We are living in a period of unprecedented technological change. While those changes have brought many benefits, building resilience to these changes is becoming increasingly imperative.
To become more resilient in this age of continued digital disruption increasingly means understanding the full scope of cyber governance responsibilities. This means starting with a top-down approach in managing risk at the board and executive level.
According to Edward Stroz, co-president of the global investigations, intelligence and risk management firm Stroz Friedberg (an Aon company), organisations should definitely not think of cyber as just an IT issue. Speaking at Aon’s Advanced Risk Conference 2018 in Melbourne, Stroz said that while cyber-attacks often sought to steal information or disrupt operations, in many instances what is classed as a cyber threat was just traditional fraud executed through technology channels. Typically this came in the form of a criminal calling a help desk and persuading a staff member to perform a task on their behalf, or hacking into an email system to impersonate an executive. While the effects may be considered ‘cyber’, analysis shows the root cause was the deception of a human being.
“That is fraudulent action based on somebody being misled, even though it was made possible by some element of a cyber compromise,” Stroz said. “The dollar losses that the FBI estimates are happening in this area are in excess of US$15 billion related to business email compromise.”
Stroz said when thinking of risk transfer, it was important not to think about the risk inherent in the device itself, which might only cost $1500, but to consider the overall risk once it is plugged in to a network, which could be enormous.
And even when there might be little conceivable reason why a company would be attacked directly, Stroz said it could still become a victim, as criminals had turned their attention to infiltrating their targets by compromising the systems of trusted partners – something he recently saw occur to an architectural firm where criminals were targeting the firm’s clients.
“You have to understand the risks your organisation might be exposed to, not just as the target, but as the victim, and you have to see it as an enterprise-wide risk to be managed,” he said.
Organisations should consider how much risk they could afford to be exposed to, and what investment they were willing to make to protect themselves. At that point they should then consider adopting a robust risk framework, such as that set out by the US National Institute of Standards and Technology (NIST), which made recommendations for how an organisation might be organised to prevent, detect, identify, respond and recover from cyber incidents. The framework is then used to guide managerial judgments using a risk-based set of priorities.
Stroz also suggested that company directors often needed help with this issue, as it post-dated much of their working lives, and recommended bringing cyber expertise into the board, either directly or through an adviser. The issues should be presented and managed in a jargon-free clear lexicon that allows the seasoned judgment of board members to engage.
“You have to see and treat cyber security as an enterprise risk management phenomenon, not an IT phenomenon,” Stroz said. “The territory you are in for managing this has legal implications for your company.”
“If you suffer a cyber incident, there is a good chance you will be sued, or the regulator will come after you. You’re going to need a lawyer, and the lawyer is going to need to settle these issues around legal concepts, not technical ones. And they will need evidence to back up their representations.”
Navigating through complexity
Addressing the new world order of cyber threats can be a complex task – but is doable. It encompasses a broad range of risks with the potential to harm assets, from property to brand and reputation.
As with everything, a holistic understanding of the challenges and a holistic application of the right solutions will be essential in building a resilient company that can meet the demands of a rapidly changing cyber landscape.