Risk practitioners are in a great position to help businesses to capitalise on the digital age – to help people take and manage risk, and create value, in new and innovative ways. In this third and final part of a three-part series on how digitisation is changing how we manage risk, Gareth Byatt, principal consultant at Risk Insight Consulting, considers key elements of managing cyber risk.
My two previous “digital-focused” columns have covered general points around managing risk in the digital age, and how artificial intelligence (AI) and the automation age are providing new opportunities to improve how we take and manage risk. This third article looks at how we must manage cyber risk as organisations digitise their operations.
The digitisation of business and commerce is reaping significant benefits for organisations around the world. As risk practitioners, we must work with our businesses to help them maximise these benefits and to manage the cyber risk that comes with these initiatives.
Disruptions from cyber-attacks hurt businesses large and small on a regular basis. Several large companies, for example, have been subject to malware attacks this year, incurring multi-million-dollar losses in lost sales and other significant impacts, and cases of large-scale, high-profile data breaches continue to be reported. Regulators in different jurisdictions are preparing measures to penalise businesses that do not take appropriate action to mitigate the risk of cyber-attacks.
The threat of cyber-attacks is growing as businesses increasingly go digital – as seen by recent results of a UK survey of key risks by CNA Hardy, which placed cyber risk as a top threat. As we digitise our businesses, and reap the rewards of doing so, the need to ensure our digital networks are secure grows ever more critical.
Back in 2013, the data hack of the retailer Target was shown in the subsequent “kill chain analysis” investigation to have started from a breach of an air conditioning system.
That was before the Internet of Things became widespread. These kinds of “back door” hacks continue to be a threat. Companies need to ensure their digitisation strategy considers many factors to prevent cyber criminals from gaining access to their network for malicious purposes.
As an article in The Economist has outlined recently, two principles can guide the way that we protect ourselves against cyber threats.
The first is to manage cyber-security in layers. Risk managers can help businesses to understand what these layers need to be, and what controls are required. Using common risk analysis techniques such as Bow-tie analysis and scenario planning, we can help people to think through preventive, detective and mitigating controls to guard against cyber risk and to agree actions, controls and performance standards that need to be in place. Good crisis simulations and exercises can help businesses to work through how they would respond to a serious network breach.
Various technical solutions exist for preventive and detective digital network controls; smart monitoring of them is crucial. On risk mitigation, the segregation of networks across the business can reduce the impact of cyber hacks that manage to penetrate digital defences.
Another important prevention control is education. A lot of cyber-crime continues to result from people being tricked into providing information: ensuring that your people are vigilant against this threat is important.
The second principle is to carefully consider your management of data, including how much of it is stored, where it is stored, and for how long. Data and information are an increasingly valuable asset, and the success of using digital technologies such as AI encourages us to retain more data than ever before. Whilst there are undoubtedly significant benefits to doing so, we must protect our digital infrastructure and our data against cyber-criminals.
Risk managers can help businesses to look at data management in the context of different consequences that a serious data theft can lead to – financial cost, legal fines, reputational impact, potential HR issues and business disruption. You may find that tools such as risk appetite can help you determine the costs you incur to guard against data theft.
In my first two articles on the digitisation of business I have reviewed the many benefits that the digital age brings to commerce and industry. These benefits need to be considered alongside safeguards (controls) to manage the threat of cyber-attacks. The application of good risk management can help us to achieve our business aims through digital strategies whilst safeguarding us against the threats.