Blogs
Cloud Security Risks in 2025: What You Need to Know to Stay Safe
- IT Risk & Cyber Risk
- 02 May 24
8 min read
Introduction
As technology rapidly develops, the cloud has become synonymous with convenience, scalability, and cost-effectiveness in data management and operations for businesses worldwide. However, this evolution comes with its own set of vulnerabilities – cloud security risks.
Cloud security risks are potential vulnerabilities or weaknesses in the cloud infrastructure that could be exploited by cyber attackers, leading to unauthorized access, data breaches, service disruptions, and compliance violations. The challenges are exacerbated by an organization’s reliance on multiple, diverse, and complex cloud environments.
The management and assessment of these cloud security risks often require collaboration among various teams, including security operations, risk management, DevOps, and IT teams. They need to continuously monitor the cloud infrastructure, assess associated risks, implement mitigation measures, and report the data and insights to the CISO.
Before diving deeper, it's crucial to differentiate between risks, threats, and challenges in the context of cloud security.
- A risk is the potential for a threat to exploit a vulnerability, adversely impacting the organization.
- A threat is anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.
- A challenge encompasses the difficulties in securing the cloud environment, ranging from technical issues to regulatory compliance and skill gaps.
Understanding these definitions lays a clear groundwork for appreciating the complex landscape of cloud security and its implications for businesses leveraging cloud technology. This blog delves into the top cloud security risks, threats, and challenges that risk and security teams need to closely monitor.
Top 5 Cloud Security Risks
Here are the top five cloud security risks faced by organizations today:
Misconfiguration and Inadequate Change Control
One of the most pervasive cloud security risks is misconfiguration. As cloud environments become more complex and intertwined, the chances of leaving a virtual door open increase. Misconfigurations can occur at any level – from storage buckets set to public without intention to unsecured API endpoints, or improper security group settings. These missteps provide easy entry points for attackers.
Organizations often underestimate the importance of continuous vigilance and expertise required to maintain cloud configurations properly. Without adequate change control mechanisms and regular configuration audits, accidental exposure of sensitive data or resources becomes a looming risk.Insecure Interfaces and APIs
APIs and interfaces are the linchpins of cloud services, offering the means for users to interact with cloud services and for services to communicate among themselves. However, these are also prime targets for attackers due to their accessibility. Insecure APIs can lead to unauthorized access, data leakage, and service manipulation.
Ensuring API security necessitates rigorous access controls, encryption in transit and at rest, and regular audits to identify and rectify vulnerabilities.Account Hijacking
Cloud services often centralize access to resources under specific user accounts or identity credentials. If an attacker successfully hijacks these credentials, they can access sensitive data, disrupt services, and leverage the cloud resources for malicious purposes, such as launching further attacks.
Furthermore, account hijacking can lead to identity theft, financial fraud, and reputational damage for the affected organization. The ramifications of account hijacking extend beyond the immediate breach, as attackers may exploit compromised accounts for prolonged periods, causing persistent harm to the organization's operations and integrity.Insider Threats
The human element remains one of the most unpredictable variables in cloud security. Insider threats can range from negligent employees unintentionally exposing data to malicious insiders intentionally sabotaging systems or stealing information.
Given the access privileges necessary for certain roles, insiders can cause significant damage or data loss. The inherent trust placed in employees with elevated access privileges makes them potent vectors for insider threats, as they possess the capability to inflict significant damage or loss of data within the cloud environment.Data Breaches and Data Loss
Data breaches and data loss represent critical cloud security risks that can have severe consequences for organizations. Whether due to malicious attacks, accidental exposure, or insider threats, the compromise of sensitive data can lead to significant financial losses, reputational damage, and regulatory penalties.
Data breaches occur when unauthorized parties gain access to sensitive information stored in the cloud, resulting in theft, manipulation, or exposure. On the other hand, data loss refers to the unintentional destruction or unavailability of data, often due to system failures, human error, or natural disasters.
5 Recent Cloud Security Threats
Here’s a look at five recent cloud security threats that organizations across industries have been exposed to:
Zero-Day Exploits
Zero-day exploits refer to vulnerabilities in software or hardware that are unknown to the vendor and, therefore, have no patch or fix available. These vulnerabilities pose a significant threat to cloud security as attackers can exploit them to launch targeted attacks without detection. Since there is no prior knowledge of these vulnerabilities, organizations are often caught off guard, leaving their cloud environments vulnerable to exploitation.
Zero-day exploits enable cybercriminals to bypass traditional security measures, gaining unauthorized access to sensitive data or compromising cloud infrastructure.Cyberattacks
Cyberattacks encompass a broad range of malicious activities perpetrated by threat actors with the intent to compromise cloud security and disrupt business operations. These attacks can take various forms, including malware infections, phishing campaigns, ransomware attacks, distributed denial-of-service (DDoS) attacks, and man-in-the-middle (MitM) attacks.
Cybercriminals target cloud environments due to their rich troves of data and interconnected infrastructure, making them lucrative targets for exploitation.
Depending on the nature and sophistication of the attack, cyberattacks can result in data breaches, financial losses, reputational damage, and regulatory fines.Inadequate Identity and Access Management (IAM)
Effective Identity and Access Management (IAM) is the cornerstone of robust cloud security. However, inadequate IAM policies pose a significant threat, leading to unauthorized access and potential insider threats.
As organizations expand and embrace hybrid work environments, managing who has access to what becomes exponentially complex. This complexity is further exacerbated by the sheer volume of users, devices, and third-party vendors requiring access to cloud resources.
Inadequate IAM can result in excessive permissions, where users have more access rights than necessary, significantly increasing the risk of data exposure or loss should those credentials be compromised.Advanced Persistent Threats (APTs)
APTs represent a sophisticated, high-level threat wherein an attacker gains unauthorized access to a network and remains undetected for an extended period. The cloud environment, with its vast resources and data, is an attractive target for APT groups. These adversaries use advanced techniques to bypass traditional security measures, leveraging the cloud to infiltrate networks and exfiltrate sensitive information stealthily.
