Doing business in a connected world is both inspiring and frightening. The same connections that facilitate information sharing and global commerce create opportunity for cyber risk. And that risk is becoming bigger and more volatile for organizations of all sizes and in all industries. Cyber risk never has been confined to an organization’s information technology department. Yet, few organizations treat it as a strategic business risk. The impact of cyber risk surpasses technology functions, and therefore the IT department cannot solve the problem on its own. The entire enterprise must align to combat cyber risk and mitigate its impact on the business. The evolution of cyber attacks and their impact on business operations has made managing this risk strategically important.
There’s a telling finding in a recent survey of executives across large organizations by Harvard Business Review Analytic Services. The survey found that while 85% expect the financial impact of cyber attacks and breaches to increase over the next two years, only 26% said their organizations are well prepared for an attack or breach. What’s surprising about this finding is that so few executives consider themselves ready for incidents that are becoming astoundingly frequent and increasingly expensive. Massive data breaches appear in the headlines almost weekly, but consider for a moment that what attracts media attention is a fraction of the overall number of incidents.
At IBM Corp.’s rel="noopener noreferrer" Security Summit in 2015, Ginni Rometty, Big Blue’s chairman, president and chief executive officer, made a startling observation: “We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world.”
Organizations need to make immediate changes to better manage cyber risk. But they are challenged on two fronts: one is the difficulty of fully grasping the problem, and the other is human resistance to change.
Shannon Groeber, senior vice president of Cyber/E&O at JLT Specialty, explains that a major challenge is the growing complexity: “Cyber risk is an all-encompassing term. It’s not exclusively a technology risk, or an online risk, or a people risk. So many components come together and can leave an organization exposed. Cyber risk also is evolving faster than many people realize.
“A few years ago, it was assumed that cyber events exposed people’s information, such as credit card numbers, Social Security numbers and so on. It has evolved way beyond that. We’re seeing many more ransomware attacks, with low demands in Bitcoin, and there’s a different reason for these attacks. Often the ransomware is meant to disguise something else cyber criminals are doing in the system, such as stealing credentials to access other parts of the network,” Ms. Groeber said. “The idea that the most valuable data assets are those that identify an individual is mistaken; that kind of cyber crime is really not as lucrative as it used to be. What is really valuable today is an organization’s trade secrets and the ability to steal or replicate those or hold them hostage.”
Reid Sawyer, senior vice president of Cyber Analytics at JLT Specialty, agrees. “Cyber risk is not simply about data privacy. For any organization of scale and size, they’re at risk from all the threat vectors – breach, ransomware, disruption, network interruption,” he said. “There are a myriad of threats today, and a company has to be successful in every instance. A cyber criminal only has to be successful once. There is an asymmetry of the cyber arms race. Threats are advancing as such a pace that organizations are unable to keep up with them.”
CHANGING BEHAVIOR ON CYBER
Protecting people and property in any organization is a challenging job. Often, risk managers need to alter behaviors at multiple levels of their organizations to reduce downside risk. Pity the risk professional in such situations. Human beings are creatures of habit, and a fundamental reality is that most of us find behavior difficult to change. Amplified across large organizations, which after all comprise individuals, this tendency makes organizations reluctant to embrace change or slow to respond to change.
Organizations are making progress in spreading awareness of cybersecurity among their employees, according to the Harvard Business Review Analytic Services survey. More than two-thirds of respondents include all employees in cybersecurity training, and 37% conduct ongoing, staff-wide cybersecurity training. Yet, other organizational behaviors are still leaving businesses exposed to cyber events. Why?
“Organizations that are the most vulnerable to cyber events are those that don’t have a strategic, cohesive, clear and collaborative approach to protecting their assets. Cyber risk is pervasive, but many organizations approach it narrowly, in silos rather than in a coordinated way. For example, people know their specific roles as they relate to elements of cyber but often do not communicate or collaborate with others across their organization,” said Ms. Groeber.
“Overwhelmingly, organizations are left exposed by treating the risk and the solutions as a technical risk, instead of treating it as a strategic business risk. That mindset inhibits their ability to organize around the problem set in a meaningful way,” Mr. Sawyer said.
The Harvard Business Review Analytic Services survey confirms these observations, finding that only 23% of respondents have a formal strategic plan to address business risks from cyber attacks. In addition, only 21% of respondents’ organizations have defined cybersecurity as an area of business risk and incorporated into their vision and risk appetite statements.
Risk managers already are aware that risks are converging, with businesses more interconnected and exposed to loss than ever before. Organizations cannot afford to maintain a fragmented view of risk, isolated by department or function, and leave those views uncoordinated. That’s dangerous no matter what the risk, whether it happens to be cyber attack or other strategic risks.
WINNING THE WAR
Some organizations are more successful than others in their ability to battle cyber risk. Better-prepared companies are “realistic about cyber risk and have a strategy for how to handle it that goes well beyond a technological response,” Ms. Groeber pointed out. “Restricting network access by function and using two-factor authentication, those are table stakes now. Expanding roles and reporting lines up the CEO and board for those responsible for cyber risk management is consistent with organizations that are more likely to minimize the impact of an attack. Such organizations have a very clearly defined response plan," she added
As the Harvard Business Review study shows, a minority of companies are well prepared for cyber events. According to Mr. Sawyer, such companies “understand that it takes more than a technical solution to solve the problem of cyber risk. They take a multidisciplinary approach that examines the risk across the breadth of the organization.
“They also understand that the volatility of cyber risk in any given vertical in their organization is different. For example, an oil company’s cyber risk will look different upstream, downstream, offshore and onshore. One way to look at it is cyber risk as a whole is greater than the sum of the parts,” he said.
The organizations that are better equipped to weather cyber incidents are those that have clear line of sight into their risks and are communicating well with all relevant stakeholders. Working with expert partners to learn as much as possible about the enemy provides organizations an edge in this era of cyber warfare.