Cyber risks like data breaches and ransomware are too often shrugged aside. The possibility of a cyberattack is rarely ignored outright, but it also rarely receives the attention it deserves. There are a few reasons for this:
- Risk-based governance vs. technology. Cybersecurity incidents result from internal governance deficiencies as often as from vulnerable technology. According to Verizon's 2016 Data Breach Investigations Report, 63% of confirmed data breaches involved weak, default, or stolen passwords: a failure of policy and process rather than of hardware or software.
- Some companies delegate cybersecurity to a single department. In these cases one person, for example a chief technology officer (CTO) or chief information security officer (CISO), heads the whole initiative and is not directly connected to the other senior executives. This siloed approach is inefficient for all business processes, not just cybersecurity. Risk should be part of everyone's job description; a true risk-based process cuts across silos.
- Key personnel overestimate the strength of their cyber programs, increasing the likelihood that an incident will take them by surprise. According to a report by BAE Systems, 96% of survey respondents rate their companies' information security as good or excellent, yet nearly 70% of companies hold cyber training programs only semi-annually at best, leaving themselves vulnerable to attacks.
- Organizations naturally assume their data is secure and that the chance of a breach is very small. It is a mistake to think the strength of your cybersecurity defenses only matters once your organization suffers an attack. A clean track record doesn't mean there's nothing to worry about: this year alone there have been nearly 700 data breaches and 30,000,000 records exposed, according to the Identity Theft Resource Center (ITRC). And defenses are judged even without an incident: Dwolla was fined by the Consumer Financial Protection Bureau (CFPB) for misrepresenting its data security practices to customers although no breach had occurred.
Minimize Cyber Risk with a Dynamic, Risk-Based Approach
There's another motivation for developing a strong answer to cyber risk, as we discussed in a joint webinar with OCEG in September, How to Strengthen Cybersecurity with a Risk-Based Approach: you can be hit with hefty penalties for risk-management negligence even if there is no attack. As Dwolla, a small private company, found out the hard way, regulators like the Consumer Financial Protection Bureau (CFPB) do not wait for a breach before selecting a company for examination.
Executives have a personal stake in this process, since "liability for data breaches that affect customers leads directly to the C-suite," according to the Harvard Business Review. Risk-management negligence is much easier to prove than fraud, and policies like the Department of Justice's Yates Memo and the SEC's proxy disclosure enhancements make it ever more difficult for culpable individuals to hide behind the company.
It's not enough to schedule an annual security assessment and then turn to other responsibilities. Cyber threats are constantly proliferating (see our previous post, "New Technology Brings New Risks"). Executives need to start by understanding their current procedures.
The best way to accomplish this first step is to adopt a root-cause risk library: a standardized catalog of the underlying conditions that lead to incidents (weak passwords, unmanaged vendors, untrained staff), which can be used to push consistent risk assessments out to different areas of the business. Risk assessments are the foundation of threat mitigation, and when they reach all the way down to the front lines they become indispensable tools. As we discussed in our recent webinar with OCEG, risk management creates a common framework for all governance areas to help manage risk and allocate resources toward more effective controls, starting with risk identification.
Executives clearly can't be directly involved in mitigating every cyber risk, but by pushing out standardized risk assessments, they can:
- Control the frequency of assessments: rather than being fixed at once a year, risk assessments can be pushed out at shorter intervals or in response to particular events (a new technology rollout or a new third-party relationship, for example).
- Receive information from front-line managers that demonstrates the alignment between objectives and day-to-day operations.
Designing your cybersecurity program with a risk-based approach makes it standardized, regular, and easy for different departments to understand. It also makes it easy for senior executives to ensure their strategic objectives are incorporated into day-to-day operations.
The majority of breaches can be prevented with an enterprise risk management (ERM) approach. Target, Wendy's, and many others were breached not because of a technology failure but because of poor third-party risk management: in both cases the attackers got in through a vendor's access. Cyber insurance is immature and does not currently cover third-party breach risks, punitive damages, or class-action lawsuits. Evidence of an effective risk management program is the best defense against each of these exposures.
The uniformity of the risk-based approach allows the most specialized cybersecurity leaders, like the CTO or CISO, to take the lead but still "work with each team to determine ways to reach goals in the most secure fashion," according to the Harvard Business Review.
To learn more about taking a risk-based approach to cybersecurity, download our free eBook, SEC Cybersecurity: An Annotated Guide. Also download our presentation with OCEG, How to Strengthen Cybersecurity with a Risk-Based Approach.