How does cyber-risk differ from other business risks?
Many people still plan for a cyber-attack in terms of traditional disaster planning. However, unlike a natural disaster, which may affect just one location, a cyber-attack can instantly propagate through the network to compromise all systems and data, including those found in disaster recovery sites. Additionally, to cope with the financial impacts of a fire or flood a business will normally have insurance in place, yet only 14% of SMEs in the UK have cyber insurance.
Often conventional protections against physical disasters, such as loss of power, don’t work in the case of a cyber-attack. With traditional disasters you are dealing with a passive adversary: the risk is better understood and the threat is not likely to deviate. However, with cyber-attacks you are frequently dealing with an active adversary. For example, if a hacker gains control of a network, the threat may change and escalate as the attack progresses, and new risks not previously identified emerge. Many businesses’ crisis planning hasn't evolved to consider the dynamic nature of cyber, nor the financial response.
An attack on critical systems
There’s also a lack of awareness of how critical IT systems have become to business. For example, whether an organisation is large or small, most office telephone systems are computer based, so it needs to consider how it would communicate with colleagues, customers or suppliers in the event of an attack. As we increase our dependence on digital infrastructures and the internet, the impact when something goes wrong becomes more dramatic and far-reaching. For example, how would you pay your staff if you do not have access to salary details and payment systems? And how long would they stay loyal without remuneration?
A strategic imperative
Cyber-security is not just a risk to be considered, however. Business strategy needs to take the cyber-threat into account, because your overall threat profile can be controlled and is, to an extent, determined by the type of business you run and your customer and supplier base.
Where should responsibility lie for cyber risk?
Accountability for taking the threat seriously, understanding the potential impact of an attack, and creating a response and recovery plan lies with senior management or the Board. The challenge for businesses is that the issue of cyber risk is no longer confined to the IT department or the domain of the Chief Information Security Officer. As we have seen, the threat cyber-attacks pose spans across an organisation, so responsibility to prepare for, respond to and recover from a cyber-attack sits at a departmental and individual level.
As well as operational and financial planning, businesses need organisational resilience, which filters down from the top of an organisation but sees different individuals sharing responsibility within their disciplines.
If you leave the cyber challenge solely with the Chief Information Security Officer, they won’t necessarily have the skills and knowledge to advise what needs to be implemented in other parts of the business. For example, in the finance department, how would you manage the impacts on your short-term liquidity and access to cash? Does the business have appropriate financial plans in place to cope with a cyber-attack?
Whilst there may be one person on the Board with overall accountability, the challenge is to get the right skills and information to every part of the business so cyber considerations are woven into everyday operations. Planning on that basis demonstrates a clear understanding of the risk and puts you in a better position to manage it.