APTs can cause significant financial and reputational damage to organizations.
The complexity and frequency of these attacks are expected to increase, emphasizing the need for advanced threat detection and response strategies in the cloud ecosystem.Data Security Non-Compliance
Data security non-compliance refers to the failure of organizations to adhere to regulatory requirements, industry standards, or internal policies governing the protection of sensitive data in the cloud.
Non-compliance can result from inadequate security controls, improper data handling practices, or a lack of awareness regarding data protection obligations. Failure to comply with data security regulations such as GDPR, HIPAA, or PCI DSS can have severe consequences, including legal penalties, financial sanctions, and reputational damage.
Moreover, data breaches resulting from non-compliance can erode customer trust and confidence in the organization's ability to safeguard their personal information.
Top 5 Challenges in Cloud Security
Organizations face a number of challenges in their effort to strengthen the security of their cloud environment. Here are the top five challenges:
Lack of Cloud Security and Skills
One of the biggest challenges that organizations face in cloud security is the lack of knowledge and skills required to implement and maintain robust security measures. In most cases, companies do not have dedicated security teams for cloud infrastructure, which leads to a lack of awareness of potential risks and security vulnerabilities. Furthermore, companies often struggle to find qualified personnel to fill security roles due to the ongoing shortage of skilled cybersecurity professionals.
Shadow IT
Shadow IT refers to the use of unauthorized applications and services by employees without the knowledge or approval of the IT department. This practice is becoming increasingly common, and it poses significant risks to cloud security. Shadow IT often circumvents security controls and creates security vulnerabilities. Companies often have limited visibility and control over these applications, which can result in a lack of control over sensitive data.
Identity and Access Management
Organizations must implement access controls to regulate the flow of information within and outside the organization. Unfortunately, access management can be challenging to implement in a cloud environment where users and applications can access resources from multiple locations. Misconfiguration, weak passwords, and authentication failures are common vulnerabilities that cyber attackers leverage to compromise systems.
Managing a Rapidly Evolving Attack Surface
The dynamic nature of cloud environments, characterized by frequent updates, deployments, and configuration changes, creates new opportunities for cyber attackers. Traditional security measures designed for static on-premises environments may prove inadequate in the face of these dynamic threats. Also, the increasing adoption of DevOps practices and continuous integration/continuous deployment (CI/CD) pipelines further amplifies the challenge by accelerating the pace of change.
Multi-Cloud Security
The adoption of multi-cloud environments, where organizations utilize services from multiple cloud providers, introduces unique security challenges. Managing security across diverse cloud platforms requires a comprehensive understanding of each provider's security offerings, compliance requirements, and integration capabilities. Moreover, interoperability issues, data migration challenges, and differences in governance models between cloud providers can complicate security management efforts.
Tips to Strengthen Cloud Security
Here are the key measures that organizations need to implement to strengthen their cloud security posture:
- Adopt Data Encryption Practices: Encrypt your data at rest and in transit. Utilizing strong encryption algorithms helps safeguard your data from eavesdropping and unauthorized access, ensuring that even in the event of a data breach, the information remains unintelligible to the attackers.
- Regularly Monitor and Audit Cloud Environments: Continuous monitoring of your cloud environment can alert you to unauthorized activities and potential vulnerabilities. Implementing automated security solutions can help in the early detection of anomalies and enable prompt response to mitigate risks.
- Adopt a Zero-Trust Security Model: Operate under the assumption that threats can originate from anywhere, and nothing should be trusted implicitly. A zero-trust approach necessitates strict identity verification for every person and device attempting to access resources in the cloud, providing a more granular level of security control.
- Embrace a Culture of Security Awareness: Human error remains one of the weakest links in cloud security. Educating your workforce about phishing schemes, safe online practices, and the importance of using strong passwords can drastically reduce the risk of security breaches.
The future of cloud security is uncertain but exciting. As companies continue shifting more data and services to the cloud, threats are evolving rapidly. However, by staying up to date with trends, learning from past errors, and making security a significant priority, organizations can thrive in the cloud. The payoff is peace of mind knowing your data is fortified behind impenetrable defenses.
MetricStream helps organizations across industries manage IT and cyber risks and compliance processes in a holistic, proactive, and integrated manner. To learn how MetricStream can help you implement industry best practices for Cyber governance, risk management, and compliance (CyberGRC), request a personalized demo today.
Jump to Topic
Related Resources
Blogs
Update on the SEC’s New Cybersecurity Rules: Insights and Outlook
- IT Risk & Cyber Risk
- 04 April 24
5 min read
Introduction
It’s been several months since the U.S. Securities and Exchange Commission (SEC) approved the final rules governing cybersecurity disclosures on July 26, 2023. For risk management, strategy, and governance disclosure requirements, companies are required to provide the disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023, while compliance with incident disclosure requirements commenced from December 18, 2023.
So what’s been happening since the new rules were introduced? We bring you a high-level summary of what’s been going on to date, including:
- The recent form 8-K filings and 10-K disclosures
- Defining materiality according to the new rules
- Balancing competing risks during disclosures
Form 8-K filings: Few Companies Have Filed till Date
Six companies have filed incident disclosure requirements so far, with three of these companies additionally amending their initial Form 8-K filings to offer further insights into subsequent events. Companies that have filed include footwear maker VF Corp, insurer First American, and tech giants Microsoft and Hewlett Packard Enterprise (HPE).
