Don’t Overlook the Business Risk in BRI

A business risk intelligence (BRI) program requires many components about which I’ve written previously: the right intelligence requirements, collection strategy, KPIs, vendors, collaboration, and stakeholder support. But there’s another component that, though it may seem obvious, is among the most foundational yet also the most frequently overlooked: a comprehensive understanding of business risk.

As security practitioners, we often think about business risk in terms of threats, vulnerabilities, and the extent that they could impact the assets we’ve been entrusted to protect. But it’s important to remember that business risk encompasses more than just security. And in order to execute a BRI program effectively, we need to be able to understand, measure, and mitigate business risk not only through a security-focused lens but also through a business-focused one. Here’s how:

Know the five categories of business risk

Business risk is broadly defined as the possibility that a business will incur a loss due to uncertainty. Although there are seemingly countless uncertainties inherent to running a business, most tend to fall under one or more of the following categories:

● Financial risk reflects the likelihood and extent that a business could experience financial loss due its capital structure and/or financing. Changes in interest rates, foreign exchange rates, or a business’s debt-to-equity ratio are common factors that can influence financial risk. Although all categories of business risk can have financial implications, financial risk refers solely to implications of how a business handles money.

● Compliance risk refers to the penalties a business could face if it fails to comply with requisite regulations. These penalties can vary immensely and range from minor fines to serious legal action. But regardless of a business’s regulatory environment—which tends to depend primarily on its location, size, and industry—many compliance risks can arise due to largely unforeseen circumstances such as data breaches, technical failures, or sudden legislative changes, for example.

● Strategic risk entails the potential loss a business could incur in the event that any aspect of its strategy becomes less effective for any reason. Increased competition, demand fluctuations, and technological limitations are among the many circumstances that can hinder the efficacy of a business’s strategy and thus affect its bottom line.

● Reputational risk encompasses the consequences a business could suffer due to reputational damage. Product recalls, lawsuits, security incidents, and other types of bad publicity are common examples that can erode trust in a business and therefore result in revenue losses.

● Operational risk is the risk of loss due to unexpected errors or damages caused by people, processes, external events, or anything else that interrupts a business’s core operations. Operational risks are numerous and can range from natural disasters and physical infrastructure damage to fraud, cyberattacks, and supply chain vulnerabilities, among others.

Reduce uncertainty through anticipation and preparation

Once you’re familiar with the categories of business risk, it’s important to incorporate them into your BRI program and operations. Keep in mind that business risk is fueled by uncertainty—so in order to reduce business risk, we need to apply BRI in a manner that reduces uncertainty. Although BRI can’t diminish each and every uncertainty inherent to business, what it can do is help us to better anticipate and prepare for uncertain situations that contribute to business risk. 

For example, let’s say an online retailer has faced a series of DDoS attacks resulting in substantial downtime for its website. In response, the retailer wants to apply BRI to help it anticipate, prepare for, and ultimately reduce its risk of disruption from future attacks. But in order to achieve this objective, a BRI operation would first need to consider how previous DDoS attacks have impacted the retailer’s business risk across each category, as follows:

● Financial risk: The DDoS attacks had no effect on the business’s capital structure and thus did not impact its financial risk.

● Compliance risk: The retailer’s compliance requirements include GDPR and PCI DSS, neither of which were violated due to the DDoS attacks.

● Strategic risk: The DDoS attacks did influence strategic risk because the retailer’s strategy is largely dictated by its e-commerce business model. Customers were unable to browse, shop, or make purchases on the retailer’s website during the DDoS attacks, thereby resulting in lost revenue. 

● Reputational risk: The DDoS attacks inconvenienced and upset customers who sought to access the retailer’s website during outages. Many such customers expressed their frustration on social media, attracting significant negative attention to the company, eroding consumer trust, and ultimately exacerbating revenue losses.

● Operational risk: The retailer was unprepared for the attacks and did not have adequate DDoS protection measures in place to protect its website from outages and resulting consequences. As such, the attacks did contribute to the retailer’s operational risk.

Evaluating each category of business risk in this context can enable us to better inform the direction and priorities of a BRI operation. Indeed, since the previous DDoS attacks against the retailer had no impact on its financial or compliance risk, its BRI operation should focus primarily on addressing the strategic, reputational, and operational risks that could potentially be posed by future DDoS attacks.

This type of exercise can also help us identify any additional resources, stakeholders, or business functions that we may need to involve during or after a BRI operation. For instance, let’s say that in the DDoS example above, the retailer’s BRI operation found evidence suggesting that another highly disruptive attack could be imminent in the coming weeks. 

The BRI team would then need to alert the network security team so it could evaluate whether existing DDoS protections would be able to fend off another attack in the near future. The communications and public relations teams should also be notified so that, in the event that the attack results in another outage, they are prepared to address customer concerns, handle press inquiries, and minimize reputational damage. The strategy team, meanwhile, should be looped in as well because it may need to devise strategic adjustments to help recoup any revenue that could be lost due to the attacks.

Indeed, this example reinforces a hallmark of BRI: Because individual threats can affect not just security teams but all business functions across an enterprise, a BRI program needs to understand and account for the different categories of risk faced by all business functions across an enterprise. While even the most sophisticated BRI programs can’t eradicate business risk, they can reduce the uncertainty that fuels it through better anticipation and preparation.