Why You Need to Update Your X-Analytics Profile
- Mar 3, 2024
Like most things in business, your X-Analytics cyber exposure profile will change over time. As such, it is important that you revisit your profile and update answers where applicable.

What is your cyber exposure profile?
Within X-Analytics, your cyber exposure profile is your unique business configuration that directly relates to your cyber exposure outcomes. For example, the number of records that exist within your business has a direct relation to your data breach exposure outcomes. Every component of your exposure profile relates to one or more of the following cyber exposure categories:
Data breach: Data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. The severity (or cost) of a data breach is based on record volume and the types of records included within the breach. Data breach costs include ID protection services, forensics, regulatory fines, brand damage, and many other cost elements.
Business interruption: Business interruption is the intentional or unintentional disruption of one or more information technology (IT) or operational technology (OT) systems. The severity (or cost) of a business interruption is based on IT or OT system criticality, breadth of disruption, and duration. Business interruption costs include revenue loss, forensics, recovery, brand damage, and many other cost elements.
Misappropriation: Misappropriation is the intentional, illegal use of intellectual property (IP), funds (FTF), or services via a cyber incident. The severity (or cost) of a misappropriation incident is based on the value of stolen intellectual property, stolen funds, or the direct liability related to an impacted service. Misappropriation costs include stolen property, lost profits, legal fees, forensics, and many other cost elements.
Ransomware: Ransomware is the intentional deployment of malware intended to encrypt data within one or more information technology (IT) or operational technology (OT) systems to extort money from the victim. The severity (or cost) of ransomware is based on the breadth of infection, duration, and the extortion. Ransomware costs include the extortion amount, revenue loss, forensics, recovery, brand damage, and many other cost elements. (Note: In recent times, ransomware is shifting from a pure availability incident to a data breach incident to further extort money from the victim.)
Why do I need to update my cyber exposure profile?
You need to update your cyber exposure profile because elements within your profile change over time. Some of these changes will increase and some will decrease your cyber exposure. In either case, it is always best that you make informed decisions from a profile that best represents your business.
Is there any guidance on which profile elements I should change and how often?
Yes. The answer to both questions will vary from one business to another. However, the guide below works generally for all businesses:
| Profile Element | Related Exposure Category | Review Frequency | Reason |
| --- | --- | --- | --- |
| Revenue | All exposure categories | Quarterly | Your revenue will change due to business expansion and contraction. |
| Operating regions | Data breach & misappropriation | Quarterly | Your operating regions may change due to new markets and withdrawal from underperforming markets. |
| Data record volume | Data breach | Every 6 months | Your record volume will change due to business growth, acquisitions, and record purging. In fact, record purging is an effective method of reducing data breach exposure. |
| Data record type | Data breach | Every 6 months | Your record type will change due to business modification, acquisitions, and divestments. |
| Revenue recapture | Business interruption & ransomware | Every 6 months | Your business's ability to recapture revenue might change due to new products, services, SLAs, competitive status, and other reasons. |
| Endpoint volume | Ransomware | Quarterly | Your endpoint volume will change due to business expansion and contraction. In fact, purging outdated and unnecessary endpoints is an effective method of reducing ransomware exposure. |
| Value of intellectual property | Misappropriation | Every 6 months | Since your initial value of intellectual property might be based on an estimate, you can use this frequency interval to tune your estimate. Intellectual property value is often underestimated, and it can change due to new products and services, divestments, and acquisitions. |
| Daily electronic payment volume | Misappropriation | Quarterly | Your daily electronic payment volume will change due to business expansion and contraction, acquisitions, divestments, and shifting away from legacy non-electronic payment methods. |
| Control maturity | All exposure categories | Quarterly | Even though most NIST CSF and other framework audits are updated annually, your control maturity is constantly changing due to new technologies, cyber risk investments, acquisitions, lack of governance, and many other reasons. |
In Summary.
Like most things in business, your X-Analytics cyber exposure profile will change over time. As such, it is important that you revisit your profile and update answers where applicable. Your cyber exposure profile is your unique business configuration that directly relates to your cyber exposure outcomes. It is always best that you make informed decisions from a profile that best represents your business.