Posted: 24 May 2016

Six golden rules for successfully managing cyber risk

People, places and products are all becoming increasingly connected. And, with the breakneck speed of innovation, that’s only going to continue apace.

But, for every yin there must be yang; and the seemingly boundless possibilities opened up by the connected business also come with risks. The more devices we have, and the more data they hold, the more risk they open up. As organisations strive to innovate and drive performance through connectivity, the very things they create engender more cyber risk.

This process can take a number of forms. New business models are creating organisations without borders; they need to protect data and personal information beyond their physical premises. Likewise, technology forces are driving complex, multi-vendor environments, which add vulnerabilities and new potential points of attack.

Products and the means by which they are produced, through initiatives such as Industry 4.0, are now connected too – adding even more complexity and millions more data points to our networks of devices. But in many cases, changes to applications and infrastructure do not adequately consider the new security ramifications this creates.

So the potential threats are many and evolving, as are their sources. A cyber-attack can come from hackers, activists, protest groups, criminals, nation states, or even someone within your own organisation. Likewise, an attack can target anything within your business, from your production processes and the product itself right through to your IP, online presence and customers.

With so many potential aggressors, so many vulnerabilities and so many points of entry, it’s no wonder cyber incidents are so ubiquitous. But the good news is that there are many ways of mitigating cyber risk. The first step is to consider it from a range of different angles, among them: how does it affect customer protection? What does it mean from a legislation and regulatory compliance perspective?

Next, consider how different parts of your business, and the people within it, relate to cyber risk. The board may want to ask whether they feel informed enough. Different business units may want to consider how it could affect their ability to deliver safe and secure products.

Finally, it helps to look at organisations that manage cyber risk successfully. From our experience, they tend to have several common characteristics:

  1. They are executive-led: Leaders set the stage by defining cyber risk management, outlining priorities, setting out how much risk they are willing to take and establishing mechanisms of accountability;
  2. They involve everyone: All departments are included in cyber risk management to help them understand how it affects their side of the business and what steps they can take to mitigate it;
  3. They are comprehensive and integrated: All potential threats to the business’s most important assets are considered, including people, process and technology components;
  4. They focus on programmes, not projects: The best cyber risk management practices recognise that it is a continuous process, and review procedures regularly to make sure they remain fit for purpose;
  5. They reach beyond your walls: Cyber incidents directly affecting your partners, suppliers and vendors may also substantially affect you – so keep that in mind and take the requisite steps towards protecting your business;
  6. They demonstrate behavioural change: Many cyber breaches can be traced back to human error. That tells you that traditional security training, on its own, is not enough. Make sure you take all the precautions necessary and track their impact.

Whatever steps you take to mitigate cyber risk, ensure you’re adhering to three principles: security, vigilance and resilience. That means risk-prioritised controls in place to defend critical assets (security), threat intelligence and situational awareness (vigilance), and preparations in place to help you recover from any cyber incident (resilience).
