With almost daily reports of cyberattacks, intrusions and data breaches, many organisations are unclear what approach to take to ensure their own security. Some view the challenge as an issue for the IT department while others look to senior management and the board for answers.
The confusion that exists around who is responsible stems from the fact that many organisations have a somewhat historic view of how risk should be managed - one formulated in an era before information technology became ingrained in daily business life. The game has now changed but, in many cases, business thinking has not.
Understanding the challenge
Cyber risks are shifting from being something that is rare to something that is, unfortunately, common. At the same time, the threat landscape itself is evolving much more quickly than many people realise.
For many organisations, the challenge is exacerbated because some of the IT systems in use were deployed years ago. They might be monitoring ageing equipment or managing core infrastructure and could easily be missed when measuring the extent of the cyber risk being faced.
It’s only when the total cyber risk profile of an organisation is understood that a holistic plan for its management can be devised and implemented.
A board-level issue
Unfortunately, within many organisations, board-level discussion about cyber risks tends to revolve around fear. Attention is focused on the dire implications of an attack and the fallout one could cause for the organisation.
Often, security professionals will present alarming data about the rates of attack and the extent of potential damage. Their overriding message is that, if everything is not fixed quickly, the organisation could find itself in real trouble.
However, a better focus for board contemplation is how taking action cannot just alleviate risk but also benefit the organisation as a whole. Board members need to be thinking about how lowering the level of cyber risk can support future growth through more effective customer service and more streamlined operations.
The board also needs to consider cyber risk from a legal perspective. It needs to be sure the organisation is not only complying with general regulations but also any that are specific to its particular industry sector.
Also, if the organisation has international operations, they must ensure compliance with the specific regulations that exist within each country. For example, the new GDPR regulations introduced in Europe place strict requirements on any organisation that is holding the personal data of EU citizens.
At all times, directors have a duty to manage the level of cyber risk faced by their organisation, and should constantly consider the reasonableness test when assessing their planned level of action. This is important because risk reduction steps that would be deemed reasonable today are very different from what they were 10 years ago. Directors need to ensure their responses are evolving over time.
More than a problem for IT
The bottom line is that it’s wrong to view cyber security as a technology problem when it is in fact a governance problem. Indeed, if you think the solution is to buy yet another shiny device and plug it into your network, you’re simply perpetrating the myth that it’s possible to buy your way to safety.
While there is clearly a role for products, it’s important to also develop strategies that are much broader. An organisation-wide team should be created that has representatives from the audit and risk committee, the legal department, marketing, sales and senior management.
In this way, all aspects of cyber risk can be assessed and each part of the organisation made aware of its particular role both in mitigation and response should an incident occur.
The team can also be made aware that cyber risk planning can also deliver business benefits that extend well beyond improved IT security.
An example of enhancing awareness in action is CQR’s engagement with the Australian Health Service Alliance where we recently staged an educational seminar for all the organisation’s staff. The presentation highlighted the potential security risks faced by the organisation and the role each staff member could play to avoid incidents occurring.
Australia’s new notifiable data breach regulations also provide a great opportunity not just to reshape how data is managed across an organisation but to educate employees on the potential implications of a data breach. Many businesses collect data just because they have always collected data and have never stopped to ask ‘why’. By actively examining data stores and removing any data that’s not required, business processes can be improved and data analysis streamlined.
The cyber risks faced by businesses are going to continue to grow. However, by taking an organisation-wide approach, led by senior management, it’s possible to not only be fully prepared but to enjoy some additional business benefits from the efforts being made.