Digital technologies have evolved more rapidly than any innovation in the history of mankind. Digital advances, new devices, and media have given us great benefits, and offer immense opportunities but their usage also exposes us to considerable cybersecurity risks. Every day the media is reporting on new data breaches and cybersecurity-attacks. Organizations suffer financial losses, reputational damages and regulatory penalties. The challenges arise as a result of human error, technology misconfiguration or deliberate wrongdoing. Many governments and regulatory bodies are coming up with new laws and regulations to protect assets and national infrastructure.
In many organizations the risk management team is responsible for managing cybersecurity-risk. They should have a full understanding of the risk landscape and the tools and techniques that are available to address them. Recently the trend is that both regulators and investors expect an organization to provide information on their cybersecurity exposures, which should be combined with the organization’s overall understanding of risk exposure and appetite.
Cybersecurity-risk is never a matter purely for the IT team. Organizational factors are just as important as having the right hardware and software and are critical to having a cybersecurity-aware business culture.
What is Cyber-risk and Cyber-risk appetite?
Cyber-risk is any possibility of financial loss, disruption of services, information disclosure or damage to the reputation of an organization resulting from the failure of information technology systems.
Cyber-risk appetite is the level of cyber-risk that an organization is prepared to take on in order to achieve its objectives.
Why us? Small and medium businesses are not immune to cyber-risks!
There is growing evidence that cyber criminals are targeting these organizations, since they lack cybersecurity expertise. The following data is worth noting. Firstly, 46% of all cyber breaches impact businesses with fewer than 1,000 employees. Secondly, 61% of SMBs were the target of a cyberattack in 2021. Lastly, 37% of companies hit by ransomware had fewer than 100 employees. Statements like “we are too small to worry about that” – or “we don’t have any data worth stealing” are clearly no longer accurate. For those who think their business has a low profile and is not on the radar of hackers – I plead you to think again.
Do we need cyber insurance?
Several of the risks of a data or security breach can be covered by having a cyber insurance policy. This is part of your cyber-risk control program. In our opinion one of the most helpful things about seeking cyber insurance is that it requires companies to have sufficient controls and preparation in place just to be considered eligible for the insurance. The implementation of controls, including incident response plan, is not only helpful, but necessary.
Organizations should have a comprehensive strategy for what happens in the event an attack occurs, including how they are going to recover from financial losses and reputational damage. That’s where cyber insurance is, of course, also beneficial. A cyber insurance policy will possibly assist a company in dealing with costs during and after an attack.
Is training important?
Yes! People are the weakest link in the chain, and they are also the business’ main asset and defence. Investment in employee training programs can help, particularly where account is needed of the organization’s risk culture and how this influences the transfer of what is understood into daily task in the workplace.
A few questions your organization can ask itself:
- Do we have organization wide risk management program in place and is a cyber-risk program fully integrated into this program?
- Do we have roles and responsibility document for risk management function?
- Have we considered risk appetite in relation to their cyber-risks?
- Do we invest adequately in cyber-risk treatment?
- Does our organization’s culture encourage the necessary actions to manage risk?
- Do we have internal audit program for cyber-risk management?
- Do we have any mechanism in place to know if we are being attacked?
- Do we have a tested incident response plan?
- Who declares a cyber-risk incident?
- Do we include cyber-risk scenarios in our business continuity plan?
- Do we have an effective cyber-risk training program?
- How do we report breaches and subsequent actions?
If these questions leave you uncertain, confused or just plain worried, first know that you are not alone. The IT and cyber security landscapes are increasingly as complex as they are necessary. You do not need to solve all your business’ IT and cybersecurity concerns alone – that’s where we come in.