Risk reduction and cybersecurity

Issue 3 2022 Security Services & Risk Management, Cyber Security

Risk management is critical to a business. We can find examples as far back as recorded history allows with ship and cargo owners routinely taking up insurance to cover risky voyages. Risk grew as companies became more complex, and today’s risk manager must juggle many physical and esoteric risk considerations.

It’s tempting to mitigate risks by nailing everything down, but that isn’t a practical reaction for certain parts of an organisation. Today’s business risks are not just about preventing the negative, but also supporting the positive.

Cyber risks are a perfect example. In an ideal world, a company would make its IT and data systems impenetrable. But employees, partners and customers need continual access to those resources. This tug-of-war between productivity and security is tricky to manage, and many risk managers find themselves outmanoeuvred by operational demands. Yet they are also at the forefront of helping make digital safe and practical for their businesses.

“Risk and IT professionals are converging around cyber risk,” says Lior Arbel, head of pre- and post-sales at cybersecurity audit service, Encore. “The IT guys understand the technical and process challenges of technology while risk managers translate much of that context for the business. For example, if a CFO weighs technology purchase decisions, they often take in the views of risk managers; and as new technology regulations prompt more involvement from company leaders and boards, they also rely more on risk managers to add a business context.”

Risk is one of the ways a business strategically understands its technology. Yet grasping those risks is more often about complexity, Arbel explains.

“Companies are becoming very complex in how they operate and the environments they operate in. Risk management naturally rises to handle that complexity. Since digitisation introduces many new complicated relationships in a company, risk managers cannot avoid the topic. They have to be in the thick of it.”

The topic of cyber risk is complex and will occupy business theorists for decades to come. This article aims to answer a more straightforward question: how should risk managers think about cyber risk? What are the main considerations and red herrings? How would you know you’re mitigating cyber risk?

Six areas that help define cyber risk theory and practices

1. The types of risk: Cybercrime is the most visible cyber risk. Hackers attempting to breach company systems and steal sensitive information require serious responses. But there are also other cyber risks, such as employee negligence, abuse of systems, infrastructure failure, and poor legal compliance. Though some of these have straightforward mitigation strategies, it’s important to understand that all cyber risk interrelates. Just taking care of one area, such as regulation, won’t be sufficient.

2. The types of damage: To create an overarching picture of how to rank cyber risks, start with the potential damage – how an organisation could be harmed most. Stolen data is often the biggest problem, and the impact varies with the type of data: customer, personal, operational, company IP, etc. Business continuity is another big concern: will a cyber incident stop employees, partners and customers from transacting, and for how long? System downtime is often the costliest part of cyber breaches or negligence. Regulations are the third primary consideration: what are the legal implications and fines resulting from non-compliance?

3. Who owns the risk: Many organisations are still uncertain about who owns cyber risk or are unwilling to accept it’s no longer solely IT’s problem. Numerous laws, such as the Protection of Personal Information Act (PoPIA) and governance frameworks, such as King IV, place the responsibility on business leaders, the executives, C-suite and board. It’s not just a question of compliance. Technology is so intrinsic to modern business that leaders must accept technology as a strategic responsibility. It influences their costs, current performance, future investments, and the full gamut of strategic requirements: strengths, weaknesses, opportunities and threats.

4. Identifying risks: There is no single or large act that will sweep across cyber risk. Instead, most risks exist in specific areas of the business. For example, the storage, flow and access of personal identifiable data (PID) creates a number of risks related to compliance, employee behaviour, access rights, infrastructure performance, and operational efficiencies. Yet there will be many overlaps: PID might transact on collaboration systems that also work with company IP data.

5. Mitigating cyber risks: You might be shaking your head: cyber risk is holistic and all-encompassing but also specific. Where do you start? The good news is that you can exploit overlaps in cyber risk. For example, focusing on PID risks will reveal risks in other areas that often benefit from the same mitigation strategies. Stricter access management of user accounts around PID can help reduce risks, as can meeting ISO/IEC 27001 compliance. Improving PID database infrastructure can also improve productivity for other types of data.

6. Create a cyber risk culture: A collaborative culture is essential to mitigate cyber risks. Risk managers and technology managers should work together to understand different dimensions of the problems and opportunities at hand. Employees must receive training to help avoid negligence. Companies should employ senior security managers, and if they can afford it, a chief information security officer (CISO). Crucially, the C-suite and board must have access to someone with security knowledge.

These considerations are broad and demanding, and shortcuts are few. But risk managers can still generate a few quick wins. Foremost, support the security teams. Good digital security is a complex and layered discipline, and security professionals can spend a lot of time finding gaps, poor configurations or over-powerful user accounts.

Invest in security and user account monitoring/audit software. Also look at enhancing security monitoring with service partners to provide security orchestration, automation, and response (SOAR), security information and event management (SIEM) and a security operations centre (SOC) as services (often under the banner of managed security services).

Above all, build closer ties to technology and security leaders. Don’t just rely on blunt mitigation strategies such as cyber insurance. Reducing cyber risk is a matter of culture and strategy. Embrace that concept and you'll take control of cyber risk.

Find out more at www.encore.io
