How Cyber Resilience Helps With Managing Business Risk


Historically, cyber resilience was seen as the job of the information security team alone, but times – and expectations – are changing. Now more than ever, company executives must take greater responsibility for their organisation's ability to prevent, withstand and respond to cyber attacks, say two leading consultants.

One of the biggest mistakes companies make around cyber resilience is seeing it solely as a technology issue, when actually it is a business issue. So, while the Chief Information Security Officer's (CISO's) name might still be synonymous with cyber security, executive management and the board also need to step up to the plate.

In the words of Nick Seaver, Partner in Deloitte's Cyber Risk Services Team: "Cyber security needs to be owned by the executive committee." This, he says, includes ownership of wider cyber governance as well as providing strategic input to an organisation's cyber risk framework and risk appetite. "The board then need to ensure they have the skills and knowledge to appropriately guide and challenge executive management," he adds.

Ian Benson, Director, Cyber Security, PwC, agrees that the board and executive team should be taking a more active role in cyber resilience, but starting with the fundamentals.

"Firstly, they need to understand their own digital footprint – including their external exposure and how that could be leveraged to attack them. After all, CEOs and CFOs are increasingly being personally targeted by hackers. Secondly, they need to be active in setting the tone from the top, to help instil a culture of cyber security throughout the organisation."

According to Seaver, this 'tone from the top' should be set by board members having active visibility of their cyber security and resilience programs. This, he believes, should include regular briefings from executive management and delegated specialists around the latest threats, unsuccessful or successful breaches, and mitigation measures where controls have been found to be insufficient or compromised.

A positive philosophy

Benson advocates a slightly different approach alongside this. "The board needs to help spread the message that cyber resilience is an enabler and that being good at security can have a positive impact on the business – potentially helping the organisation to be quicker to market, or making it easier for the company to reach customers through digital channels. Talking about it in those terms really helps to define the culture," he notes.

The reason Benson believes that instilling a culture of cyber security across the whole organisation is so important is that "the large majority of cyber attacks begin with the end user." These attacks might include an employee clicking on a phishing email, or being socially engineered to disclose their password. "Unless you instil that culture right across the business, and make cyber resilience a part of everyone's role, you're never really going to tackle the problem," he explains.

Of course, training is an important tool in reducing that end-user threat, and both Benson and Seaver cite a lack of focused cyber awareness training as a common pitfall among companies of all sizes. Further investment in training should therefore be high on the executive agenda.

Avoiding the traps

Another frequent oversight is spending insufficient time planning and practising how to recover from an attack. "Corporates need to take a structured approach to cyber security – identify, protect, detect, respond and recover. Too often organisations focus on just one part of the process, such as having controls in place, and don't spend enough time on planning the recovery piece," says Benson.

"Investment in pre-event cyber-specific planning is crucial," agrees Seaver. "The development of predefined playbooks that set out the considerations and likely options can help guide any organisation-wide response," he notes. Cyber simulations are another important tool that can help the board and company executives to make difficult decisions in the event of a cyber attack, say both Benson and Seaver.

From dealing with the press to communicating with shareholders and cutting off certain parties' access to systems, 'dry runs' can "help everyone understand their roles and responsibilities in a cyber incident or crisis, both internally within the organisation and externally within their sector," notes Seaver. Moreover, war gaming and simulations to 'stress test' incidents and crisis response plans can actually help identify the strengths and weaknesses of an organisation's cyber capabilities, he adds.

What all this talk of planning and practising highlights is that people and processes, not just technology, lie at the heart of successful cyber security – which is precisely why boards must increasingly take responsibility for cyber resilience.
