Craig McDonald, 21 January 2019 15:48:37 AEDT

Aligning your organisation to tackle cyber risk, and why it must start at the top

For better or for worse, cybersecurity continues to be a fundamental concern for businesses. In fact, 2018 was a year that saw a rise in both the number and complexity of cyberattacks. From Facebook to British Airways, brands from all over the world fell victim to cybercrime and made headlines on what seemed like a daily basis.

Is it any wonder then that 53% of CEOs worldwide stated in PwC’s 21st CEO Survey 2018 that cybercrime keeps them up at night? In terms of CEO anxiety, cyber threats now outstrip technological change, increasing taxes and social instability.

The reason for this is clear – most CEOs and board members now recognise cyber risk as a major business risk. If cyber security is not well managed, an organisation risks business disruption, theft of business secrets or customer data, fraud, and the resultant damage to the bottom line. Along with that comes damage to personal brands too, impacting individual careers and reputations, not to mention the personal toll that incidents can take, and in some instances criminal charges and public humiliation with widespread media coverage and heavy corporate fines.

But despite how pervasive the risks of cyberattacks are, 44% of the 9,500 executives surveyed in PwC’s 2018 Global State of Information Security® Survey say they don’t have an overall information security strategy in place. The result? Companies are underprepared to handle cyberattacks. This gives you a sense of how much work we still need to do.

Understanding the nuances of cyber risk management

We know that many companies are struggling to identify the policies and procedures necessary to effectively govern and manage cyber risk. But what is cyber risk management in the first place?

You’re probably well versed in risk governance processes and structures. Many organisations have dedicated risk experts and committees assigned to analyse and quantify the size and likelihood of various risks. Most often these teams are well equipped to consider traditional risks, like threats to business continuity, corporate governance, market and credit risk, regulatory and operational risk, and even some technology risks. Accordingly, they are charged with drawing up plans, policies and processes to manage and mitigate any downside.

A typical cyber risk governance meeting, by comparison, will often involve delegated IT experts (such as the CIO or CISO) providing regular and frequent updates with qualitative (or quasi-quantitative) estimates of cyber risks. These include the impact of a data leak or data loss, the theft of intellectual property, or the dangers of operational disruption from a cyberattack. There are lots of permutations for each one: is it impacting customers or staff? Are there legal and regulatory ramifications? When did it occur? Is it resolved or ongoing? Do we really know the extent of the problem? Can we say with certainty that it won’t happen again?

Can you see that there may be issues here in relation to cyber risk specifically?

No doubt every category of risk has its own unique challenges, but risk management relating to information security (infosec) and technological threats is a highly complex and specialised area that is still emerging. Despite this, I still firmly believe that cyber risk is a leadership issue. It cannot be delegated, passed off as technical and niche, or assigned to a side committee. When you paint risk in broad strokes to capture all business risks, you can easily find people on the board and in upper levels of management with no concept of what cyber risk is, or how to deal with it. It is essential that we embrace and educate those individuals so that they can help your organisation to be even more resilient.

I have seen highly experienced risk committees that find it difficult, firstly, to understand what is presented and, secondly, to contribute meaningfully to cyber risk discussions. They end up relying heavily (and sometimes unfairly) on their tech teams. This pressurises an already overtaxed team while reinforcing the notion that the CISO has sole authority on the topic.

The result? This works, until it doesn’t. If the company is hit by a cyberattack, the CISO becomes the culprit, and his or her effectiveness is called into question.

How to fix the cyber risk problem

I’ve written a lot over the last couple of years about the critical need for every member of the organisation to play an active role in being cyber vigilant. Every person, regardless of seniority, has a part to play. In releasing Australia’s first Cyber Security Strategy in 2016, former Prime Minister Malcolm Turnbull said cybersecurity can no longer be ignored by senior leaders, or left in the hands of the IT department.

“We must convince leaders, at board level and corporate sector and government levels, that cyber is one of their essential functions,” Mr Turnbull said.

In particular, for cyber risk to be optimally understood and managed across an enterprise we need:

  • Clear governance from the board
  • A dedicated cyber risk management role and/or committee
  • Repeatable cyber risk processes and workflows in all areas of management
  • Unit managers trained in cyber risk
  • Faith in those in charge at each level

This essentially means that while a dedicated cyber risk management role and/or committee does exist to identify and isolate cyber risks and form recommendations, solid collaboration between the board and other business units must exist for them to optimise the cyber risk management process.

Active involvement by senior leadership is made all the more crucial with the implementation of the EU General Data Protection Regulation (GDPR) as well as the Australian Government’s Notifiable Data Breach (NDB) Scheme.

According to the 2018 AusCERT Cyber Security Survey report, “despite financial penalties for non-compliance – up to $420,000 for individuals and $2.1M for organisations [within Australia] – this year’s Cyber Security Survey found that more than a third of respondents did not know if their organisation must comply with the notifiable data breaches scheme.”

With regulations requiring business owners and leaders to take accountability for their cybersecurity arrangements, and making it mandatory for them to provide leadership and direction to ensure compliance with regulatory changes, a critical need exists for alignment when it comes to dealing with cyber risk.

Alignment is critical, from the board, to the CEO and the ELT, through to leaders in each respective business unit, and down to the frontline. Everyone must be aligned in their understanding of the risks of cybercrime and its priority to your organisation. Of course, it starts at the top, and you will have infosec, technical and operational teams that are charged with the execution of plans, but every member of your organisation must play a role in its security.

As a leader, think about what information you need regarding cyber risk, how to get it, and how to build better relationships with the company’s tech leaders so you get a better sense of whether management is doing enough. Review your current cybersecurity strategy. How confident are you in your company’s ability to deal with a cyberattack? How much time are you allocating to cyber risk in your board meetings? Are your employees being given sufficient training on being cyber resilient?

Cybersecurity is such a fast-moving and evolving space that the reality is you will need to continually review and adapt your practices and your resources. It’s about education, creating new business functions, developing a mature cyber risk framework, culture, and more.

Don’t be afraid to get some outside help too. There are plenty of experts out there that are willing to share their knowledge and experience.

Get the facts

Companies are spending more on cybersecurity now than ever before, but those funds aren’t always targeting the most significant dangers. There seems to be a disconnect amongst many CEOs about the sources of cyber threat.

Studies consistently show that more than 90% of cyberattacks are perpetrated via email, yet email security is rarely the biggest item in cybersecurity budgets. If we’re going to win the battle against cybercrime we have to get real about the nature of the threat.

I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.


You can download my e-book for free here.

“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal. 



Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.
Follow me on social media to keep up with the latest developments in cybersecurity and Blockchain; I’m active on LinkedIn and Twitter.
I’d really value your input and comments so please join the conversation.