An interesting observation is that both Microsoft and HPE indicated they were filing the disclosures voluntarily since they weren’t aware of a material impact from the attacks. Microsoft submitted an 8-K filing on January 19, 2024, to the SEC, disclosing that Nobelium, a Russian hacking group, had gained access to its top executives' email accounts, specifically targeting those in its cybersecurity and legal departments. According to Microsoft’s notice, the Russian hackers used permissions attached to a hacked account to access corporate email accounts, “including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.”
The above 8-K filings reiterate the importance of building a strong foundation of cyber resilience where an effective response plan is matched with a detailed cyber governance, risk, and compliance (cyber GRC) program. This will enable efficient and agile response as mandated by the new rules.
How are Organizations Dealing with the Materiality Definition?
The SEC's final cybersecurity rules require filing an 8-K only when materiality is determined, rather than upon incident detection. However, such determinations must be made promptly "after discovery of the incident," without unreasonable delay. This implies that organizations must assess materiality based on both current and anticipated future impacts. Moreover, the rules specify that determinations cannot wait for future impacts to manifest.
While defining the materiality of a risk event, the analysis should take into account qualitative and quantitative factors in assessing materiality.
In a recent webinar I hosted, Brian Fricke, CISSP, CISM, CISO, and City National Bank Florida, dove into what “material” means. He listed a few examples of quantitative and qualitative factors that companies should consider when assessing the materiality of a cyber incident.
Examples of quantitative factors to consider when assessing the materiality of a cyber incident
- Impact on financial condition or results of operations
- Expenses for incident response and remediation
- Costs of potential regulatory or legal proceedings as a result of the incident
- Impact on the company’s assets
Examples of qualitative factors to consider when assessing the materiality of a cyber incident
- Harm to a company’s reputation, customer or vendor relationships, or competitiveness resulting from the incident (termination or material breach of a material contract)
- Impact on a company’s previously announced business plans or trends
- Nature and scope of the attack and unauthorized access to or misappropriation of information
- Duration of the incident and company response time
- The company’s ability to restore affected systems and data
- The company’s ability to resume normal operations after an incident
- Third-party risk (performance, breaches, reputation, etc.)
Watch the webinar for more insights on how to manage cyber risk in a mature, effective way: Navigating the Future of IT Risk and Compliance
Form 10-K Disclosures: Companies Need to Balance Competing Risks
Starting from fiscal years ending on or after December 15, 2023, public companies will need to comply with updated cybersecurity disclosure regulations in their Annual Reports on Form 10-K. Meeting these requirements pose a challenge for companies as they must strike a balance between disclosing enough information to comply with regulations and safeguarding against potential risks. Over-disclosure could expose the company to threats from malicious entities seeking to exploit vulnerabilities or defensive strategies.
However, it remains crucial for companies to provide accurate disclosures that align with the SEC cybersecurity rules, particularly given the ongoing enforcement proceedings involving SolarWinds Corp by the SEC. The SolarWinds enforcement case marks a significant development in two aspects. Firstly, the SEC alleges intentional deception in cybersecurity disclosures by a company, departing from previous cases where negligence was cited. Secondly, it represents the first instance where the SEC has pursued individual enforcement action against a corporate officer in a cybersecurity disclosure matter.
Both Clorox and Johnson Controls, having recently experienced ransomware attacks, have submitted filings to the SEC detailing the costs incurred from operational disruptions and financial losses stemming from cyber-related incidents. Although it remains uncertain whether these filings directly comply with this rule, particularly considering the timing of the attacks, they underscore the growing tendency towards more frequent and comprehensive disclosures. More importantly, it reflects an increasing acknowledgment of cybersecurity incidents as material risks capable of impacting both financial performance and operational continuity.
Achieve Compliance with MetricStream CyberGRC
With an increase in cyber risk and regulatory efforts globally, not just the U.S., it becomes imperative for organizations across diverse sectors and industries to build cyber resilience that can not only ensure compliance but optimize cybersecurity processes and improve efficiencies.
MetricStream’s CyberGRC solution can help you streamline your cyber risk management program and achieve compliance with the SEC’s new cybersecurity rules. Read our blog for a comprehensive mapping of how we can help you achieve compliance with the various aspects mandated by the SEC Rules, including:
- Establishing consistent procedures for incident documenting, analyzing, and remediating till closure
- Maintaining a single source of truth for incident lifecycle for quick and efficient reporting
- Assessing and managing IT and cyber risks in a standardized manner using industry frameworks, such as ISO 27001 and NIST
- Generating comprehensive reports providing in-depth visibility into the overall security posture and insights into risks, compliance, and performance of third-party vendors
- Implementing an integrated GRC solution to obtain real-time status monitoring and comprehensive reports, providing in-depth visibility into overall risk management systems and processes
Interested to know more? Request a personalized demo.
Download eBook: Overview of SEC Cyber Disclosure Rules 2023
Read blog: Achieve Compliance with SEC’s New Cybersecurity Rules
View Infographic: SEC’s New Cybersecurity Rules 2023: Top FAQs Answered
Jump to Topic
Related Resources
Blogs
Healthcare Cyber Resilience: Key Measures for Mitigating Cyber Risks in 2025
- IT Risk & Cyber Risk
- 21 February 24
4 min read
Introduction
Here’s a headline that demands attention! 116 million individuals in the United States were impacted by large health data breaches in 2023. What’s more! According to records from the Office for Civil Rights as of December 21, 2023, the data reported to the Department of Health and Human Services shows that the number has more than doubled when compared to 2022.
The motivation for the relentless targeting of this sector is clear – healthcare institutions are treasure troves of valuable personal and sensitive data, making them lucrative targets for attacks and ransomware. However, while being substantial, the consequences of a cyberattack on healthcare go beyond financial losses; it directly impacts patient safety and security, potentially turning it into a matter of life and death. Tampered patient history, delayed life-saving tests, diverted ambulances, and compromised medical procedures are just a few examples of the real-world consequences that patients may face.
