The Risk Management Shell Game


Being in risk management today feels as much like a shell game at times as it does a strategic undertaking. We feel like we have our arms around likely risk factors and how to measure, monitor, and prepare for them, as well as how to have a solid posture on response when our defenses fail us, which at times they inevitably will.

Regardless of your preferred acronym for the space – GRC, IRM, or now even ESG – risk is at the center. There are many types of risks, either known or unknown. Risks are considered known when you understand the vulnerability, have taken reasonable precautions, and still accept the fact that it may occur and has a cost associated. With known risks, you can insulate or insure yourself to cover the unlikely event of exposure. You accept the “cost of coverage” as a percentage of the cost of exposure, make a business determination, and move on. You monitor for it and pay your premiums, hopeful that your defenses, although not 100% perfect, will suffice and that your coverage will be adequate in that unlikely event. Sometimes that coverage is as direct as a literal insurance policy; other times it is not.

How do you prepare for unknown risks?

That’s more difficult. To avoid as many unknown risks as possible, we risk management professionals try to be even more comprehensive in determining known risks. With each one we add to the list, we theoretically shorten the list of unknown risks.

As hard as we work to manage known risks, the bad actors of this world are on the prowl to exploit unknown risks. We’ve seen this recently in the explosion of ransomware. Ransomware was an escalation of data theft. As data theft became more common, we all put up greater barriers to stop the attack. In many cases, very successful defenses have driven the bad actors to new targets. Nowhere is this better demonstrated than with ransomware attacks.

Rather than stealing your data, attackers now exploit our reliance on technology to block your access to it. So don’t rob the bank, just change the lock on the vault and hold the new combination ransom! Bad actors use similar techniques, finding and exploiting vulnerabilities. They have a different objective – blocking your access versus stealing your data – with a similar outcome: ill-gotten gains by exploiting those vulnerabilities.

No doubt the same kinds of companies that build mighty defenses against data breach attempts will turn their time and talent towards defending against the exploitations that lead to successful ransomware attacks. Through those efforts, they will help shore up corporate defenses, and in many cases they already have. REvil, the alleged perpetrator of the recent Kaseya attack, has taken a new leap in two ways, essentially expanding the pool of threats.

First, technology emerged to unlock files that had been encrypted by ransomware, which allowed companies to bypass the ransom and recover their files. How did REvil respond? By not only locking files for ransom but also stealing data as collateral. A simple message – “Pay us $70 million to unlock your files, or we release the data we stole.” Bypassing the ransom and using legitimate technology for the decryption triggered a potentially worse outcome. The evolution of evil.

Second, REvil essentially became a SaaS software provider, licensing its ransomware attack software to less sophisticated syndicates. This is the part that really got my attention. Several states have made the use of ransomware software a crime, and others have made mere possession a crime. But with developers around the world in any number of jurisdictions, there is no universally accepted standard that makes the simple creation or possession of ransomware illegal.

Until that happens, ransomware, or the son of ransomware, or whatever its next evolution is, remains the greatest unknown threat that risk professionals face. The democratization of its use by progressively smaller and less sophisticated bad actors makes it increasingly likely that your company or agency will eventually feel the brunt of it.


The ETHIX360 blog brings you weekly updates on all things human resources and compliance.


MEET THE AUTHOR

J Rollins is the co-founder and CEO of ETHIX360. J is a well known leader and innovator who has served on senior leadership teams ranging in responsibility from Chief Revenue Officer, Chief Marketing Officer, SVP of Product Strategy and Chief Operating Officer.


ABOUT ETHIX360

At ETHIX360, our goal is simple: to provide an affordable, flexible, and comprehensive answer to employee communication, policy management, corporate training and case management on issues related to corporate ethics, code of conduct, fraud, bribery, and workplace violence.
