Cyber security: no longer just 'an IT problem'
By Dan Thornton.
No business risk in the 21st century has created more challenges and concern to boardrooms and C-suites than cyber security risk.
Reputations have been destroyed with customers and shareholders, and recent lawsuits have raised questions challenging the integrity of senior executives when faced with managing the impact of a cyber attack.
The media have been unforgiving and it is very clear that no nation, industry sector, company or individual is immune. For this reason, it is clear that responsibility for cyber security starts at the top, and oversight of a comprehensive and measurable risk management programme sits with the executive leadership teams.
Today, cyber risk has extended far beyond being "an IT problem." It has become a serious business continuity issue and a core responsibility of the executives of businesses of any size to protect shareholder value.
The World Economic Forum Global Risks Report 2018 identifies cyber attacks and data fraud or theft as the joint third-biggest risk in terms of likelihood, which highlights the clear and present danger of "if not when" an organisation will suffer the impact of loss caused by a cyber attack.
Cyber risk ultimately poses a threat to the balance sheet; however, brand damage and an overall threat to confidence is what should be on every business leader's mind. If an attacker were to gain access to your information technology or operational technology, there are many ways in which they could cause serious harm.
The following consequences are very real as a result of the technology growth factors that have shaped the risk landscape:
Data breach: Sensitive information such as personal data, including personally identifiable information or healthcare information, is accessed, lost or leaked. This is covered by many US and European regulations as information confidential to your organisation.
Transactional fraud: compromised business e-mail accounts or social engineering attacks through manipulation that lead to fraudulent electronic payments.
Cyber extortion and ransomware: Information which an attacker threatens to expose, blackmailing the victim into paying them, and/or data that is inaccessible because it has been encrypted until a ransom demand is paid to the attacker.
Network security liability: Causing damage to a third party by transmitting malware on to their IT systems.
Business interruption and disruption: caused by operational error or malicious software (malware) causing your own or third party services to be unavailable for a period of time.
Reputational damage: Information revealed that could have short- or long-term consequences for your own reputation or that of third parties such as suppliers or customers.
Intellectual property theft: unauthorised access and theft of critical insights and knowledge such as market sensitive data, corporate strategy plans, designs and trade secrets, including merger and acquisition data.
Espionage: gaining access to commercial secrets and data not always necessarily owned by the organisation, such as unreleased film scripts and high net worth individual insurance policies.
Sabotage: deliberate damage to an organisation's ability to operate and potential physical damage to assets.
Embarrassment: Revealing material that could cause humiliation for staff, shareholders and third parties.
Internal reputation: Exposing data which could lead to rumour spread and create fear, uncertainty and doubt among employees in an organisation.
For these reasons, it is critical that organisations remain vigilant and proactively address ways in which to deter, prevent, detect, respond to and recover from cyber security breaches.
It is also important that every business leader asks themselves and their enterprise risk teams (political, financial, operational and security) the following key questions:
What does cyber risk mean to them?
Who is a threat to them and why?
What measures seem proportionate to treat the risk their organisation faces?
What is a reasonable price to pay for that mitigation?
With this ever-evolving and growing threat to business survival, cyber risk should find itself firmly near the top of every organisation's Enterprise Risk Register with the necessary resources being thrown at it to effectively mitigate such a critical risk.
If this subject is not being discussed regularly on the board and C-Suite level, then organisations need to start educating their leadership teams so that cyber risk management can get the 'top-down' support it requires.