As the digital frontiers expand in 2024, with artificial intelligence (AI) becoming more integral in diagnostics, patient data management, and medical tools, healthcare organizations will need to bolster their cyber risk and resilience strategies.
Rapid Digitization, Surging Data Value, and More—Healthcare Faces Distinct Cyber Risk Challenges
Despite increased focus and investment in cybersecurity, healthcare organizations continue to grapple with persistent challenges unique to their industry. Securing patient information remains a formidable task. In 2023 alone, more than 133 million patient healthcare records in the United States were either exposed or impermissibly disclosed. Additionally, vulnerabilities in connected medical devices, reliance on outdated IT systems, and the need to manage compliance with evolving regulations contribute to the complex cybersecurity landscape.
The expansion of the attack surface through digitization, connected third-party systems, and cloud adoption has further intensified cyber risks. 73% of healthcare companies store data in the cloud, of which 43% is patient or protected health information. Amidst these challenges, human error (such as clicking on a phishing email), responsible for 85% of data breaches, persists due to resource limitations and a lack of cybersecurity training for healthcare professionals.
Agile, Continuous, and Connected—Mitigating Cyber Risk in 2024 Requires a New Approach!
As healthcare systems become increasingly interconnected, the traditional siloed management of cyber risks and reliance on time-consuming manual processes are no longer effective. These outdated methods hinder the swift detection and response necessary in the face of emerging threats. In today's context, where a single phishing email can compromise millions of patient records and disrupt entire systems, the need for agility and prompt mitigation of cyber risks is more crucial than ever. Embracing an agile, continuous, and connected strategy is paramount to fortifying healthcare organizations' resilience against the rapidly evolving cyber threat landscape.
Your cyber risk management strategy in 2024 should include:
- Automating control testing with continuous control monitoring (CCM) to ensure that all controls – physical, technical, operational, and administrative – embedded across medical devices, systems, data, and networks are regularly tested.
- Cyber risk quantification to forecast monetary impact, which will aid in investment decisions, insurance calculations, and communicating criticality to non-technical stakeholders.
- Integration of third-party risk management into your cyber risk management strategy, instead of viewing it in a silo, to ensure proper due diligence, regular monitoring, and security assessments to understand your third party’s data security practices, level of compliance, certifications (e.g., HITRUST, ISO 27001), and business recovery plans.
- Harmonizing controls across multiple frameworks and standards to ensure that there are no gaps with cybersecurity frameworks like HIPAA, HITRUST, NIST CSF, and ISO 27001, and to enhance overall security posture.
- Establishing a risk-aware culture by involving everyone in cyber risk management, simplifying security policies, providing intuitive tools for reporting incidents, and conducting regular training and awareness programs.
Download an infographic on this topic to explore more: Cyber Risks in Healthcare: How to Prepare
MetricStream: Your Partner to Manage Cyber Risk and Build Cyber Resilience
In the face of these multifaceted challenges, healthcare organizations must reassess their cyber risk management practices. As the sector strives to minimize the risk of data breaches and cyberattacks, addressing complexities and building resilience becomes paramount. The journey toward effective cyber risk management requires a strategic approach, continuous innovation, and a commitment to safeguarding patient well-being.
With MetricStream CyberGRC, your organization can:
- Gain a unified view of cyber risks, compliance, policies, and issues
- Automate cyber risk and compliance management
- Accurately quantify cyber risk exposure in monetary terms
- Efficiently monitor and remediate threats and vulnerabilities
- Streamline third-party risk management from onboarding to offboarding
- Harmonize controls across multiple standards and frameworks
- Enable continuous control monitoring for improved compliance and security
- Simplify cyber policy creation, attestation, roll-out, and monitoring
Our latest eBook explores these questions and provides comprehensive insights to guide healthcare organizations toward a more secure future.
For a more detailed perspective on this topic, download our eBook:
Jump to Topic
Related Resources
Blogs
Building Business Value for and with Your IT GRC Program
- IT Risk & Cyber Risk
- 07 February 24
6 min read
Introduction
IT Governance, Risk, and Compliance (GRC) management is becoming increasingly integrated across a wide and expanding set of use cases, including IT risk management, IT compliance, policy management, threat and vulnerability management, IT third-party vendor risk management, and more. The core promise of an IT GRC program that integrates needs across all stakeholders is the efficient management of risk against business objectives and better business performance amid an evolving threat landscape, technological and business developments, and regulatory changes; all of which can lead organizations to thrive on risk.
While many organizations have seen benefits from their IT GRC investments, it is critical to build a case for the business value of IT GRC, in order to a) understand the true impact of the GRC program against investments made into it and b) gain enterprise-wide commitment supporting the implementation of a high-value, sustainable IT GRC program. It all comes down to one point – leveraging risk information efficiently to achieve business outcomes.
Experience shows us that those organizations that manage IT GRC as an integrated program involving people, processes, and technologies are more successful in delivering value to their organizations, compared to those that simply focus on deploying technology or processes without accounting for the larger picture. Not only does an effective, integrated IT GRC program strengthen IT governance, risk and compliance(GRC) management, but it also aligns these processes with the larger enterprise governance framework.
Understanding IT GRC Business Value
Business value is the measure of a program’s qualitative and quantitative benefits, as well as other intangible expected benefits, such as improved decision-making through better analytics. Together, these values provide a complete picture of how business performance can improve over the long run through a portfolio of initiatives.
The business value can be realized at two levels through an integrated IT GRC program:
- Integrated IT GRC across the organization – Benefits include risk-based decision-making translating to efficient risk management, higher efficiencies in operations, and improved governance and decision-making
- IT GRC within a domain – Benefits include the implementation of upgraded process and technology improvements in domains such as IT risk management, IT compliance management, policy management, threat and vulnerability management, and third-party management, which enable the domain to move away from inefficient and error-prone manual, offline methods.
