Reputational Risk … The Highest Consequence Category?
Dale Peterson
ICS Security Catalyst, Founder of S4 Events, Consultant, Speaker, Podcaster, Get my newsletter friday.dale-peterson.com/signup
The classic 5 x 5 risk matrix with consequence broken out by category: financial, health & safety, customer impact, and reputation. Create scenarios and see where they fall on the matrix, with the ever-present challenge of determining likelihood.
The first surprise: many of the scenarios are acceptable risks in the matrix for the financial, health & safety, and customer impact consequence categories. We often wrongly believe any outage or OT cyber incident is unacceptable. It is not desired, and it is a failure of security, but there are likely other events during the average year that cause a greater consequence and have become accepted risks.
The second surprise is that the perceived impact of these scenarios on the company's reputation, as viewed by executive management and often the operations and cybersecurity teams, falls in the red: unacceptable risk that must be reduced.
The kneejerk reaction is to reduce the likelihood of the scenario: what new security controls can we, or should we, deploy? The better answer in this situation is more likely consequence reduction: how do we reduce the reputational impact of the incident occurring?
If the scenario has a medium to low consequence for the other consequence categories, then there is a mismatch between perception and reality that should be addressed. This perception needs to be addressed in two areas:
This is partially a maturity issue and partially a culture issue. Maturity will come as OT cyber incidents become less rare and if they remain a small consequence compared to other factors such as weather, pandemic, workforce and supply chain. Culture is tougher because the security industry is largely responsible for hysteria. We will need to rein ourselves in.
Senior OT Cybersecurity Consultant
1 year
It is eye opening to see how little data breaches affect longer term stock prices, even for huge breaches that stayed in the news for weeks during the last decade.
Senior Program Manager at Microsoft | Cybersecurity | IoT / OT / ICS / IIoT | Transforming and Securing the Unmanaged |
1 year
The impact of an OT cyber incident reaches far beyond just the technical aspects. It can have significant repercussions on an organization's reputation, employee morale, and even leadership changes. Thank you for bringing this crucial topic to light. The fallout from such incidents can be detrimental to the trust and confidence that stakeholders, clients, and partners have in the organization. Moreover, the impact extends to the workforce itself, and even leadership changes often follow significant cyber incidents.
Cyber-Physical Risk Expert | Founder Cyber-Physical Risk Academy | Consultant, Speaker, Trainer, Publisher | Operational Technology | Masterclasses | Training | 45+ years in process automation. OT security focus.
1 year
Dale Peterson, how can image be more important than life? For me image is a variation on financial loss, a long-term financial loss recurring over a period of time.
Cyber-Physical Risk Expert | Founder Cyber-Physical Risk Academy | Consultant, Speaker, Trainer, Publisher | Operational Technology | Masterclasses | Training | 45+ years in process automation. OT security focus.
1 year
When we talk about Oldsmar, and how their cyber incident response plan worked exactly as designed, I am puzzled. The Oldsmar water treatment plant, a small facility serving approximately 15,000 people, gained global attention due to the potential risk of a cyber attack aimed at contaminating the water supply. Despite the effectiveness of their protection systems, it is alarming that such an insignificant facility made headlines worldwide. In my opinion, the issue lies not in the technical aspect of their incident response process, but rather in their communication strategy, which clearly failed. The damage to the company's reputation is significant because people now associate the Oldsmar Water Treatment plant not with delivering clear and safe water, but rather as a victim of a scary security attack. Whether the association is true or false is irrelevant; the negative link between the plant and the incident is detrimental. This situation echoes the Stuxnet and Siemens scenario, where their names became intertwined in a negative way. If this does not indicate damage to a company's image, then what does?
Founder & Managing Director at BxC Security | Cybersecurity and IT/OT Transformation | Guest Lecturer at HM München for ICS Security
1 year
From observing various IT and OT incidents, reputational risk is mostly overrated. The memory of customers, stakeholders, and stockholders is simply too short, or options for replacement are too limited to have a long-term incident. This is an example from the IT world, but how often did Marriott get hacked? Seven times since 2010. And these are only the ones that made it into the news. (Sidenote: one of them resulted in 383 million guests and resulted in a $100 million class-action lawsuit in Canada and an £18.4 million fine by the UK's, which is incredible when it comes to impact.) So what about the reputational damage? Well, today, the stock price is at a nearly all-time high. This means Marriott's services are being consumed, and stakeholders and stockholders did not perceive these seven incidents as so bad that they would pull their trust in Marriott? At least not in the long term. This is just one example, but you can find so many similar cases. So the question is: is reputation overrated when it comes to cyber breaches? Are breaches of this kind actually a good time to buy stocks of the attacked company?