The business case for protecting crown jewels in cyber security

Threats to cyber security for operational technology.
Johannesburg, 31 Jan 2022

Technology mission-critical assets are known as ‘crown jewels’. These are high-value assets that would cause the most business disruption if compromised. Anything of value attracts the attention of criminals, and this is no different in cyberspace. Information Technology systems and data make up a significant portion of an organisation’s crown jewels. These could be trade secrets, intellectual property, company or customer data, as well as operational and financial systems.

Organised cybercrime is the largest threat and is a lucrative and growing business. Common threats are ransomware, data breaches, malware, and phishing. The impact of cybercrime in 2021 is estimated to be 1 Trillion USD. A major ransomware group, REvil, was recently taken out by Russian authorities. (1)

Many organisations have the basics in place but lack a formal framework to manage and reduce Cyber Risk. In some cases, key areas are neglected. There is no effective visibility of key cybersecurity metrics. This translates to leaving the ‘cyber gates’ wide open, making for an attractive target.

Recovering from a physical or cyber incident can be more expensive than preventing it. These costs are quantifiable, but damage to reputation and to customer or shareholder confidence is difficult to assess and can be long term. The costs of a data breach can run into the millions. This includes costs for: detecting a breach, business disruption, revenue losses from downtime, cost of lost customers and acquiring new ones, breach notification and response activities. (2) Employee safety is non-negotiable but can be compromised by cyber threats to Operational Technology.

Physical or real-world threats such as burglary, vandalism, fire and flooding are well understood. Money is spent on fences, alarms, security guards, fire detection and suppression. This protects physical assets against the potential business disruption, loss of revenue, customer confidence and even business closure in extreme cases.

The same due diligence needs to be applied to protect high value logical assets or virtual crown jewels.

The Financial Sector Conduct Authority (FSCA) has acknowledged the risks in South Africa today: “The biggest challenge to every institution today is the frequency and sophistication of targeted cyber-attacks, with perpetrators continually refining their efforts to compromise systems, networks, and information, worldwide. Cyber-attacks have been targeted at critical infrastructure and strategic industry sectors such as the financial sector.” (3)

The South African Information Regulator views data breaches seriously, and POPIA (the Protection of Personal Information Act) allows for a fine of up to R10 million or imprisonment of up to ten years.

The World Economic Forum's view: “Cyber risk is a systemic challenge and cyber resilience a public good. Every organisation acts as a steward of information they manage on behalf of others. And every organisation contributes to the resilience of not just their immediate customers, partners and suppliers but also the overall shared digital environment”.

Wolfpack Information Risk (4) recommends the following 9-step action plan:

1. Establish Cybersecurity as a business priority with a clear vision and responsibilities. Cyber resilience is a leadership issue. The board takes ultimate responsibility for oversight of cyber risk and resilience.

2. Establish sound and robust processes for managing cyber risks.

3. Identify mission-critical information assets or crown jewels - Understand which Key Business Areas (Processes, People & Technology Assets) are at Risk.

4. Conduct a Cyber Risk assessment using best-of-breed frameworks covering Cybersecurity, Privacy and Resilience. Assess the main adversarial threats to the crown jewels.

5. Determine & implement the most appropriate method to protect the Crown Jewels. Build a prioritised roadmap to adopt cybersecurity fundamentals to preserve confidentiality, integrity and availability of data and Information Technology systems.

6. Build internal competencies to maintain cyber resilience capability and to be adequately prepared to deal with cyber threats.

7. Initiate a shift in employees’ mindset to embed a culture of continuous security improvement in all aspects of business processes via continual awareness training.

8. Monitor effectiveness and make appropriate improvements as needed – Undertake systematic testing and assurance regarding the effectiveness of security controls. Examples are Penetration testing and third-party supplier risk assessments.

9. Prepare for incident response and notification of material cyber incidents to the regulated entities or Authorities.

Taking action to prevent cybersecurity incidents will deliver the following business benefits:

  • Ensure customer retention and confidence by demonstrating you value their business and data. 
  • Ensure sustainability of operations, financial stability and competitive advantage. 
  • Protect the interests of shareholders. 
  • Provide a holistic approach to minimise the risk of business disruption and financial losses. 
  • Improve visibility of cybersecurity posture & maturity.
  • Demonstrate duties of care by being aware of potential risks and implementing appropriate controls. 
  • Demonstrate good governance & avoidance of potential liability actions. 
  • Provide evidence that appropriate action was taken. This is essential in the event that a cyber breach occurs. 
  • Reduce cybersecurity insurance premiums.

Please contact me to share your ideas, if you have been breached or need help – bryan@wolfpackrisk.com or https://alertafrica.com/report/. You can also report breaches at the National Computer Security Incident Response Team (CSIRT) at cshubcsirt@cybersecurityhub.gov.za

Here are some resources used or referenced within this article:

1 Reuters, Jan 2022, Russia takes down REvil hacking group at U.S. request – FSB, https://www.reuters.com/technology/russia-arrests-dismantles-revil-hacking-group-us-request-report-2022-01-14/

2 IBM Security and the Ponemon Institute, 2021, Cost of a Data Breach Report 2021, https://www.ibm.com/security/data-breach

3 https://www.fsca.co.za/Pages/Default.aspx

4 www.wolfpackrisk.com
