take a closer look at building cyber resilience.

[1] “US Navy Hit by 110,000 Attacks Per Hour,” eSecurity Planet, December 6, 2012. Access at:
