Virtually all cyber exposure programs today are directed at addressing the cyber exposures an organization faces from its own resources and activities and from outside sources. This is necessary but not sufficient.

Why? Because most organizations also face secondary cyber exposures that they are neither aware of nor prepared to address. For example, many organizations do not manage, or own their own properties but inhabit facility space managed by someone else. That someone, generally a building manager, is responsible for facilitating building services (HVAC, elevators, water, sewage, electricity, and the like). Most of these building managers are investing heavily in various devices and systems, under the common category of the Internet of Things commonly called IoT, to allow them to be more effective managers. All with an eye to improve their costs and provide improved performance to their clients. Unfortunately if the building managers do not pay attention to their building’s cyber exposures inherent in IoT, the buildings will become targets of cyber predators. The implication of this is that if such an attack occurs the occupants of their facilities will suffer a disruption that they were unaware was even possible and for which they are unprepared.

So what should you do? The following are some suggested steps

  1. Identify where you might have secondary cyber exposures by determining.
    1. Who manages your facilities
    2. What external services you are dependent upon
    3. If your business partners[i] have cyber exposure management programs. Try to determine if they are effective. You might consider asking them to take our cyber exposure toolkit available at the global risk academy It would provide you with a quick assessment of a building’s cyber exposure program. 
    4. If their are dependencies that are not directly under your control.
    5. Determine the potential impact of your secondary cyber exposures
      1. Consider triage to categorize and prioritize your secondary cyber exposures:

                                          i.    critical secondary exposures – those which, if an event occurred, would materially affect your organization,

                                         ii.    moderate secondary exposures – those which would affect your organization but not materially,

                                        iii.    modest secondary exposures – those which would only affect minor aspects of you organizations operation,

                                       iv.    nominal secondary exposure – those which even if , even if a cyber event occurred, the impact on your organization would be minimal.

  1. Determine what is the effectiveness of your facilities cyber exposure management programs. Once again you might consider asking them to take our cyber exposure toolkit available at the global risk academy It would provide you with a quick assessment of their cyber exposure program. 
  2. Take appropriate steps to address these secondary cyber exposures.
    1. Work with business partner to improve your protection against cyber exposure
    2. Get appropriate cyber insured
    3. Change organization to minimize secondary exposures. Consider alternatives.
    4. Ensure you have the necessary legal protections by way of contractual agreements including liability and indemnification provisions.

If you want to have a secure cyber eco-system you need to care about your secondary cyber exposures and have a program underway to address them, or suffer when the unexpected occurs.  

If you are concerned and would like more information on secondary web exposures contact us at


To learn more about cyber exposure management, you might want to join the online Cyber Exposure Management Course Series.

Here are the options:

Option 1. Understanding Cyber Exposure - For Beginners

Option 2. Advanced Cyber Exposure Management

– Part 1 - Identifying Cyber Exposures 

– Part 2 – Cyber Exposure Program Management

Option 3. A Bundle of all 3 courses - 35% off the original price - ...

(most cost effective option)

[i] We are using the term ‘business partner’ to mean your suppliers, vendors, customers, financiers, bankers, sub-contractors and the like. Anyone who you interact with and whom you depend on for your organization to operate.

Votes: 0
E-mail me when people leave their comments –

You need to be a member of Global Risk Community to add comments!

Join Global Risk Community

    About Us

    The GlobalRisk Community is a thriving community of risk managers and associated service providers. Our purpose is to foster business, networking and educational explorations among members. Our goal is to be the worlds premier Risk forum and contribute to better understanding of the complex world of risk.

    Business Partners

    For companies wanting to create a greater visibility for their products and services among their prospects in the Risk market: Send your business partnership request by filling in the form here!