Cyber risk management is a board imperative. The CEO is responsible and board members are accountable, but the risks should be looked at holistically across the whole company, and all staff should take responsibility.
All businesses have an inherent risk level, and cyber risk is common to many, if not all. However, the level of risk will vary according to an organisation’s unique cyber DNA – that is, how it leverages and is interconnected with its digital architecture and its business value chain, including suppliers, business partners and customers.
Covid-19 has had a significant impact on the cyber risk level of every organisation. The disruption it has caused will have accelerated business model transformation for many entities and increased their reliance on digital technology.
Many organisations have had to abandon the normal safeguards and assurances of system implementation and embrace a culture of ‘shadow IT’, working outside of normal policy and procedures with the short-term objective of getting the job done. Some have even granted remote users access to internal systems in order to transform a business model at speed. But working outside the agreed safety parameters obviously increases risk.
Cyber criminals have embraced this discombobulation as an opportunity. Law enforcement agencies around the world and the World Health Organization have warned of a huge increase in attacks during the pandemic.
This has further increased pressure on the workforce, which often has to operate in a distracting home-working environment without the full support of colleagues and the organisation’s ecosystem. With key people working from home, a company’s ‘attack surface’ increases, potentially exposing critical assets.
International Compliance Forum
Paul C Dwyer is speaking at the 6th International Compliance Forum which runs online from 24-25 September. The conference will explore the latest developments and trends in corporate governance, and address current challenges facing the global compliance and ethics community. Chairman of the forum Marios Skandalis FCCA, director of the compliance division at the Bank of Cyprus and chairman of the Cyprus Integrity Forum, will welcome delegates and speak at the event, alongside a host of experts from around the world, including ACCA’s executive director – governance Maggie McGhee, and Rachael Johnson, head of risk management and corporate governance in ACCA’s Professional Insights team.
All together now
These changes – and risks – may well be here to stay. As we are all interconnected and interdependent in this digital economy, we need to take collective responsibility for dealing with the cyber risk arising from Covid-19. We have to be multidisciplinary, risk-orientated, pragmatic and adaptable; and we should aim to balance short-term goals with longer-term imperatives.
Here are some actions every business can take to meet the Covid-19 cyber risk challenge:
- Identify your business value chain. Document and prioritise the different entities that make up your business model. Identify interdependencies, criticality and the entities that support your business, both internal and external.
- Calculate your inherent cyber risk. Do this on the basis of your current ecosystem and augmented business operational model – it will be different from pre-Covid-19 and is a key metric to drive informed management decisions.
- Identify your current cyber risk mitigation controls and review the capacity of those controls to support your current risk levels.
- Establish cyber risk metrics, including KRIs (key risk indicators) and KPIs (key performance indicators), to reduce subjectivity in decision-making and to understand inherent risk levels and maturity levels, and thus identify residual risk levels. Use meaningful metrics and take a zero-trust approach to the potential pseudo-science of ‘vendor metrics’: you need to understand how each metric is derived before you rely on it.
- Create a culture of cyber resilience, acknowledging the importance of proactive risk management and establishing a clear structure of governance and oversight. Appoint someone responsible for cyber resilience, reporting to the board.
- Because you can’t do everything and there is no such thing as 100% secure, focus on your critical assets and make sure all the baseline controls are in place and operational. Consider basic cyber hygiene controls, such as patching and monitoring of remote access activity. This may include increased investment in identity and access management solutions to support the new reality of increased remote activity and risk. Automate controls and routine tasks wherever possible, to reduce reliance on scarce skilled staff and free them for the work that needs their judgement.
- Education is one of the most effective cyber risk controls of all, so educate your users in how to operate securely in a remote environment, and educate your business leaders in how to identify and manage cyber risks within their operating environments to support the new business model. Go beyond compliance and enable the business; education will strengthen behaviour and help reduce and manage risk.
- Remember there is no going back, so update your policies, procedures and strategy as you transition to the new normal. On that journey, remember to test and challenge any assumptions being made. One of the most critical and valuable documents you should update is your crisis management plan.
- Take a collective responsibility approach. Internally and externally, up and down the supply chain we all have a part to play. Remember that cybersecurity is only as strong as the weakest link.
We are all making a transition, and change brings opportunity. Digital transformation will continue to accelerate as a result of Covid-19 and there will be additional business opportunities. So while we may feel some upheaval, we may also find new opportunities for improved performance or return on investment.