It’s important to remember that any business value derived from an IT GRC program, is ongoing and continuously improving – it accrues over the years with substantial returns stacking up as the adoption of the IT GRC program grows, and as processes are continuously improved. Only when benefits are realized can the initial value proposition of the IT GRC program be achieved, but also perhaps exceeded. As these benefits become “business as usual,” new initiatives and continuous improvements will drive constant upward revisions to the overall value equation.
Benefits of an Automated and Integrated IT GRC
Let’s understand this with the help of an example.
Consider an organization’s IT risk management team of 12 people that is not able to complete risk assessments at the required depth due to the lack of time and resources. Management reporting is difficult and incomplete with only a few metrics and, occasionally, with errors that take time to be hunted down and resolved.
Let’s assume that 400 risk assessments need to be performed in the organization; of which only 200 are currently being completed with a team of 12. It can be implied that the organization can achieve the goal of performing 400 risk assessments if it increases its team size by 100%, from 12 to 24.
Further, assuming the average time to complete an assessment is 10 days, 400 assessments will be completed in 4,000 days. But, assuming 200 working days per year, the total number of team annual days is 2,400 (for a 12-member team) for 200 assessments and 4,800 (for a 24-member team) for 400 assessments.
Also, from the budget standpoint, assuming the average time to complete an assessment is 10 days and the fully loaded cost is $400 per day, the total cost of 200 assessments with a 12-member team will be $400*10*200*12 = $96,00,000.
Considering the organization can increase the team size to 24, the total cost of 400 assessments would be $400*10*400*24 = $3,84,00,000.
This, however, is not realistic. An organization will not have infinite human and financial resources to continue scaling up the team and assessments to meet the growing demand, especially if it is using manual methods, spreadsheets, and emails to perform the risk assessments. What is needed is to lower the average cost per assessment and improve the efficiency of the current team by automating the process.
Improved Efficiency with IT GRC
Implementing an integrated IT GRC solution, such as MetricStream CyberGRC, can help achieve this goal. Based on MetricStream’s customer feedback and business value calculator, an organization can achieve a 66% reduction in the time taken to complete risk assessment. This is mainly attributable to:
- Use of automation to consolidate and continuously update regulations/frameworks to ensure compliance requirements are always accurate and up to date
- Use of automation in use cases such as continuous compliance, incident management, threat/vulnerability identification, and escalation, to improve the time taken per task/event
- Consolidation of threats, vulnerabilities, and controls across all risk vectors to be able to receive a wholesome picture of outstanding risks
- Effectively connecting the dots between risk, compliance, policy, and third-party risk management, where incidents/issues arising in any one stream, can be viewed as a whole, the impact assessed collaboratively, and the availability of analytics which translates to better decision-making
In the above example, where the average time to complete an assessment is 10 days and the fully loaded cost is $400 per day, the organization can
- Reduce the time to complete an assessment to 3.4 days (a 70% reduction)
- Complete 400 assessments in 1,360 days and with $400*3.4*400*12 = $65,28,000, i.e., at 90% reduced cost without the need to increase the number of team members
In this example, factors such as travel expenses, errors and remediation efforts, financial losses due to fines/failures, etc. have not been taken into account. So, realistically, the cost would be much more than calculated here.
Of course, there will be costs associated with an IT GRC solution as well, such as consulting fees, people costs, technology implementation costs, and ongoing direct costs for cloud services. If the deployment is internal, the team can consider additional hardware and infrastructure costs, as well as support and maintenance costs.
But the payoff is significant. By building an integrated IT GRC program with supporting frameworks, processes, governance, information architecture, and working groups, organizations can achieve better business performance as we can see above.
IT GRC implementation is a journey that can span several months with multiple tracks/initiatives and stakeholders. It’s important to regularly review the implementation plan/roadmap and maintain a living document that demonstrates the benefits that have been realized as each initiative is launched and fully adopted.
How MetricStream CyberGRC Can Help
MetricStream CyberGRC helps organizations implement and elevate their IT GRC program with automated and autonomous capabilities, integrated approach, and advanced risk quantification and analytics. It offers several benefits:
- Significant time and cost savings and reduction in errors
- More bandwidth for the team, enabling them to focus on other high-priority areas
- 360-degree view of risk and compliance posture, risk relationships, and impact
- Effective reporting and communication of key metrics with stakeholders, regulators, and customers
- Ability to scale as per evolving business requirements
Interested in learning more? Request a personalised demo now!
Jump to Topic
Related Resources
Blogs
Empower Your Board with Cyber Risk Metrics That Matter
- IT Risk & Cyber Risk
- 22 January 24
7 min read
Introduction
The roles and responsibilities of the board of directors (boards) in ensuring the security of their organizations is expanding – both due to the increasing perilousness of the cyber risk and threat landscape and as the result of new regulatory requirements.
Boards today are interested not only in the business side of it, for example, knowing the return on investment in cyber risk management activities, but also in the technology side of it – the IT infrastructure comprising of on-premises and cloud-based assets, networks, applications, and resources, the third-party ecosystem, the cyber defense and resilience mechanism including the control environment and security measures in place, and more.
The onus to effectively communicate the security and risk-related information to the board and the C-suite in a timely and lucid manner primarily falls on the CISO. Although there is a blossoming trend of appointing Business Information Security Officers (BISOs), the key responsibilities still lie firmly with the CISO. Since boards majorly consist of non-technical executives, it is essential that this risk information is conveyed in easy-to-understand, business-oriented language, which may enable them to first, understand the true potential of risks and their impact, and second, to be able to make strategic decisions that can keep the organization protected while managing budget and resource constraints.
Lack of effective communication not only leads to insufficient or inappropriate action, but may also lead to conflicts and reputational issues and exposes the organization to higher risks. It is imperative for CISOs to choose the relevant and essential metrics to report on, which can aid in fulfilling the above requirements.
