Cyber attacks have been around as long as there have been computers; it is only fairly recently, however, that we have become aware of their extent and of how damaging they can be. In the past three decades, we have seen worms, viruses, trojans, malware and ransomware increase in virulence and frequency, to the point where analysts believe it is only a matter of time before every business that has not yet had its systems hacked most certainly will. In fact, hackers may already be in their systems – they just haven’t realised it yet.
Faced with these unpleasant possibilities, organisations need to be proactive about cybersecurity, particularly if their businesses have online components. Indeed, it is difficult today to find an organisation that does not have an online presence, whether it is just a website offering background information about the firm, or a full-fledged network that includes an online transacting system that allows it to trade across continents. The fact remains that many potential clients search for goods and services online, so having a URL is a must – even if the firm runs the risk of opening itself to cyber attacks.
Because an online presence has become integral to the company’s existence, cybersecurity has now been added to the risk manager’s portfolio and is no longer the exclusive responsibility of the IT department. This means risk managers have to have more than just a working knowledge of IT and cybersecurity-related issues; they have to understand the risks associated with these as well, and as far as possible, collaborate with IT to fix them. Risk managers are ideally suited to this task as they already have a handle on what can prevent the organisation from achieving its stated objectives.
Having deep-dived into everything which constitutes a risk to the firm, they can see where systems may be vulnerable, and where cybersecurity needs beefing up. This has a twofold advantage: the firm doesn’t waste time looking for possible breach points, and the solutions can be quickly customised to the company’s needs or the requirements of individual departments or units. What this translates into is a lower possibility of disruption or denial of service in the event of a cyberattack, and faster recovery if it happens.
In today’s business environment, the threat of cyber attacks on systems and networks is constant because cyber criminals are undeniably ahead of the game. At best, organisations are constantly playing catch-up. Knowing where your own vulnerabilities are is imperative to survival. Organisations cannot afford to waste time, effort or other resources on fixing breaches after they occur, as this impairs their competitiveness and damages their reputation. Identifying your breach points will also help you determine where your resources can be deployed for maximum effect.
Where cybersecurity is concerned, companies cannot afford to relax their vigilance even when security systems are in place because threats are as likely to come from within the organisation itself as they are to originate externally. It is part of the risk management portfolio to develop a cybersecurity risk management plan as well. But beyond identifying the respective points where IT overlaps with other risks, what mitigation measures can be applied to threats as insidious and seemingly inevitable as those connected with cybersecurity? While it is true that not all risks can be mitigated even if they have been identified, there are some steps that the risk manager can take to blunt the edge of cyber attacks.
Firstly, cultivate a culture of risk awareness in the company that includes awareness of the need for cybersecurity. Everyone in the company should be aware that cybersecurity is necessary: a cyber attack will cause service disruption leading to financial loss and damage to the company, and their own online activity, though legal and in the course of executing company business, may inadvertently present an opportunity for hackers to access the system illegally. Any organisation that has an online presence is vulnerable to cyber attack, and every employee is responsible for keeping it safe.
To help them do this, the company has to provide the correct tools and training, which are integral to developing the correct mind and skill set, and the appropriate attitude towards cybersecurity. Training should include the early recognition of a possible breach, and what to do in such instances. For more effective implementation, knowledge should be shared across the organisation, and with the organisation’s stakeholders. In all events involving cybersecurity, speed is imperative. The faster an incident is contained, the less damage it can do. Have a comprehensive cybersecurity response plan, and make sure everyone knows it.
It is worth noting that communication in the event of an incident is very high on the list of priorities. Many companies prefer to keep a low profile when a cyber breach happens, out of confidentiality – and embarrassment! But the longer an incident stays “under wraps”, the greater the possibility of the perpetrator getting away with it, and perhaps doing more damage. Being vocal about being attacked helps other firms; sharing information helps, although admitting one’s shortcomings is never easy. It alerts others to similar breaches, and perhaps makes hackers’ lives just that little bit more difficult!