In the final instalment of his three-part series on how digitisation is changing how we manage risk, Gareth Byatt, principal consultant at Risk Insight Consulting, examines how to deal with cyber risk as organisations adopt new technology.
The adoption of digital platforms, automation and artificial intelligence (AI) is reaping significant benefits for many organisations around the world. As risk practitioners, we must work with our businesses to help them to both maximise these benefits and manage the inherent cyber risk.
Disruptions from cyber attacks hurt businesses large and small on a regular basis. Several large companies, for example, have been subject to malware attacks this year that have caused multi-million dollar losses. Cases of large-scale, high-profile data breaches continue to be reported. Indeed, regulators in different jurisdictions are preparing measures to penalise businesses that do not take appropriate action to mitigate the risk of cyber attacks.
The cyber attack threat continues to grow as businesses increasingly go digital – as seen in the results of a recent StrategicRISK survey of key risks, which names cyber risk as a top threat. As we digitise our businesses, and enjoy the benefits of doing so, the need to ensure our digital networks are secure grows ever more critical.
Back in 2013, the data hack of the retailer Target was shown in a subsequent ‘kill chain analysis’ investigation to have started from a breach of an air-conditioning system. That was before the Internet of Things became widespread. These kinds of ‘back door’ hacks continue to take place. Companies need to ensure their digitisation strategy protects against cyber criminals, to prevent them from accessing their networks to steal data, intellectual property, money or something else.
As The Economist outlined recently, two principles can guide the way that we protect ourselves against cyber threats. The first is to manage cyber security in layers. As risk managers, we can help our businesses to understand what these layers need to be and what controls we require. We can use techniques such as bow-tie analysis to think through preventive, detective and mitigating controls to guard against cyber risk and to agree actions, controls and performance standards to be put in place.
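To make the bow-tie idea concrete, the following is an added illustration (not part of the article, and not a tool from Risk Insight Consulting): a small model of a bow-tie diagram, with threats on the left of the top event and consequences on the right, plus a gap check that flags any threat path without both a preventive and a detective control and any consequence without a mitigating control. The top event, threats, controls, owners and performance standards in `build_example()` are constructed sample data, not figures from the article.

```python
"""Bow-tie gap check for a cyber risk (added illustration, constructed data)."""
from dataclasses import dataclass, field

PREVENTIVE, DETECTIVE, MITIGATING = "preventive", "detective", "mitigating"


@dataclass
class Control:
    name: str
    kind: str      # PREVENTIVE, DETECTIVE or MITIGATING
    owner: str     # who is accountable for keeping the control effective
    standard: str  # the agreed performance standard for the control


@dataclass
class BowTie:
    top_event: str
    threats: dict                 # threat -> list of control names on its path
    consequences: dict            # consequence -> list of control names on its path
    controls: dict = field(default_factory=dict)  # control name -> Control

    def add(self, control: Control) -> None:
        self.controls[control.name] = control

    def kinds_on(self, names) -> set:
        """Set of control kinds present on one path (undefined names ignored)."""
        return {self.controls[n].kind for n in names if n in self.controls}

    def gaps(self) -> list:
        """Findings where a layer of the bow-tie is missing or undefined."""
        findings = []
        for threat, names in self.threats.items():
            for n in names:
                if n not in self.controls:
                    findings.append(f"{threat}: control '{n}' is named but undefined")
            kinds = self.kinds_on(names)
            if PREVENTIVE not in kinds:
                findings.append(f"{threat}: no preventive control")
            if DETECTIVE not in kinds:
                findings.append(f"{threat}: no detective control")
        for consequence, names in self.consequences.items():
            if MITIGATING not in self.kinds_on(names):
                findings.append(f"{consequence}: no mitigating control")
        return findings


def build_example() -> BowTie:
    """Constructed sample bow-tie; every name here is illustrative only."""
    bt = BowTie(
        top_event="unauthorised access to the corporate network",
        threats={
            "phishing of staff credentials": [
                "security awareness training", "multi-factor authentication",
                "anomalous login alerting",
            ],
            # A third-party path with prevention but no detection layer.
            "compromised third-party vendor access": ["vendor access via jump host"],
        },
        consequences={
            "customer data theft": ["network segregation", "incident response plan"],
            "business disruption": [],  # no mitigating control agreed yet
        },
    )
    bt.add(Control("security awareness training", PREVENTIVE, "HR", "all staff trained annually"))
    bt.add(Control("multi-factor authentication", PREVENTIVE, "IT", "enforced on all remote logins"))
    bt.add(Control("anomalous login alerting", DETECTIVE, "SOC", "alerts reviewed within 1 hour"))
    bt.add(Control("vendor access via jump host", PREVENTIVE, "IT", "no direct vendor VPN"))
    bt.add(Control("network segregation", MITIGATING, "IT", "customer data on isolated segment"))
    bt.add(Control("incident response plan", MITIGATING, "Risk", "exercised twice a year"))
    return bt


if __name__ == "__main__":
    bow_tie = build_example()
    print(f"Top event: {bow_tie.top_event}")
    for finding in bow_tie.gaps():
        print(" - gap:", finding)
```

Run as a script, it reports two gaps in the sample: the vendor-access path has no detective control, and the business-disruption consequence has no mitigating control. Those findings are the starting point for the actions, owners and performance standards that the text says should be agreed.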
Various technical solutions exist for preventive and detective digital network controls; smart monitoring of them is crucial. Another important element of prevention is education. A lot of cyber crime continues to involve people being tricked into providing information. Ensuring that your people are vigilant against this threat is important.
When it comes to risk mitigation, segregation of networks across the business can reduce the impact of cyber hacks that manage to penetrate digital defences. Good crisis simulations and exercises can also help businesses to work through how they would respond to a serious network breach.
The second principle is to carefully consider your management of data, including how much of it is stored, where it is stored, and for how long. Information is an asset, and digital technologies such as AI encourage us to retain more data than ever before. While there are undoubtedly significant benefits to doing so, we must protect our digital infrastructure and data against cyber criminals. Risk managers can help by assisting businesses to look at data management in the context of different consequences that a serious data theft can cause. These include financial cost, legal fines, reputational impact, potential human resources issues and business disruption.
Good risk management practices can help us to optimise business performance while safeguarding against the threats of the digital age.
Gareth Byatt, principal consultant at Risk Insight Consulting