What Cyber Risk and Compliance Metrics Should be Reported to the Board?
Cyber risk and IT compliance metrics are essential not only to gauge the effectiveness of an organization’s cyber governance, risk, and compliance (Cyber GRC) strategy and program, but also to manage and effectively communicate risks to the board. They are also critical indicators of overall status, unresolved issues, and potential risk events that can adversely impact organizations.
The CISO and security team measure and track a plethora of such metrics – risk appetite and tolerance, security incidents, configurations, mean time to detect, control maturity, business continuity planning and impact analysis, employee awareness, frequency of training programs, and many more. When reporting these to the board, the CISO should be clear about the objectives behind the reporting. Since the board is responsible for implementing strategies that drive business value, they must receive and review the cyber metrics in a manner that helps them in this process.
Which brings us to the question – what information should the board be made aware of?
The most common and obvious answer is, of course, understanding the security and compliance posture. However, there are several other aspects too.
First, there is no one-size-fits-all metrics reporting template. Understanding the information sensitivity, domain, sector, size, culture, and resources of the organization should be the foundation of all such metrics reporting. As an example, the nature of data being handled, the regions being operated in, the regulations in those regions, and so on will affect the kind of metrics being reported to the board.
Further, the metrics will depend on the ecosystem of the organization. For example, if a company were to scale its operations by engaging a network of third parties, then metrics concerning such third-party activity and their SLAs must also find prominence in any reports to the board.
In another scenario, say, if a company were downsizing and facing budget cuts, the decision-makers would want to know the best way to do so without impacting the overall security posture. This would require looking at metrics such as IT team headcount, productivity, use of AI technology, IT vendors, spending on cyber projects, etc.
Another aspect to consider is the purpose of the report. There are regular review processes that help to determine the cybersecurity strategy, budget, and program. This involves metrics such as the number of security incidents in a year, the total number of critical assets, top risks, threats, and vulnerabilities, the number of access control violations, control maturity practice score, the number of critical and non-critical third parties, mean time to respond to security incidents, total third-party spend, compliance status, number of open issues, and many more. Then there are particular use-case reports such as detailing an incident or planning for a corporate acquisition/merger or entering a new line of business. In these cases, different types of reports with specific metrics need to be reported on and this should be in addition to (and not instead of) the regular reports.
How to Report – Too Many Metrics Are Not Good!
Keeping it simple always works best. Not all board members will have the technical expertise to understand the relevance or criticality of every metric that is being reported. It is therefore crucial to report the metrics in terms that anyone can interpret and understand. For example, in addition to presenting them with the risk assessment matrix, color-coded for depicting high, medium, and low risk, communicate the risk exposure in monetary or dollar terms using risk quantification.
Another best practice is to segregate the metrics into different categories, such as
- Security – detected intrusion attempts, number and severity of security incidents, time to resolve, vulnerabilities assessment results, control effectiveness, etc.
- Financial – risk appetite and tolerance, risk exposure, cost of security incidents, cybersecurity insurance, cost vs budget, etc.
- Compliance – relevant regulations, frameworks, and standards, compliance status, control effectiveness (control testing results), new regulatory requirements and obligations, volume and type of data in possession,
- Third Parties – critical and non-critical third parties, third-party scoring/rating, third-party cyber risks, compliance with SLAs, third-party incident response, etc.
- Cyber Resilience – business continuity planning, tabletop exercises, impact analysis, response and recovery, etc.
- Employee Awareness – policy adherence, training, workshops, etc.
One of the best ways to communicate technical information to non-technical people is to use analogies. As an extremely simplified example, instead of trying to highlight the benefits of ECC encryption over RSA, one can simply portray it as ECC having a 12-lever lock versus RSA, which has a 6-lever lock. The use of real-world examples can go a long way in ensuring board understanding and makes the most fact-based decisions.
Regulatory Mandates on the Board’s Role
Regulations around cybersecurity and cyber risk management are increasing quickly. In recent months, we saw the adoption of the SEC’s cybersecurity rules in the US, following the introduction of the Digital Operational Resilience Act (DORA) in the EU, to be fully adopted by 2025.
The SEC’s rules require annual reporting on the board’s oversight of cybersecurity risks, the management’s role and expertise in assessing and managing material cybersecurity risks, as well as how the board/subcommittee is informed about cyber risks. The rules, set to come into force in December 2023, are applicable to publicly-listed organizations.
For a deeper dive, read our recent blog, Achieve Compliance with SEC’s New Cybersecurity Rules.
EU’s DORA was enforced on January 16, 2023 and financial sector organizations will be required to be compliant by January 17, 2025. The act mandates the “management body” of financial entities to define, approve, oversee, and be responsible for the implementation of all arrangements related to the information and communication technology (ICT) risk management framework.
To learn more about this new regulation, download our eBook, Demystifying DORA - Understanding and Preparing for the EU’s Digital Operational Resilience Act.
The Way Forward
Given the fast pace at which the cyber risk landscape is evolving, the board’s role and interest in cyber risk management will only grow. For CISOs and security teams, this will require presenting a clear, simple, and accurate picture of the Cyber GRC program. Additionally, it requires effective collaboration and regular communication between the board and the CISO to make the reporting process meaningful, streamlined, and aligned with business goals and objectives. This requires time and effort from both sides, and the best time to start is now.
To learn how MetricStream can help with cyber metrics reporting to the board, contact us today!
Jump to Topic
Related Resources
Blogs
Navigating 2024: Top Cyber Risk Trends That Must Be on Your Radar
- IT Risk & Cyber Risk
- 06 December 23
5 min read
Introduction
It has become trite to say that cyber risks are evolving at a fast pace or that it has become a top area of concern for organizations. Businesses today are required to navigate not just the digital era but the era of cognitive intelligence and generative AI (GenAI). While these technological advancements are helping organizations significantly improve their cyber risk management and gain process efficiencies, the easy access to these tools has made them a favorite among bad actors and cyber adversaries who can use them as easily to plan and launch sophisticated attacks with far-reaching consequences.
