Cybersecurity is an organization-wide responsibility
The risk of cyber-attacks has never been higher, and according to the Global Risks Report 2023, published by the World Economic Forum in collaboration with Marsh McLennan, widespread cybercrime is one of the ten largest risks for governments and businesses worldwide.
With the continued shift to digital ways of working and cloud-based tools, organizations are becoming increasingly vulnerable to cyber-attacks, with ever more touchpoints for hackers to exploit. Meanwhile, hackers are becoming more effective in their attacks as they move away from “spray-and-pray” tactics towards targeted hits.
The result: the scale and impact of cyber-attacks continue to grow, both from a financial and a reputational perspective, as demonstrated by the recent high-profile attacks suffered by Optus, Telstra and Medibank.
While the majority of cybersecurity spending and effort goes to technology, experts from Oliver Wyman – Julian Granger-Bevan, Paul Mee, James Cummings, and Alon Cliff Tavor – explain that, to be effective on the defensive front, organizations should put in place a holistic, organization-wide approach that complements technology-based security:
Responsibility for cybersecurity within organizations must expand. This is especially the case given that demand for cybersecurity professionals has, over time, by far outpaced the capacity available in the market.
No single team should – or can – be the sole line of defence in an organization, especially when 95% of cybersecurity issues can be traced to human error. Further, every employee needs to be trained, as internal actors are responsible for 43% of data loss, half of it intentional and half accidental.
As Oliver Wyman noted in a 2018 paper, it’s practically impossible for companies to entirely erase the possibility of security breaches, especially when faced with a motivated hacker.
While technical IT teams have a crucial role in the development and design of robust and secure corporate networks, responsibility for cybersecurity must expand to include senior executives across the entire organisation, particularly when it comes to responding to breaches and addressing them.
That means embedding security protocols into every function – from procurement to finance to sales – to ensure there is a company-wide ‘playbook’ for responding to breaches.
A cybersecurity playbook
A playbook can set out how the entire company should respond to a cyber event from the moment a breach is discovered, while also emphasizing effective governance in the midst of a crisis. Established protocols also ensure an organized response, which in turn affects how the company, its shareholders and its customers are perceived.
Who should be called into so-called ‘war rooms’ so that further damage can be mitigated or avoided? Who decides whether to pay a ransom to a hacker? How should the organization communicate with its stakeholders – customers, regulators and shareholders – in order to ensure stability and trust? What sort of documentation is needed as evidence of an organization’s adequate response?
In light of potential regulatory and legal risks, the playbook can also act as evidence to prove that companies have an adequate response in place for when a cyber event does occur, and the resulting governance can effectively mitigate risks that occur in the aftermath.
Prioritize cyber skills at the board level. As cyber-risks rise in importance, company boards need to understand the risks and the consequences. Corporate boards need more tech experience and skills to be able to challenge and question executives on these issues.
Raise cybersecurity standards. Growing regulation around data privacy has already set a minimum security standard, especially when it comes to consumer data. For instance, the European Union’s General Data Protection Regulation (GDPR) requires companies to report a breach within 72 hours. Incorporating these standards into a playbook not only helps build credibility but also ensures companies remain agile in the face of new and potential laws.
Embed security standards across all functions. As responsibility for cybersecurity expands beyond IT teams, companies will need to marshal the cooperation of leaders in every function to ensure an organised response to breaches. This also ensures that an active, cyber defence culture is embedded throughout the organisation.
Invest properly in cyber insurance. Insurance policies play a role in risk mitigation by placing a price tag on a business’s cyber risk. By evaluating the potential profits of any venture against the impacts of the reputational and financial risks of a cyber event, firms can establish stronger governance guardrails at their most vulnerable touch points.
Innovations in better security technologies. Advances in tokenization, digital identity products, and quantum cryptography are emerging every day, and could add another layer of security over firms’ data.
As recent cyber breaches have demonstrated, companies are under more pressure than ever before to mount a robust response to cyber events. These attacks will not abate – in fact, there is little doubt that more frequent and severe data breaches are on the horizon, and the stakes have never been higher. Companies need to proactively mitigate their cyber risks and leverage a whole-organization approach in order to minimize their impact.