There are three primary reasons all risk professionals should actively manage cyber risk: to comply with regulations, its frequency, and its severity. But what can be done about this problem? In a study by Accenture Insurance, only 43% of executives believed that their organization’s cyber defence was fully functional. Cyber risk is a difficult threat to manage as technology is constantly changing and there isn’t one clear cut solution. This list of strategies can be used individually or in tandem to reduce any organization’s cyber risk.
1. Monitor the risk environment
Risk professionals should continuously monitor potential risks and explore new trends as they arise to determine what will be most likely to impact the organization. Quantify exposures and vulnerabilities on a big-picture scale to create a thorough understanding of the risk environment. New cyber risk factors could include a change in common hacker strategies, a newly identified gap in the security system, or an updated technology that leaves current systems out-of-date.
There are many risks included under cyber risk: data breaches, system maintenance, data sharing with external parties, and so on. Risk teams must decide how to handle each one:
- Avoidance means they will not partake in that activity as it is viewed to be too risky
- Acceptance, or understanding it is inevitable and potential benefits outweigh the risks
- Control through implementing mitigation strategies to reduce the frequency or severity of an occurrence
- Transfer is available through cyber liability insurance, a new trend soon expected to be as popular as general liability insurance. These policies may cover interruption and recovery costs, liability claims, cyber theft and extortion costs, and more. Allianz Group’s Guide to Cyber Risk discusses cyber risk policies in detail.
Each individual risk may lend itself to one or more of these strategies; the appropriate response can be developed through experience and industry knowledge.
2. Monitor data assets
With the help of their team, risk professionals should identify the most valuable data assets stored in their system and monitor them regularly. Confidential information such as credit card information or trade secrets are more likely to be the target of a cyber attack, so these items should be guarded closely.
3. Create a risk plan
The organization must develop response and continuity plans for cyber risk scenarios by brainstorming potential situations and determining a course of action for each one. It’s important to remember that with cyber issues or attacks, one problem can impact the entire organization, so be sure to incorporate multiple departments into the plan. Discuss and practice the plan with key stakeholders, so each employee will know their role and can act quickly if the situation arises. In times of need, a prompt and organized response can prevent a problem from escalating.
When the cyber risk plan has been created, it must be written down and communicated to all employees. There is no point developing these procedures if they are not formally implemented throughout the organization and their importance stressed. Cyber security and risk mitigation must become an integral part of the organization’s culture and values.
4. Gain management support
Top management must be on board with risk management activities. With the active threat that cyber risk presents, this shouldn’t be difficult to accomplish. They should embody the secure practices set out by the risk management team to send the message to employees that appropriate behavior is expected. For tips on gaining management support on any type of project, read "7 'Easy' Steps for Convincing Senior Management to Support a Hard Change".
5. Prepare employees
It’s important to stress that cyber risk is not solely the responsibility of the risk department or IT. The risk management function should no longer be siloed; all departments should be encouraged to contribute.
All employees should be trained and educated to act in the most appropriate ways regarding cyber risks. The risk team should actively create awareness for issues and promote a safety culture. The cyber risk protocol should be well defined, as well as the human factor of cyber risk: many breaches come from an internal source, whether from an accidentally created vulnerability or intentional malicious action. One common issue that stems from employees is social engineering, which uses strategies such as phishing to trick people into revealing confidential information. More information on types of social hacking and preventing it can be found here. Working with employees on cyber security reduces the potential occurrence of both of these issues.
6. Build strong external relationships
If something does go wrong, the organization needs appropriate relationships with response teams. Public relations, media, and lawyers may be crucial in responding to a cyber attack or data breach and its aftermath.
While data sharing with external parties is necessary and beneficial for almost all organizations, this does present an additional risk. The risk team should ensure that they are not over-reliant on external parties. Further, before sharing any type of data with a third party, perform due diligence on their privacy, security, and technology standards to ensure that they can be trusted with confidential information. Certifications, contracts, and other information should be acquired. Cloud-based solutions are typically more secure than traditional storage systems (Read: Cloud Storage is Much More Secure Than You Think, by Forbes), but in risk management, one must always be cautious.
7. Enforce security protocols
End-to-end security should be installed on all devices. Create and enforce password policies across the organization, with a required level of security and change frequency. If employees use their own devices to complete work from off-site, ensure that this data is also password-protected and encrypted. Authentication and user roles can be used to ensure that no one enters the system without permission; if they do, any changes to data will be monitored. Server protections and certifications can be obtained to ensure that systems are not vulnerable to outside attacks.
Ensure that all data is regularly backed up, and that all off-site back-ups are complete and up-to-date. This will ensure that if a cyber attack happens, valuable data won’t be lost.
When possible, consolidate systems and information into one source. If information is scattered across multiple locations, it will be much harder to adequately protect and monitor. Simplifying the system can also create efficiencies for the IT team, allowing them more time to focus on actively reducing cyber risk.
8. Evolve with the technological environment
Technology is constantly changing, and systems must evolve to keep up with it. Risk teams should consider industry standards, competitors, and internal needs when deciding to implement new technology. While large pieces of equipment obviously cannot be replaced with every new iteration, they should still be updated and maintained to ensure they remain up to standard. An old, weak system is an excellent target for hackers.
Cyber risk is one of the most prevalent threats in any industry today; it’s no wonder that risk professionals are concerned about it. (For more details, next week we will be publishing a blog post on the three main reasons to manage cyber risk). However, with careful thought and action, the risk can be reduced to a manageable level. Many hackers look for easy targets when planning their next attack, so if an organization is reasonably protected, there is a reduced risk of being a victim.
ClearRisk’s Risk Management Information System helps risk teams predict and prevent cyber risks. Our system enables the creation and sharing of risk management plans and is built on the #1 cloud-computing platform in the world. Our system blocks unauthorized data to your system and is consistently updated to maintain the highest security standards. Want more information?
If you found this article helpful, you may be interested in: