Building resilience within an organisation is crucial to heading off the cyber threat – but it is a more complex task than ever.
The increasing use of smart devices, the Internet of Things (IoT) and Artificial Intelligence (AI) technology means that the ‘attack surface’ for cyber-criminals is constantly expanding. The number of IoT devices installed worldwide is expected to exceed 75 billion by 2025.1
Against this intricate backdrop, organisations need to rethink what ‘cyber resilience’ means, and how they can give themselves the best chance of fending off an attack – or effectively dealing with the fallout if an attack succeeds.
Four steps to cyber resilience
1. Take it from the top
Cyber risk management has to be an enterprise-wide effort, but clear accountability at the top of the organisation is also crucial. Boards need to understand the costs and consequences of a cyber-attack on their global organisation.
Yet, for many organisations, this knowledge is not easily attainable. “It is still surprising that some companies don’t fully understand the impact of various different cyber-attacks on their business,” says Onno Janssen, CEO Risk Consulting & Cyber Solutions EMEA at Aon. “There needs to be a deeper understanding of what the worst-case scenarios could be in terms of the financial impact on the business. This insight is crucial in order to develop an effective cyber resilience strategy,” he adds.
“Ultimate responsibility for all risk management efforts resides in the boardroom,” says Deborah Pretty, Founding Director at Pentland Analytics. “That’s where the buck stops.”
2. Unite the business
A cyber-attack has implications for the whole business, so it can no longer be viewed as just an IT issue. It calls for a multi-discipline, multi-level response that involves every relevant stakeholder within the business.
Instead, they need to shift their mindset from viewing cyber-incidents as an IT risk to seeing them as a business risk, where the business defines the risk appetite. If the worst does happen, getting the right people – Risk, IT, board members, Legal, Compliance and HR – around the table for strategic risk discussions will ensure a robust and integrated response.
One key feature of a cyber-resilient organisation is clear dialogue between the Risk and Security functions. As the two functions do not work with one another on a day-to-day basis, they will need to work on building a natural dialogue. This is crucial if they are to have any hope of putting together a risk transfer initiative or an insurance policy, for example, that is both appropriate and proportionate.
3. Improve your response time
“You don't want to put a team together on the day of the match. Preparing for an incident is an extremely important part and it should be a multi-discipline and multi-level focus to make enterprises ready for handling cyber-incidents.” Onno Janssen, CEO Risk Consulting & Cyber Solutions EMEA at Aon
Incident-response training is critical in preparing organisations for a cyber-attack. Scenario-planning helps them to understand their operational vulnerabilities and the threats they are exposed to.
Once it has made an honest assessment, an enterprise can make contingency plans. And once the cyber response plan is in place, it has to be tested. Having executive teams and boards practise simulations of potential cyber-attacks equips them to respond quickly when the real thing happens. The goal of the simulation is to test for flaws in the response plan and improve response capabilities.
4. Protect your balance sheet
A cyber-incident, regardless of its form or whether it makes headline news, holds the potential to seriously dent an organisation’s balance sheet. The recent introduction of GDPR fines for non-compliance – which carry a maximum penalty of €20 million or 4% of an organisation’s annual global turnover, whichever is higher – has created a sense of urgency among European firms to put appropriate cyber controls in place.2
While cyber insurance may protect an organisation’s balance sheet by providing a financial pay-out after things have gone wrong, it may also offer expert consultancy to improve security and on-the-ground incident response support during the period of crisis.
Standalone cyber insurance typically not only provides coverage for legal costs and damages from claims alleging a privacy breach or network security failure, but also for the potentially more costly business interruption losses and increased working costs following a cyber-incident. A key benefit of cyber insurance is pre-loss prevention and post-loss services, which help organisations to recover more quickly post-attack.
The standalone cyber insurance market is evolving in terms of both its capacity to underwrite cyber risk and the scope of its coverage. “There is over $1 billion in theoretical capacity available in the standalone cyber insurance marketplace. Yet this increase in capacity is often not considered relevant by large corporates used to buying limits over $2 billion in the property programme,” says Vanessa Leemans, Chief Commercial Officer, Cyber Solutions EMEA at Aon.
New thinking
The C-suite should not be tempted to think it has produced a cyber-resilient organisation simply by investing in expensive security software; true resilience goes far beyond cyber defence.
It should be driven by a clear chain of command, originating at board level, and involving extensive preparation – including incident response training – by the entire organisation.
1‘Internet of Thing (IoT) connected devices installed from 2015 to 2025 (billions), Statista, 2019
2Is cyber risk a D&O risk?, Ethical boardroom, 2017