Executive Leadership: It’s time to make cyber resiliency YOUR next priority
Posted in: Commercial Insurance
You’ve probably read about major cybersecurity failures of large organizations, such as Yahoo, Sony, LinkedIn, Target, the Democratic National Committee, and the list goes on. While they’re not always in the headlines, evidence shows that small and medium-sized organizations are increasingly becoming the targets of cyber criminals and malicious actors. According to the most recent Internet Security Threat Report that was published in 2016 by Symantec, 65 percent of all spear-phishing attacks target small and medium-sized organizations.
Cyber threats and vulnerabilities are no longer something novel that impacts only a minority of organizations — because for most companies today, not using technology isn’t an option. The creative use of new technology is necessary to help increase productivity, enable engagement and collaboration, and achieve the mission of most organizations. However, cybersecurity is not a zero-sum game, and we are not yet able to completely separate the risks from the benefits of using technology, which provides opportunities for malicious actors to wreak havoc.
Organizations that take proactive steps to seek Enterprise Cyber Risk Resiliency will reap the benefits of technology and succeed. Those that fail to evolve with the threats will struggle. This is the new reality.
An organizational priority
In this new reality, success in cybersecurity for many organizations requires a complete mind-shift. It’s no longer a singular focus on trying to build an impenetrable technology-only layered defense. Businesses that will thrive will need to achieve Enterprise Risk Resiliency. This transition assumes that cyber incidents and data breaches will happen, so cybersecurity activities are enhanced to include both the traditional perimeter defense controls as well as holistic strategies that help the organization absorb the impact of a cyber event, continue operations and recover. Enterprise Risk Resiliency does not happen all at once; it is an incremental and ongoing process that requires planning and preparation, and is different for every organization.
Now a leadership priority
Since technology is integrated throughout most organizations and operational vulnerabilities are rising, cybersecurity requires the active involvement of all stakeholders — leadership and all employees, not just IT. However, making this shift can be a challenge for leaders without a strong cybersecurity background. Due to their lack of familiarity with the topic, they can be hesitant to engage in cybersecurity and educate their employees about risk awareness, which continues to leave cybersecurity an isolated task for the IT team. The problem with this approach is that it often makes cybersecurity a purely technical task by default, one that may not align with the strategic vision of the organization or integrate with business continuity management and disaster recovery strategies.
Start with awareness
The good news is that leaders do not need to become cybersecurity experts to engage in Enterprise Risk Resiliency planning for their organization. Leaders who monitor the cyber threat landscape by tapping into trusted information sources (such as a news aggregator like the CyberWire) will begin to build a frame of reference they can use to help make decisions related to Enterprise Risk Resiliency.
In addition to monitoring the external threat landscape, it is also beneficial for the leadership team to receive regular briefings from internal IT and security staff about potential threats and vulnerabilities. Companies should also make sure to inform their employees of cybersecurity risks. In some cases, the technology may be secure from a technical perspective, but an employee may make a simple mistake, like losing a device, sending confidential files to the wrong email address, or falling for a phishing email. Simple human error is one of the greatest vulnerabilities in businesses — so it is essential that companies arm their employees with the knowledge and tools to avoid these risks.
Follow with action
Awareness of the cyber threat landscape is necessary for leadership, but it is only useful if it is tied to action.
Cybersecurity comprises many moving parts that involve technical, workforce and process components. Instead of diving head-first down one path or another, start with some initial planning and a review of your current infrastructure, systems, applications and assets. This initial cyber risk review can help with the planning process, especially if you intend to hire consultants to conduct full cyber risk and vulnerability assessments. It can also help you prioritize other activities and establish incremental cyber- and technology-related organizational goals in a meaningful yet realistic way to begin the process.
Over the course of our upcoming four-part series, I will explain in further detail how to start down the path toward Enterprise Risk Resiliency. I will provide an overview of the cyber threat landscape, offer guidance on how organizations can begin the cyber risk review process, and share information about cyber insurance and how it can serve as a backstop to enhance your proactive cyber risk management strategies. With this information, organizations can begin taking proactive steps to seek Enterprise Risk Resiliency and create the building blocks for success in the new cyber age.
If you have questions about how to increase your organization’s cyber resiliency, contact me at jnapp@psafinancial.com.