Winning the cyber risk battle
Despite heightened attention and unprecedented levels of security investment, the number of cyber incidents — and their associated costs — continues to rise
Despite heightened attention and unprecedented levels of security investment, the number of cyber incidents, and their associated costs, continues to rise. The discussion usually focuses on the growing sophistication of malicious hackers and other adversaries, and on whether being secure is even possible in today's rapidly evolving landscape of cyber-attacks. Two questions need to be addressed: what is the underlying reason for this trend, and how can organisations actually reverse it and start winning the cyber risk battle?
The first, the underlying reason, has a lot to do with your organisation itself. It is not just about the sophistication of external actors: every increase in your own digital reach adds layers of complexity, volatility, and dependence on infrastructure that is not fully within your control. Your efforts to grow, serve, differentiate and streamline introduce new gaps and opportunities that attackers will try to exploit. Once you recognise this inherent link between business performance, innovation and cyber risk, it becomes clear that protecting everything, while perhaps not impossible, would be economically impractical and would be likely to impede some of your most important strategic initiatives.
The second, how to reverse the trend, starts from accepting that cyber incidents will occur: every organisation must realistically assess its changing risk profile and determine what levels and types of cyber risk are acceptable. Understanding cyber risk therefore starts with specifics. Identifying the specific threats facing your organisation enables you to prioritise what to secure, determine how best to monitor it, and decide what types of incidents to prepare for.
Global banking cyber threats
Globally, the typical cyber threats currently facing the sector include:
- The impact of nation-states, global organised criminal gangs and skilled hacktivists or hackers
- Destructive attacks and loss of client and investor confidence
- Cyber dependencies across the ecosystem, between financial institutions, critical suppliers, and industry partners, creating high levels of third-party risk, insider risk, and social media risk.
The following chart rates the areas of concern around cyber threats in the banking sector, the actors and their impacts, as very high, high, moderate or low.
In a world where it is not feasible to be 100 percent secure, it is of course critical to protect your most important assets. But you must focus equal, and in some cases greater, effort on gaining more insight into threats and on responding in ways that reduce their impact.
Through an ongoing program to become secure, vigilant, and resilient, you can be more confident in your ability to reap the value of your strategic investments.
Malicious actors, especially those motivated by financial gain, tend to operate on a cost/reward basis; if your defences are strong enough to raise their risks and level of effort relative to the value of what they can gain, they are more likely to turn their attention elsewhere.
Given the reach and complexity of your digital ecosystem, you cannot secure everything equally. Being secure means focusing protection around your organisation's risk-sensitive assets: those that you and your adversaries are likely to agree are the most valuable.
These are usually critical infrastructure, applications, and data, as well as specialised control systems. But they are not isolated components. They are part of larger services and transaction chains, so it is essential to address weak points along the end-to-end business process. Strong asset management, for instance, is a significant enabler of secure, vigilant, and resilient practices: you cannot protect, monitor or recover an asset you do not know you have. Proper reconfiguration and decommissioning of laptops and servers, including wiping data and revoking credentials and certificates before disposal or reuse, are critical in preventing data leakage.
Mature processes maintain up-to-date tagging of the critical assets that support high-risk areas of the business, so that protection, monitoring and response effort can be prioritised against them.
Being resilient means having the capacity to rapidly contain the damage and mobilise the diverse resources needed to minimise impact, including direct costs and business disruption as well as reputation and brand damage. While resilience requires investment in traditional technology-based redundancy and disaster recovery capabilities, the bigger picture includes a complete set of crisis management capabilities. Cyber war-gaming exercises consistently reveal issues that would delay an effective response in a real crisis:
- Groups accustomed to operating in silos struggle to agree the relative severity of an incident, and therefore the key actions needed
- Roles and responsibilities, despite the process manual, are often not well understood
- Lack of awareness of law enforcement structures and legal process can mean valuable forensic evidence is not captured, or is captured in a way that cannot later be relied on.
It won’t work without governance
Transforming from a traditional, standards-driven IT security program to a secure, vigilant, resilient cyber risk program is not just about spending money differently; it is a fundamentally different approach. Although the details of such a program are unique to your organisation, successful programs share some common characteristics:
- They are executive-led
- They involve everyone
- They’re programs, not projects
- They are comprehensive and integrated
- They reach beyond your walls
- They cover cyber risk, not just cyber security.