October is Cybersecurity Awareness Month, an ideal time to examine your organization’s readiness in responding to an imminent cyber attack.
According to Ponemon Institute and IBM Security’s 2022 Cost of a Data Breach report, a cyber attack could cost a company an average of $9.44 million. This figure accounts for financial damage from theft of information, disruption of functions, ransomware demands, destruction of hardware and software, and corruption of data. It does not factor in missed opportunities or reputational damage to the company’s brand, one of its greatest assets, from the loss of customer trust that can follow a cyber incident.
Taking stock of the latest report by Deloitte’s Center for Board Effectiveness (DCBE), this article summarizes the report’s recommendations for integrating business and cybersecurity, improving risk management and governance, and updating incident management processes so that businesses can build resilience amid an evolving cyber threat landscape.
Integrating Business And Cybersecurity
The mindset shouldn’t be that “the IT people” are solely responsible for cybersecurity. The National Association of Corporate Directors (NACD) suggests that leaders approach cybersecurity as the organization-wide issue that it is. Consider these cybersecurity principles to improve management oversight of cyber risk:
- Approach cybersecurity as a risk management issue for the entire enterprise and not just a technology or IT issue. Cybersecurity may have begun as primarily a technology-centric risk, but it has evolved to become a multifaceted business issue. The ability to manage cyber risk is integral to every aspect of business operations.
- Understand the legal aspects of cyber risks that are relevant to the company’s own facts and circumstances. In addition to the business impacts of a breach, companies and directors may also face legal consequences that boards should consider as they set strategy and define risk appetite.
- Access cybersecurity expertise, from both internal and external sources, and discuss cyber risk management regularly in board meetings. Cyber risks should be communicated to the board frequently, with adequate discussion about the company’s threat landscape and risk mitigation strategies.
- Establish an enterprise-wide risk management framework that is adequately resourced. Confirm that the framework is implemented across the organization at all levels and that it has adequate staffing and budget.
- Discuss identified risks with management, including risk prioritization, appetite, and mitigation strategies. This discussion may include a review of options to transfer, through cyber risk insurance, those risks that cannot be practically mitigated.
Improving Risk Management And Governance
Establish an effective alignment between risk management and the internal governance structure to address cybersecurity on an organization-wide basis. This includes defining clear ownership, authority and key performance indicators (KPIs) among all internal stakeholders for critical risk management and reporting responsibilities.
Consider these strategies for integrating cybersecurity practices into how the business operates and makes decisions:
- Review the organizational structure to ensure that the cybersecurity function is adequately represented across the business, internal groups and leadership.
- Understand the basis for, and challenge the assignment of, important roles and lines of accountability for cybersecurity strategy, policy and execution.
- Set expectations that cybersecurity and cyber-risk functions are to receive adequate staffing and funding, and monitor the efficacy of these determinations.
- Inspire a cybersecurity culture and encourage collaboration between the cybersecurity function and all stakeholders relating to, and accountable for, cyber risk at various levels (e.g. compliance, privacy).
- Ensure an accountable officer has authority and responsibility to coordinate cyber-risk strategy throughout the organization and that the organization has a comprehensive plan for data governance.
Updating Incident Management Processes
Cybersecurity response strategies should answer questions such as: What happens in the event of a ransomware attack? How do we respond to and communicate the incident? Beyond these, some newer questions may spark discussion on emerging issues. Such questions might include:
- What is the company’s approach to access management throughout the business? Who is responsible for determining access in each of the company’s functional areas? Which function is requesting and granting the highest number of exceptions?
- What is the approach to incident response in the event of a ransomware attack? What is the recovery time for the company’s most important business operations? How has the company prioritized business operations based on possible impact? Has the response plan been practiced throughout the company up to the C-suite level?
- When was the most recent cyber risk assessment performed, and what has changed since that time?
- To what extent has the risk assessment considered risks related to operational technology, not just information technology?
- What is the cyber assessment process for mergers and acquisitions? How has the company considered cyber risk with respect to integrating an acquired business?
Investing Is The Key To Survival
A cyber attack is a clear and present danger to any organization regardless of its size. Use this guidance to assess your level of preparedness and resilience should one occur.