Systemic risk has become something of a buzzword in cybersecurity circles in recent years. But while many are now familiar with the term, its definition and scope can vary significantly.
A report from Carnegie Endowment for International Peace and the Aspen Institute, for example, defines the concept as “the possibility that a single event or development might trigger widespread failures and negative effects spanning multiple organizations, sectors, or nations.” Digital Directors Network, known as a leading voice on the topic, describes systemic risk as “the threat that component failure in a complex system will cascade and jeopardize the much larger system.”
Naturally, the more complex a system, the greater the risk that one single event can have a domino effect, cascading far and wide through organizations, supply chains, and infrastructures.
Unfortunately, complex systems are often the rule rather than the exception. Most organizations and institutions, including those critical to national infrastructure, operate across a patchwork of new technologies and legacy systems, with in-house, cloud, and third-party setups. So, the challenge of protecting these sprawling ecosystems is almost insurmountable.
But chief information security officers (CISOs) must overcome this challenge quickly, as the issue of systemic risk is now firmly in the spotlight. The consequences of systemic risk run far and wide, from service interruption and data loss to brand damage and multimillion-dollar regulatory fines. Just one broken link in your chain can expose your business to these repercussions—and much more.
The sprawling impact of systemic risk
The concept of systemic risk is by no means new. However, as we become more reliant on digital, connected, and multi-layered systems, the scope of this risk is increasing dramatically. As a result, there are numerous examples of a single failure putting businesses, services, and even lives at risk.
Take the SolarWinds incident. What started as an injection of malicious code within a private organization quickly spiraled to impact the services of government departments and Fortune 500 companies. Soon after, it became a full-fledged international incident with the U.S. government imposing sanctions on Russia. And with the company accused of not fully understanding its level of exposure to systemic risk, its current and former board members are still facing legal and regulatory fallout to this day.
This incident highlights the pivotal role that people play in systemic risk. With over 90% of cyber incidents requiring human interaction, it may take just one click to unleash a world of issues that far exceed the reach of your organization. When the stakes are this high, it’s essential that your users are equipped to handle such a responsibility.
The number one risk factor: your people
People are the number one risk factor when it comes to systemic risk, whether they’re in your organization or at a third party in your supply chain. It takes just one insider threat, one errant click, or one reused password to kick-start the domino effect. So, first and foremost, you need total visibility into who is accessing your data—when, where, and how.
The more you understand your people and their activities, the more protections you can put in place to help them defend your organization. While perimeter fences and filtering systems are vital, protections must extend beyond them. The onus is on security teams to educate employees on their role in protecting company data and on the wider risk of exposing that data.
By building a cyber-aware culture throughout your supply chain, you can change the kinds of behaviors that open the door to threat actors from wherever they may originate. That means providing adaptive, ongoing, and comprehensive security awareness training targeted to those users who need it most.
This is no longer just a matter for your IT team. Organizations now have a civic, perhaps even a moral, duty to minimize and mitigate risk wherever possible. As the Chief Justice of the Delaware Supreme Court recently put it, organizations must “demonstrate credibly that they are thinking proactively about systemic risk.” If your organization isn’t, it could soon face consequences that stretch far beyond the walls of the boardroom.
Discover New Perimeters—Protect people. Defend data.
Want to read more articles like this one? Access the latest cybersecurity insights in our exclusive magazine, New Perimeters. This publication is available to browse online, download to read later, or receive in print directly to your door. You can get your free copy of New Perimeters, the exclusive magazine from Proofpoint, here.