Enemies at the virtual gate
In your experience, how is cyber-crime currently viewed within the governance landscape?
Risk-management professionals around the world overwhelmingly view cyber-risk as one of the top risks organizations must address. It stems from a greater dependence on technology. Businesses are racing to keep pace with the world around them, competitors and customer demands. Many are adopting new technologies too quickly, without doing proper due diligence regarding the impacts and exposures new technologies can present.
Governance provides structure to technology adoption and, as such, offers checks and balances to ensure all stakeholders within the organization are aware of the technology and its propensity to deliver value, as well as the potential exposures. With governance processes in place, organizations are better positioned to monitor the implementation of technology and develop robust cyber-security measures accordingly.
What are the main cyber-security threats IROs need to be aware of?
While robust data security measures are vital to prevent business interruption losses and ensure compliance with data privacy laws, it is also important for IR professionals to recognize a cyber-breach’s impact on corporate reputation.
It takes years for an organization to build its reputation, but the onset of a cyber-attack – especially one that results in business interruption or compromised customer data – can shatter that reputation instantly.
There are several marquee examples of organizations that failed to adequately protect data and immediately saw an erosion in stakeholder and investor confidence. Articulating the connection between a cyber-breach and corporate reputation to leadership will help IROs get the resources they need to proactively prepare for an attack and efficiently lead the response to one.
What counter-measures can IR professionals take?
From the risk professional’s perspective, organizations that are proactive about cyber-risk are better equipped to rebound post-attack. The same holds true for IROs.
Establishing a cyber-breach crisis team in advance is a best practice for successfully managing an attack. Made up of business leaders from across the organization – including IT professionals and risk-management leaders – the team can enhance cross-departmental communications and help inform crisis response.
Additionally, a team approach creates a channel for incidents or suspected attacks to be escalated to a higher priority for response and mitigation. It also enables the organization to identify the business areas that will be impacted, as well as guide how the organization should address the situation.
Stakeholders are going to want to know exactly what happened as well as what steps the organization is taking to prevent that situation from ever happening again.
To that end, organizations that are forthcoming and that provide clear and concise messaging are much more likely to maintain public trust and consumer loyalty.
What should an IRO’s response plan look like if a cyber-attack occurs?
Each organization and each cyber-attack is different, but establishing a team of professionals to lead the organization’s response will significantly improve its ability to reduce the impacts of a breach.
An IRO’s plan must include a framework for the organization’s experts to not only share insight on the cyber-attack, but also help other stakeholders – who perhaps do not have the same expertise – to understand the situation.
Once the situation is fully understood and can be expressed in a way that is easily digestible by the broadest group of stakeholders, IROs should work with their crisis communications team to inform those affected, keep them abreast of the situation and outline the security measures the organization has embraced to prevent a recurrence.
Can companies do anything else to protect themselves?
Many organizations have opted to buy cyber-insurance that can, in fact, support an organization’s response to a cyber-attack. It is imperative that IR professionals work closely with their risk-management teams to fully understand what exactly the insurance product covers, as well as the suite of services that may be included in the policy, such as threat monitoring, forensic investigation and crisis management support.