The Relevance of Cybersecurity Risk Management

20 Aug 2013

8 min read

The majority of enterprises nowadays rely on information technology as an essential tool for meeting their business objectives as well as safeguarding their intellectual property, financial information and the Company’s reputation, amongst others. Concurrently, critical digital assets are being targeted, and the potential impact on businesses has never been greater.

In order to adequately protect the organisation from threats that might impinge on future cash flows and shareholder value, the Company’s approach to cybersecurity must keep pace with the ongoing developments and updates taking place within this subject matter since, “The cost of failure to deal with cyber risk and failure to comply with [regulations] is great.” (Harroks, 2013).

Following recent research carried out in association with the Federation of European Risk Management Associations (FERMA) by Harvard Business Review Analytic Services, corporate insurer Zurich and the public sector risk management organisation PRIMO, it is apparent that most companies overlook the importance of cyber risk management, notwithstanding the increase in frequency, scope and sophistication of such attacks, which may lead to the loss of sensitive data as well as impact the company’s bottom line.

To this effect, FERMA Board Member Julia Graham, who led FERMA’s participation in the web-based survey, noted that often, well-embedded principles and practices associated with risk management and risk financing tend to be discarded when the subjects of information security, and specifically cybersecurity, are being considered.

Many companies have adopted a head-in-the-sand approach when it comes to safeguarding their information systems, since they believe that nothing can go wrong. This is no longer a viable option, because making a conscious decision to ‘do nothing’ to protect company assets, especially data and information, is a very dangerous strategy in the current climate (Jolly, 2005).

Last year, the Maltese police cybercrime unit investigated around 576 complaints, the majority of which related to computer misuse such as hacking and fraud (Times of Malta, 2013).

When an organisation is planning to launch its e-business, security must be its prime concern in order to identify and avoid the various risks it may encounter or be prone to. Thus, it is beneficial for the organisation to have the necessary policies and procedures in place in order to safeguard its position.

In view of the fact that information security is deemed to be a classic enterprise risk, it must not solely lie within the Chief Information Officer’s or the Chief Information Security Officer’s respective remit, but rather be considered across the whole organisation in order to adequately cater for and be prepared to combat cyber threats as these emerge.

Many Information Technology professionals affirm that the greatest challenges in improving cybersecurity practices lie in promptly obtaining accurate information about the organisation’s systems that need protection, gaining visibility into current deployments, and understanding the capabilities and techniques of adversaries seeking to compromise critical infrastructure.

During the Federal Information Systems Security Educators’ Association (FISSEA) presentation addressing ‘Empowering Our Organizational Culture to Meet Today’s Cybersecurity Challenges’, Suess noted that: “Cybersecurity has often been viewed as an IT initiative and is often focused narrowly on a small percentage of the individuals in an organization. As new threats emerge, such as social engineering, to broadly target individuals we need new approaches to address the challenge of cybersecurity.” (Suess, 2013).

Ideally, management should spearhead a process in which it promotes an approach that considers cybersecurity holistically and sets out a plan encompassing technology and new business processes, including enhanced communication and education amongst its employees. Suess outlines further that, “This approach requires leadership commitment to a long-term strategy for change management and organizational development around cybersecurity.” (Suess, 2013).

Developments in this area

A global problem requires a global solution, since the annual worldwide cost of cybercrime is estimated to amount to over €750 billion, including but not limited to, “wasted time, lost business opportunities and the expense of fixing problems” (European Commission, 2013).

The economic security organisation Scottish Business Resilience Centre noted that, “the increasing use of unsecured WiFi networks, online banking and cloud computing is putting companies at risk”, resulting in cybercrime costing Scottish businesses GBP 5 billion per year (The Paypers, 2013).

In the light of emerging technologies and subsequent threats, in February 2013, the European Commission launched a Cyber Security Strategy and Proposal for a Directive so as to encourage an open, safe and secure cyberspace; possibly to devise a framework outlining best practice policies and procedures.

This proposal is a result of the Commission’s support for research in relation to cybersecurity, particularly given that this growing problem is affecting numerous organisations.

Moreover, locally both the Malta Information Technology Agency (MITA) and the Malta Communications Authority are drafting a National ICT strategy for the coming years in order to “ensure that the security of technology infrastructure as well as cybercrime will be a priority” (Times of Malta, 2013).

The Role of Cybersecurity Risk Management

Organisations must therefore mould their organisational strategy to include the roles and responsibilities for producing policies and procedures, communications, security technology design, and implementation approaches, whilst ensuring that services are evaluated and categorised from a cybersecurity risk perspective. These processes ensure that business services deemed crucial to an institution’s ability to operate receive a higher level of scrutiny.

The overarching issue lies in the fact that there is an “insufficient level of protection against network and information security incidents, risks and threats across the EU undermining the proper functioning of the Internal market.” (European Commission, 2013).

The main drivers responsible for such concern mainly relate to the uneven level of capabilities at national level across the EU, as well as the “insufficient sharing of information on incident risks and threats” (European Commission, 2013).

Looking ahead

A European framework to manage cybersecurity risk would lay the right foundations to secure a level playing field, establishing a common framework with key risk and performance indicators to accurately understand cyber risk. Coupled with a local strategy to combat cybercrime, this would prove beneficial for the various companies, particularly those investing in eCommerce.

A typical local service provider’s IT strategy generally follows a ‘top-down approach’: management enforces certain policies and procedures for the employees to abide by and comply with. This, however, rarely addresses cybersecurity and its associated risks, even where the organisation seeks to perform to the highest level of confidentiality and professionalism. This approach generally stems from management’s lack of awareness of the importance such risks deserve, or rather from prioritising other, more tangible issues deemed to be of higher relevance in its Enterprise Risk Management framework, so that this specific risk is not properly addressed notwithstanding it being on the Company’s agenda.

Companies tend to vest all IT-related matters in one duly qualified person’s job role, while encouraging the individual to pursue further studies and keep abreast of emerging technology. However, management often ends up having to outsource certain functions for which the required knowledge and expertise must be sought from external competent entities and/or individuals. Such an approach must mirror the Organisation’s strategy, ensuring that when decisions are taken, the Company stands to benefit from third-party support.

Hence, cohesion amongst the various departments within the organisation is fundamental to ensuring that the whole organisation ‘pulls the same rope’, by adopting good practice standards, policies and procedures within the pre-set regulatory framework(s), and by sharing and collaborating through innovative and efficient ways of carrying out the respective duties.

Appreciating the benefits gained and the value achieved by embracing cybersecurity risk management, in conjunction with the other risks the Company may be exposed to, will provide the organisation with the necessary configuration and robust framework to face such risks. Only then will the Company fully acknowledge its external as well as internal vulnerabilities and mitigate them accordingly, so as to avoid potential breaches and losses, including disrepute.

Hence, although the prospects within this subject area are plentiful and organisations might eventually embark on a proactive, tailor-made cybersecurity risk management approach of their own, the proposal for an EU Directive will certainly guide the respective parties concerned in the right direction, possibly providing a structured approach towards addressing such risks.

Moreover, it would be advisable for Malta to update local legislation to cater for cybersecurity risk, particularly in order to indicate what is and is not permissible and the respective repercussions, including legal penalties.

Finally, as Companies become more heavily IT-dependent and increase their awareness of the risks they are prone to, they must re-evaluate their forecasts and budgets so as to cater for their IT investment. This would ideally include a risk assessment, including mitigation techniques, for the company to address innovative fields such as cybersecurity. Security has become a business issue rather than a technical one, and today’s digital economy organisations must realise that their greatest challenge is that no chain is stronger than its weakest link.