The best cyber risk management strategy is to ensure that innovation and security measures go hand in hand. But in practice, it is not so. In an IBM survey, while 94% of CEOs said that it is important to secure AI solutions before their implementation, 69% said that innovation takes precedence over cybersecurity for GenAI.
While AI is on everyone’s mind as we step into 2024, what are the other cyber risks that organizations need to prepare for? Before we get to that, here’s a quick recap of the major happenings from 2023 for all things cyber.
The Cyber Governance, Risk, and Compliance (Cyber GRC) Whirlwind in 2023
One of the most important cyber developments in 2023 was undoubtedly the adoption of the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules for public companies by the U.S. Securities and Exchange Commission (SEC). Though there are a lot of unanswered questions and “grey” areas regarding determining the “materiality” of a cyber incident or terms like “without unreasonable delay”, it is a landmark regulation nevertheless and a step in the right direction.
For deeper insights into the new rules, you can read my previous blog “Achieve Compliance with SEC’s New Cybersecurity Rules” or leave a comment below to let us know your thoughts.
With AI implementation gathering steam across sectors, the National Institute of Standards and Technology (NIST) released the AI Risk Management Framework in January 2023. The framework is intended to “improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.”
We also saw the Digital Operational Resilience Act (DORA) being enacted in the European Union on 16 January 2023. EU-based financial sector organizations will be required to demonstrate DORA compliance from 17 January 2025. Aimed at enhancing the digital operational resilience of financial sector entities, DORA covers key areas including ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, the management of ICT third-party risk, and cyber threat information sharing.
Our eBook “Demystifying DORA: Understanding and Preparing for the EU’s Digital Operational Resilience Act” discusses various aspects and requirements of DORA in detail.
Throughout the year organizations around the world also faced a growing number of cyber attacks and data breaches. Some of the major ones include the hack of MOVEit which affected over 1000 organizations and the personal data of at least 60 million individuals, the distributed denial of service (DDoS) attacks on a number of banks across Italy, ransomware attack on entertainment company MGM Resorts which led to operational disruptions, uncovering of a 38 terabyte data leak at Microsoft that happened in 2020, data breach at the Indian Council of Medical Research (ICMR) which exposed the personal data of 815 million Indian residents, and many more.
What to Expect in 2024?
It goes without saying that the cyber risks will increase in number, sophistication, and severity. Here are some of the top Cyber GRC trends for 2024:
- Heightened Business and Regulatory Focus on AI
The overall trend of AI and GenAI innovation is expected to continue and gain more momentum in 2024 with competition becoming fiercer and regulators worldwide rolling out AI-focused regulations and frameworks in an attempt to ensure that innovation is supported by effective security and governance measures. - Automated and Continuous Approach to Cyber GRC
Specifically in the field of Cyber GRC, more and more organizations are expected to embrace automation for risk and compliance management processes and AI-powered predictive analytics to navigate the rapidly intensifying cyber risk and regulatory landscape. This includes capabilities to perform autonomous risk assessments and value-based quantification, continuous control testing with immediate remediations, automated compliance, and more. - Continued Focus on Third-Party Cyber Risks
Third-party cyber risk management will also be a core focus area of CISOs and security teams with growing digital dependencies of organizations on SaaS solution providers, cloud service providers, and technology providers, among other third parties in the ecosystem. 2023 saw continued trend of exploiting third parties to gain access to target organizations. Proactively identifying the potentially vulnerable areas, points of failure, and blind spots throughout the third-party risk management life cycle has become more important than ever as can also be evidenced by the introduction of strict regulations to govern their activities. - Increased Cybersecurity Investments
Given the growing frequency, scale, and sophistication of cyber attacks, organizations will be significantly ramping up their cybersecurity and risk management investments. Gartner estimates global spending on security and risk management to reach $215 billion in 2024, making it a 14.3% increase from 2023.
With this background and while the future can be uncertain, we’ve compiled our thoughts on the top 7 cyber risk trends that organizations need to be aware of and prepare for in 2024. Check out our infographic on the top 7 cyber risk trends, which discusses these trends, what to expect, and how to prepare in more detail.
Download now: Top Cyber Risk Trends in 2024 and Beyond
Getting the Cyber Defenses Up
We at MetricStream are hard at work to help organizations stay one step ahead of cyber risks. 2023, in particular, has been a milestone year as we rolled out a number of solutions and capabilities to help organizations drive an effective Cyber GRC strategy. These include:
- AiSPIRE, the industry’s first AI-powered, knowledge-centric GRC, which continuously senses and identifies risk, audit, and control deficiencies, duplicate risks and controls, patterns of over and under-testing of controls, and enables proactive planning and prioritization of risk assessments, control testing, issue, and action planning.
- Autonomous Control Testing which automates control testing across IT compliance controls and reduces risk by assessing controls across the entire population.
- Integration with AWS Audit Manager which simplifies and consolidates IT compliance management through automated control testing and evidence collection of all firm-wide controls, including on-premises and multi-cloud environments.
To explore MetricStream’s cyber risk and IT compliance management capabilities and to prepare for the trends of 2024, request a personalized CyberGRC demo today!
Jump to Topic
Related Resources
Blogs
CyberGRC Just Got More Powerful with AWS Audit Manager
- IT Risk & Cyber Risk
- 22 November 23
3 min read
Introduction
As businesses migrate to the cloud or expand their cloud adoption, security risks and compliance are always among the chief concerns, and critical challenges that must be addressed, especially in today’s volatile risk climate.
