Cyber-attacks are becoming more sophisticated with each passing day. Unfortunately, while organizations develop new security mechanisms, cyber criminals are cultivating new techniques to sidestep them. Cyber risk is an ever-growing concern for businesses around the world, as data breaches make headlines with increasing frequency and the resulting financial and reputational costs mount.
One especially sobering example comes from the recent data breach at Target. On December 19, 2013, the company announced that its point-of-sale card payment system had been breached, and that debit and credit card details for tens of millions of customers had been compromised. As a result, Target is now liable for significant restitution to customers and suppliers, and it will also face closer scrutiny and possible fines from regulators across the country. The company acknowledged a noticeable dip in holiday sales due to the incident, and the reputational damage has been severe.
Of course, Target is not the only recent example of a major organization succumbing to hacker intrusions. Breaches have also been reported at companies such as Snapchat, Yahoo!, Neiman Marcus and Michaels, and most recently at Tesco in the UK and Sears in the US. In today’s cyber age, a company’s reputation – and the trust dynamic that exists amongst suppliers, customers and partners – has become a very real target for cybercriminals and hacktivists.
Driving Successful Executive Engagement
Effective management of information risk has never been more critical. Information risk management has been elevated to a board-level issue that should be given the same level of attention afforded to operational risk management and other established risk management practices. Organizations of all sizes are facing a wide range of challenges today, including the insatiable appetite for speed and agility, the growing importance of the full supply chain, and the mounting dependence on diverse technologies.
In many organizations, cyber opportunities and risks have already become a board-level issue, so the cyber security head needs to engage right up to the board of directors. Information strategy and risk should sit comfortably alongside the other types of risk that the board already oversees. In order to balance risks against rewards, cyber security chiefs must drive engagement broadly across their organizations. To do this, they need to change the conversation so that it resonates with the leading decision-makers while also supporting the organization’s business objectives.
Creating Enterprise Cyber Resilience
Cyber resilience requires recognition that organizations must prepare now to deal with severe impacts from future cyber threats that cannot be predicted or prevented. Traditional risk management is insufficient to deal with the potential impacts from unforeseen activities in cyberspace. That’s why enterprise risk management must be extended to include organizational risk and cyber resilience – just ask Target and so many others.
To achieve this goal, I strongly recommend that your organization establish a crisis management plan which includes the implementation of a formal Cyber Resilience Team. This team, made up of experienced security professionals and drawn from employees, investors, customers and others, will become the driving force behind your cyber security initiatives. The Cyber Resilience Team will be charged with ensuring that the necessary communication takes place between all relevant players, and with making sure all facts are determined for each incident in order to put a comprehensive and collaborative recovery plan in place.
Today’s most successful and cyber-resilient organizations are appointing a coordinator, such as a Director of Cyber Security or a Chief Digital Officer (CDO), to oversee all activities in cyberspace and to apprise the board of its responsibilities for operating in cyberspace. This coordinator also highlights the board’s obligations to establish cyber resilience programs that protect the organization’s assets and preserve shareholder value. Such efforts are especially important given the many new legal aspects of doing business in cyberspace.