Large organizations have always focused on managing risk, but the technological breakthroughs that have enhanced our world in countless ways have also transformed how leading executives engage in enterprise risk management (ERM). The pervasive and ever-expanding threat of cyber crime means that comprehensive strategies for cybersecurity are now absolutely essential for all organizations.
After all, a report by Cybersecurity Ventures estimates that cyber crime across the globe will cost more than $6 trillion annually by 2021.
The sheer magnitude of the crisis represents a cybersecurity call to arms, and seemingly no one is immune. By now, the list of data breach victims reads like a who’s who of major corporations, governmental agencies, retailers, restaurant chains, universities, social media sites and more:
The Department of Homeland Security, IRS, FBI, NSA, DoD
Facebook, Reddit, Yahoo, eBay, LinkedIn
Macy’s, Saks Fifth Avenue, Lord & Taylor, Bloomingdale’s
Target, CVS, Home Depot, Best Buy
Delta, British Airways, Orbitz
Equifax, Citigroup, J.P. Morgan Chase
Panera, Arby’s, Whole Foods, Wendy’s
The Democratic National Committee
Adidas, Columbia Sportswear, Under Armour
UC Berkeley, Penn State, Johns Hopkins
If you need another reason to drop everything and prioritize cybersecurity risk management in your organization’s overall ERM strategies and systems, consider the recent NotPetya malware attack. Described by Wired as “The Most Devastating Cyberattack in History,” it disrupted global shipping operations for several weeks and caused more than $10 billion in total damages while temporarily crippling such multinational companies as shipping giant Maersk and FedEx’s European subsidiary, TNT Express. All of this happened because attackers were able to infiltrate a networked but unsecured server in Ukraine that was running software that left it exposed to attack.
Despite these and countless other costly incidents and attacks, many organizations have not yet fully incorporated cybersecurity risks into their overall enterprise risk management frameworks.
3 Chief Obstacles to Cyber Security and ERM
The ever-expanding list of high-profile attacks and victims could be seen as evidence that, in many instances, “the adversaries are winning,” according to Richard Spires, a former chief information officer at both the IRS and the Department of Homeland Security, or at least as evidence that there is much work to be done to combat the ongoing threat.
In a piece titled “The Enterprise Risk Management Approach to Cybersecurity,” Spires poses the question: “In an era of ever more sophisticated cyber security tools, how is it that we are actually backsliding as a community?” And he offers three key answers:
Complexity: IT (and cyber security) systems are by their nature extremely complex and in many cases far-flung, so creating airtight security is incredibly challenging.
Highly Skilled Adversaries: The hackers’ tactics and methods continue to grow more sophisticated. Plus, their risk is low because they are hard to catch. They are smart and, with billions of dollars on the line, more highly motivated than ever.
Lack of IT professionals: Cisco reports that 1 million cyber security jobs are currently unfilled worldwide and that “most large organizations struggle to find, develop and then retain such talent.” The shortage of qualified cyber security professionals with the right skills, knowledge and experience is an ongoing “crisis,” according to Forbes.
Uncle Sam Wants You… to Focus on Cyber Security, Enterprise Risk Management
One of the leading efforts to develop protocols that organizations can use to safeguard themselves is sponsored by the U.S. Government — the National Institute of Standards and Technology’s Cybersecurity Framework.
According to Gartner, more than 50 percent of U.S.-based organizations will use the NIST Cybersecurity Framework as a central component of their enterprise risk management strategy by 2020, up from 30 percent in 2015. This voluntary framework consists of “standards, guidelines, and best practices to manage cybersecurity-related risk,” according to NIST, which reports that version 1.1 of the Cybersecurity Framework has been downloaded over 205,000 times since April 2018.
Also, the Center for Internet Security (CIS) has produced “a prioritized set of (20) actions to defend against pervasive cyber threats.” CIS says its protocols are intended to provide “a roadmap for conducting rigorous and regular cybersecurity enterprise risk management processes that will significantly lower an organization’s risk of catastrophic loss.”
CIS, which claims its best practices could have prevented attacks like the data breach that hit the consumer credit reporting agency Equifax, also offers guidelines for the seemingly “overwhelming” challenge of how to build a cyber security compliance plan.
5 Helpful Tips for Cyber Security and Enterprise Risk Management
OK, how about some actionable tips for organizations looking to beef up their cyber security defenses and risk management profile?
Cultivate support of senior management — It is essential for organizations to have strong support for cyber security risk management on the senior management team and to tie it to their overall business strategy.
Increase visibility and awareness — In addition to building up defenses to reduce risk, organizations must also “tear things down.” This means working to better understand the potential spectrum of risk by conducting comprehensive internal vulnerability scanning, penetration testing and “monitoring your infrastructure for the bad stuff.”
Limit your attack surface — Often referred to as “hardening” your potential targets and vulnerabilities, this means coordinating with IT to reduce your exposure and “lock things down.”
Build a culture of security among employees — Employees must be committed to cyber security and clearly understand their specific responsibilities. “Make sure that everybody’s trained, everybody knows what their role is within the organization to keep things secure,” said Yule.
Prepare an incident response plan — “You need to be prepared for when things go wrong,” warned Yule. Notice that he says when and not if. “Everybody will get breached at some point regardless of what you do,” so it is essential that everybody knows “what the plan is to contain and eradicate that threat when it happens.”
© De Angelis & Associates 2020. All Rights Reserved.