Every modern organisation knows that cybersecurity is a hot topic. From high-profile breaches in the news to increased investment in security talent across industries, there’s little doubt that companies need to wake up to the risks of cybercrime.
But this doesn’t always translate into action on a day-to-day level, and it’s unclear just how many businesses are taking enough accountability on cybersecurity.
Nicola Crawford, CFIRM, Chair of the Institute of Risk Management, said in the organisation’s 2017 Risk Predictions: “Enterprise Risk Management has never been higher on the agenda; organisations need to ensure that risk in the boardroom is taken seriously to ensure organisational success and longevity.
“Disruptive business models, the Internet of Things and the impact of a more connected world will all be factors changing the way we work. Although these are exciting times, the role of the risk manager has never been more important, with many opportunities and challenges for business.”
Over the last 12 months, RSA found that the vast majority of organisations included in their survey had experienced a significant cyber event that negatively impacted operations, and 5 per cent reported more than 40 of these attacks.
Whose responsibility is it?
Primarily, setting your risk appetite is about determining how much risk your company is willing to accept while still comfortably achieving business objectives. All of this depends on the nature of said objectives, as well as the size and complexity of the organisation as a whole.
Some losses may be deemed acceptable, while others may be too costly to tolerate.
Division of this accountability is key, and should be split between the CEO, CISO and CRO to ensure business objectives and risk are balanced in accordance with goals and priorities across the entire organisation. Security takes resources, and they have to come from somewhere.
This also ties into the concerns companies have in relation to risk management, with reputation loss coming out top in RSA’s cyber risk survey. Perhaps a less tangible problem than business interruption or breach of customer information – second and third, respectively – a hit to reputation can have potentially devastating long-term consequences that are more difficult to measure.
Understandably then, the focus of most organisations is external threats coming in from outside the company, but attention must also be paid to those internal risks that could similarly harm the business. Many of these can be unintentional and the result of human error, but they can be equally dangerous if not properly managed.
How often should cyber risk be reviewed?
Cyber risk is not a fixed, unmoving thing, and shouldn’t be treated as such. Determining a company’s risk appetite, then, should be an ongoing process that is continuously reviewed. Cyber attacks are rising with alarming frequency and growing more sophisticated, with almost seven in ten large businesses having identified a breach or attack in the past year, according to Gov.uk’s Cyber Security Breaches Survey 2017.
Ciaran Martin, CEO of the National Cyber Security Centre, said: “By getting the basic defences right, businesses of every size can protect their reputation, finances and operating capabilities.”
There does appear to be an uptick in accountability amongst companies, with 65 per cent telling RSA that cyber risk is now a regular topic brought up at board meetings. However, of these organisations only 23 per cent claim it is brought up in every meeting, with the rest discussing it every other time.
The remaining 36 per cent of respondents to RSA’s survey continue to risk the security of their organisations, with 17 per cent admitting that the matter is discussed just once a year and 16 per cent dealing with it ‘ad hoc’.
Determining cyber risk appetite has never been more important, and business leaders must work to bring these discussions into board meetings with more frequency. As the cybercrime world evolves, so too must its potential victims.
Source: ITPro, Caroline Preece.