Almost half of IT and business decision makers lack confidence in board's approach to cyber security, according to Control Risks. Toby Chinn offers advice for risk managers on how to educate the C-suite on cyber risk.
For risk managers, cyber security has become an issue of key concern but where ownership of the risk remains blurred. This presents a greater challenge when it comes to risk management. The reality is, while cyber security issues are now rated as one of the top three risks for 2017 by the World Economic Forum*, for many boards the will to comprehend the risk is there, but the skills and ability are lacking.
Yet, with one of the largest cyber-attacks ever seen on 12 May 2017 inflicting damage on thousands of organisations across 150 countries in less than 12 hours, it is a risk that boards and the wider business must understand. And fast. No organisation or nation state nowadays, however big or small, is immune to the actions of the criminal, activist or nation state cyber community. And the fast-moving nature of the cyber threat landscape is more complex and difficult to protect against than ever before, accentuated by an exponential growth in organisations' digital footprints.
Control Risks surveyed 482 IT and business decision maker professionals in January and February this year to understand how global organisations are approaching cyber security in 2017. We asked respondents about their internal structures and accountabilities to manage these threats, cyber security and crisis management plans, as well as how their organisations are approaching the complex landscape of cyber threats.
The results revealed that despite organisations putting cyber security much higher on the corporate agenda, there remain many challenges around engagement and the right approach even at the highest levels of management.
Adopting a clear cyber security strategy
Worryingly, the survey found that many organisations are still struggling to take a risk-based approach, with over a third of respondents (34%) not having conducted a cyber risk assessment in the past year. Equally, while the survey found most companies now have notional board oversight in matters of cyber security, almost half (46%) of these companies' key IT and business decision makers lack confidence in their board's ability to treat the risk with the seriousness it requires.
This is against a background of cybercriminals developing increasingly specialised and easily available tools with which to attack higher-value targets among SMEs and big business. No wonder then that almost a third of respondents (31%) reported that they are very or extremely concerned that their organisation will suffer a cyber-attack in the next year.
How should risk managers respond?
So what can be done to educate the executive board on cyber security issues and ensure they are giving you and your colleagues the tools and resources to tackle the issue?
You don't need to wait for a big attack to ask the right questions internally. In fact, regularly flagging small breaches that occur to the board is a useful way to raise questions internally about how your own organisation is approaching its cyber security risk. Ensuring cyber security becomes a regular board topic - including reviewing the organisation's external threat landscape with either an internal or independent external cyber security expert - will form an essential part of the board's education.
This can help ensure the cyber security budget is not only sufficient but also allocated as effectively as possible. Equally, conducting regular cyber crisis management exercises that involve all relevant parties - including the C-suite, IT, legal, communications and any other members of your crisis management team can ensure all parties understand their roles and responsibilities in the event of an attack, and the potential implications.
Assessing the cyber risk
Organisations, no matter their size, should always start with the threat. This should involve considering the specific cyber security threats to the organisation, what impact these threats might have, and how current controls mitigate them. Having assessed these risks, the organisation can then integrate them into the organisation's overall risk management strategy.
As most risk managers know, when assessing the risk, it's important to undertake an iterative and ongoing risk assessment to truly understand the organisation's evolving risks. Despite 68% of respondents to Control Risks' survey performing a cyber risk assessment in the past year, almost half (46%) also cited this as their biggest challenge. This could indicate that the risk assessments being undertaken are not sufficient to shape an effective strategy and drive the change really required across the company.
Arguably more concerning are the other 32% of respondents who said they had not conducted a risk assessment at all within the past year. In view of the dynamic threat landscape, these businesses are clearly leaving themselves more vulnerable by not assessing their cyber risks more frequently, if at all, compared with those that have done so at least once in the past year.
Developing an effective security posture requires a comprehensive cyber risk assessment to identify gaps in cyber security across the wider organisation and potential legal, reputational and financial implications of a breach. This risk assessment should start by taking the whole business through the process of how an external threat actor (such as a cybercriminal) might attack the organisation's systems.
As major attacks such as WannaCry illustrate, businesses often won't really know how ready they are for a major attack until it hits. With such a fast-evolving cyber threat landscape and continual growth of new tools and tactics, it is essential that potential cyber risks to the business are assessed in a holistic manner on a regular basis and that cyber security is not just perceived as something that needs to be handled by the IT team, but is a challenge for the entire business.
Toby Chinn, is head of cyber security at Control Risks. To read the full report from Control Risks please click here.