Risk managers have their work cut out when it comes to bringing cyber danger to the attention of their company’s board and convincing directors of how to counter the threat
Cyber attacks continue to increase in frequency and sophistication. However, a recent study revealed that between 70% and 80% of cyber attacks can be attributed to fundamental security weaknesses. This shows that companies should be doing a lot more to protect their private data and reduce potential disruption to services and operations.
According to Airmic chief executive John Hurrell, this complexity is making it difficult for risk managers to communicate potential liabilities to the board.
He says: “The challenge is that technology is getting more and more complex and difficult for any individual, including the IT director, to understand what the risk profile of cyber looks like.
“With this being the case, what chance does the board have of understanding what the risk profile looks like? And yet, the board is taking strategic decisions on IT investments, budgets and the role that IT is going to have in supporting strategy, without being able to fully understand the risks.” For many risk managers, this is the main gap they are striving to breach.
Another problem posed by cyber risk is that, above most others, it is fragmented. Often, it can cut across the entire organisation, and a number of people undoubtedly always control different elements. Particularly, it can affect both the service operations and the corporate function of an organisation.
According to InterContinental Hotels’ head of risk management John Ludlow, this is where the risk manager’s role, as ever, is to co-ordinate. He says: “If somebody whispers in the risk manager’s ear that there is a problem, then his or her job is to cut across the silos, and co-ordinate the management of the risk by gathering everyone together.”
Ludlow has recently begun initiating a security programme at InterContinental Hotels Group. The first thing he did was to identify properly the risk and understand its scope and possible effect. He says: “Once we had done this, we were able to write a white paper that we circulated among all interested parties.
We then had a workshop where we discussed the risk, and then set about coming up with a common strategy on how we would counter the risk.
“Each workstream has now gone away to write a paper, after which a small group of us will consolidate all those papers and come up with a strategy and a way forward that will then be presented to the board. We’ll then go to the executive, the audit and the board and say, ‘you may have not heard of the threat of cyber, but this is roughly what it is, this is roughly what it means for the company and this [is what] we propose to do about it’.”
Strategy across the company
Asking questions such as ‘what databases have we got that might be of interest to cyber criminals?’ and ‘what systems do we have that might be vulnerable?’ is a great way to begin to understand a company’s liabilities, and can help to produce an information security policy and a set of standards that can be presented
to the board and then implemented across the service and corporate structures.
Ultimately, cyber risk is difficult to quantify. But as Ludlow points out, this makes it all the more compelling to the board of a modern-day company.
He says: “I’m not sure you can quantify the risk too much other than to say your reputation is on the line and, in today’s interconnected world, reputation is everything.”
Some companies know this more than others. Rumours about hacking in some financial institutions have led to customers switching accounts. When Sony’s PlayStation network was hacked and temporarily taken off-line last year, gamers flocked to buy competitors’ consoles, rather than wait for the network to come back online. Instances such as these have resulted in cyber risk reaching the ear of boards across the globe. It is now important for risk managers to develop a solid strategy that they can present to the board to spread an awareness of cyber risk throughout the company. SR