While some companies might have these plans firmly in place, in a 2017 Airmic survey, less than a third of its members thought their organization was suitably managing cyber risk.
It’s also true that there are now better levels of protection available. Cyber liability insurance, for example, is now becoming more standardized across the industry. As insurers and companies have learned the risks and impacts of an incident, the policy cover has evolved to provide a much better level of protection as well as improved guidance on mitigating risks.
Obviously, risk managers have a key role to play in managing and mitigating the potential effects of a cyber attack. This role is vital in identifying risks, advising on options to prevent or manage them, and implementing change.
As a risk manager, you might consider these steps as part of the successful implementation of your cyber security plans:
You should also investigate your membership and association benefits. Airmic members, for example, get access to many reports and advice on the latest risks and risk management techniques.
There really are no more excuses to ignore cyber risk. For one thing, the General Data Protection Regulation (GDPR) compliance deadline looms: it applies from 25 May 2018 and allows fines of up to 4% of global annual revenue or €20 million, whichever is greater. Good data-management practices are tied inextricably to cyber risk, so you simply cannot treat these two major priorities separately, let alone ignore them.
It’s not just the fines that could put companies out of business. Reputational risk is equally important, as losing customer trust can also have devastating effects. Protecting your data from cyber crime has to be at the top of the risk agenda. The alternative option is opening yourself up to an incident.
In the UK, take a look at the National Audit Office’s (NAO) report into the WannaCry ransomware attack on the NHS, which identified basic IT security failings (unpatched and unsupported systems among them) as the underlying cause of the NHS’s worst cyber attack to date. In the United States, credit-reporting firm Equifax allowed attackers into its systems and suffered a massive theft of consumer data, even though a patch for the web-application vulnerability they exploited (in the Apache Struts framework) had been available for approximately two months before the attack. Organizations just can’t afford these sorts of basic lapses in security.
The business protection available now is much better, so failing to invest in upgraded technology and insurance is unwise. The same can be said for staff training and awareness: rehearse your incident response with exercises, just as you would run a fire drill.
Finally, what the risk management industry now knows is much better. We have excellent risk management information systems (RMIS) available which can analyze copious amounts of data. We have knowledge of hacking techniques and understand the weak links in our defenses. So the time has come to properly manage our cyber risks, and future surveys of risk managers will hopefully show a more positive view of their organization’s cyber risk management.