AWS Cloud users have access to AWS Audit Manager, which continuously audits AWS Cloud service usage, and streamlines the assessment of risk and compliance with regulations and industry standards. Audit Manager automates evidence collection to assess operational effectiveness of internal controls frameworks and provides audit-ready reports. It’s a powerful tool. And it just got more powerful, by integrating MetricStream’s CyberGRC solution.
In addition to cloud infrastructure controls, almost every organization has application-specific controls and organization-specific policy and procedure controls with which they also need to demonstrate compliance. Even AWS Cloud customers often have requirements for infrastructure controls for other cloud providers and on-prem solutions. Often these controls are maintained and assessed manually, in Excel sheets, with point solutions, or using GRC tools that are not integrated with AWS Audit Manager. These manual processes are resource-intensive and themselves fraught with risk.
Now, with the integration of CyberGRC, AWS Audit Manager customers can automatically solve their IT and compliance challenges and lower their cyber risk exposure. And for existing CyberGRC users already on AWS, the integration with Audit Manager brings automated evidence collection, to afford a complete view.
Finally, a Centralized View
AWS Audit Manager users will now be able to demonstrate compliance not just with AWS Cloud infrastructure controls, but also with custom controls, application-specific controls, and controls for multiple cloud providers, as well as benefit from MetricStream’s complete suite of cyber risk, policy, and compliance and functions.
So, instead of trying to manage reporting from multiple systems, users will finally have a centralized repository and view of control results – from AWS Audit Manager and across other controls – in one place, including automated evidence gathered from AWS, as well as control data and evidence stored in CyberGRC.
The benefits of this integration are clear:
- The ability, finally, to access and maintain all required controls, test results, evidence for all cloud environments and on-prem in one place, breaking down silos to accelerate decision-making;
- The ability to automate testing and evidence gathering of AWS infrastructure controls, reducing the manual effort required in testing and gathering evidence;
- The reassurance that all control test results and evidence from AWS Audit Manager will get automatically updated in MetricStream;
- Easily demonstrable compliance across AWS, on-prem and other cloud environments.
In short, the co-innovation between MetricStream’s CyberGRC solution and AWS Audit Manager will not only reduce risk and maintain compliance across all systems in real time, it will also create organizational efficiencies by reducing manual processes and breaking down internal silos. It is a major step forward in IT Risk and Compliance for cloud-based businesses.
The above blog was originally published as an article by the author on LinkedIn. Read the original version here.
Learn more about the MetricStream CyberGRC and AWS Audit Manager Integration.
Download the Tech Brief: Automate Control Testing and Evidence Collection with AWS Audit Manager and MetricStream CyberGRC
Jump to Topic
Related Resources
Blogs
Cyber Attack Alert: The Invisible Enemy Could be Sitting Next to You
- IT Risk & Cyber Risk
- 21 November 23
3 min read
Introduction
While cyber attacks remain the plague of the modern corporate world, there are historical similarities that date back to a pre-computer era.
In 1988, Cornell University graduate Robert Morris was the first person to be successfully charged under the Computer Fraud and Abuse Act. It could however be argued that the first actual cyber-attack was launched over 150 years earlier by French brothers François and Joseph Blanc.
In the 1830’s the equivalent of the internet was the telegraph. This used semaphore to deliver vital government communications as well as share prices from the Paris Stock Exchange.
The brothers hatched a plan to ‘front run’ the markets by hiring an agent in Paris to deliver coded messages disguised as packages to the telegraph operators. If the paper wrapping was white, the market had gone up, if the wrapping was grey then the market had moved down. They bribed telegraph operators to send messages based on the colour of the wrapping. The messages were disguised as deliberate errors that would be disregarded by operators. The brothers hired an agent who understood what an ‘error’ signal looked like. He sat on an adjacent hill and read the signals as they came in revealing the market news.
The brothers exploited the markets for 2 years and made a significant sum of money. When the scam was exposed, they were arrested for bribery. Back then, France had no laws against the misuse of a telegraph system, and they were only forced to pay court costs. This meant they got to keep their ill-gotten gains.
I know what you’re thinking…but, I can confirm that this loophole was rapidly closed!
We are still faced with the same issue even with modern advances in technology. There are still those who are willing to exploit others for their own gain. Organizations and legislature are lagging the curve and stuck in a constant battle of catch-up.
In 2021, Gartner forecasted that spending on Security and Risk Management would exceed US$150 billion. This is a drop in the ocean considering the cost of cyber-crime is estimated to have breached the US$1 trillion mark. Yet despite this, technology phishing attacks remain the most common hacking technique.
Building Cyber Resilience with CyberGRC
Ensuring organizations stay ahead requires proactive risk assessment, mitigation, and monitoring of IT and cyber risks, threats, and vulnerabilities, across various IT compliance requirements. MetricStream’s CyberGRC solution can streamline cybersecurity efforts to actively manage cyber risk and support cyber resilience.
Built as an intelligent, intuitive, and interconnected program, CyberGRC enables your organization to:
- Harmonise controls across multiple IT regulations and frameworks, improving compliance and saving effort and costs
- Quantify your cyber risk in monetary terms to analyse and communicate risk and better prioritise cyber investments
- Automate continuous control monitoring, enabling you to collect evidence of security control effectiveness
- Collate data from across the enterprise, including third and fourth-party vendors, which can then be transformed into actionable business intelligence to support data-driven decision-making
- Correlate vulnerabilities with IT assets, and prioritize remediation efforts based on the highest levels of threats leading to improved efficiency and increased assurance from your tech partners
Although your cyber risk and security tools may be sophisticated, phishing requires one simple lever - the ignorance of human beings. There are many different risk factors to manage, minimize, and protect against. It does make you think - could the invisible enemy be sitting next to you?
Want to learn more on how you can build your organization’s cyber resilience? Request a demo now.
Check out more resources related to cybersecurity:
The Ultimate Guide to Cyber Security and IT & Cyber Risk
Jump to Topic
