The growing complexity of our interconnected digital systems has created a new type of worldwide risk every organization must understand. Major failure of any of the connected points could have a broad ripple effect, affecting multiple organizations. Systemic risk — a risk stemming from one part of the system threatening to damage the whole — is an emerging concern that chief information security officers (CISOs) and boards of directors must recognize.
The Log4j vulnerability is one of the recent examples of systemic risk stemming from the supply chain, showing how a single piece of software could put critical systems across the world in jeopardy. A recent report by the U.S. Department of Homeland Security's Cyber Review Board called the flaw "endemic," assessing that significant risk from vulnerable Log4j instances will remain for at least another decade. While no cyberattacks have been attributed to Log4j yet, security researchers have observed attempts by hackers to exploit the vulnerability as recently as August 2022.
What Is Systemic Risk and Why Does It Matter?
The Digital Directors Network, recognized for its systemic risk framework, describes systemic risk as "the threat that component failure in a complex system will cascade and jeopardize the much larger system." A report from the Carnegie Endowment for International Peace and the Aspen Institute has a similar definition of systemic cyber risk, though more narrowly focused on cyber: "the possibility that a single event or development might trigger widespread failures and negative effects spanning multiple organizations, sectors, or nations." Further, the report notes that "the possibility that a single failure somewhere in cyberspace could cause widening ripples with catastrophic consequences" is a growing concern.
We saw such catastrophic consequences after the 2017 NotPetya malware attack, which spread rapidly to systems around the world and ultimately caused an estimated $10 billion in damages. As organizations continue their journey of digital transformation and moving much of their infrastructure to the cloud, their dependence on the various SaaS providers grows exponentially. Systemic risk becomes inherent in any modern organization.
Any system we trust with access to our data, whether it is our own internal architecture, that of our SaaS vendors, or that of our network of partners, creates inherent systemic risk. And this risk can come from any single point because any single point can fail.
Addressing Systemic Risk Is an Even Bigger Challenge Than Cyber Risk
Many organizations are still trying to figure out how to address their cybersecurity risks, and systemic risk makes that a much tougher challenge, especially since it's more difficult to detect. Now that the data center is a global mesh, spread across different SaaS platforms with data everywhere, the inherent risks that we must think through are completely different — things are no longer completely under our internal control.
Addressing systemic risk requires an approach that's distinct from the perimeter-focused strategy that many organizations used in the past. We must shift our view and think through the lens of business enablement. That means that rather than looking at the perimeter, we should think about our organization's business values and what matters the most to its executive team and the board — pause and consider all the technologies wrapped around the core business-enablement functions.
Take your enterprise architecture as an example. What are the various tools you need to mitigate various risks? How are all those tools connecting or interconnecting to one another? Where are the potential risk failures in that interconnectedness? Where are the potential weaknesses and systemic risk stemming from that interconnectedness? Those are the layers you should think through holistically, because the failure of any single point could lead to the failure of the bigger system.
People Are a Core Component of Systemic Risk
One of the biggest intrinsic risks within an organization is its people — this can't be underscored enough. The latest Verizon Data Breach Investigations Report shows that the human element is involved in 82% of data breaches. Tactically, this is the area where you need to start addressing systemic risk.
Every individual is an attack vector and one of the most vulnerable targets within your ecosystem. Threat actors are exploiting this attack surface constantly. It's imperative for you to hone in and understand five critical aspects:
- Which individuals create the greatest risk within your organization
- Who is being attacked and why
- How is everyone being attacked
- How likely is for various individuals to become compromised
- What impact could that compromise have on your entire organization
By answering these questions and mapping every individual's systemic risk profile, you can create a comprehensive picture of people-centric systemic risk. This enables you to prioritize risks and optimize your mitigation strategies and controls based on those risks that are more likely to lead to systemic failure.
An example of a people-centric systemic risk that we're currently seeing is "the great reshuffle" across the board as people leave organizations at a large scale. They are leaving with the data of their organization, which increases the risk of insider threats. A recent Proofpoint survey of security leaders found that 56% of them view human error as the biggest threat to their organization, with compromised insiders as the most likely vector. The lingering effects of The Great Resignation only worsen this concern.
Many organizations still struggle with foundational cybersecurity, and adding systemic risk to security leaders' agendas feels like a tall order. Indeed, you must solve many of your basic problems before you can even start thinking about more strategic and holistic issues. But the need to address systemic risk will become more urgent, and eventually it will be an expectation as organizations reach a certain level of security maturity. Security leaders and boards shouldn't wait for that moment and must begin this conversation now, embracing their opportunity to elevate the discussion about cyber risk.
Lucia Milică is Global Resident CISO at Proofpoint.
