
Factoring harm as part of a risk-based approach

By Tracy Burrows, ITWeb contributor.
Johannesburg, 04 Jun 2025
Andy Kennedy, senior solutions engineering manager, UK, Ireland and SA at Cloudflare.

Risk should not be the only consideration when organisations move to mitigate cyber threats – they should also focus on the potential harm an attack could cause.

This is according to Andy Kennedy, senior solutions engineering manager, UK, Ireland and SA at Cloudflare, who was addressing the ITWeb Security Summit in Sandton this week.

Kennedy said: “Organisations typically take a risk-based approach to cyber security, but risk is seen from our perspective of how it affects us – not the harm it causes others.”

He noted that this outside-in approach undermined efforts to make organisations more customer-centric. “In risk-based approaches, we talk about our own financial risk and potential penalties, but we overlook the harm it could cause. This should be something we think about more,” he said.

He highlighted Cloudflare’s work on Project Galileo, which offers cyber security services free of charge to organisations supporting the arts, human rights, journalism and democracy, protecting over 2 900 vulnerable internet properties that are the targets of DDoS and other cyber attacks.

Another example of Cloudflare’s efforts to mitigate harm is its work with Flo Health, a female health and well-being app that focuses on menstrual cycle tracking, ovulation and pregnancy. To mitigate the risk of legal action in countries and regions where women’s reproductive rights are under threat, Cloudflare and Flo have collaborated to guarantee the anonymity of individual users. “This has profound implications for women across the world who could face harmful consequences if they use the app,” he said.

“When we think about risk, we need to think about how we protect those that are most vulnerable to cyber risk.”
