You are here
Managing cyber threats effectively
TO effectively manage cyber attacks, companies must broaden their focus beyond just security and technology and develop a top management-driven, enterprise-wide playbook to deal with such threats.
Such a strategy requires the board and management to take ownership of cyber risk, and be willing to commit the resources required to address it. Failure to do so could result in damage to a firm's bottom line, reputation, brand and intellectual property.
Despite the widespread impact of such attacks, many companies still place the responsibility for managing cyber threats solely in the hands of their technology departments. According to experts, these threats are dynamic and sophisticated, yet traditional approaches to security are still too narrow and flat-footed.
"Managing cyber risk is a fundamental part of business management and business leaders need to see cyber threats for what they are - enterprise risk management issues that severely impact their business objectives," said Vincent Loy, financial crime & cyber leader partner at PwC. "Cyber risks should be treated like other serious business risk issues."
The rapid adoption of cloud computing and other digital tools for companies has led to more business operations being conducted online. This phenomenon provides immense opportunity for businesses to become more efficient by improving relationships with customer, suppliers and employees.
However, in seizing these opportunities, organisations become more vulnerable to an increasing number of evolving cyber threats. Indeed, any company that uses technology, whether its storage devices or emails, will be susceptible to an online attack.
A Singapore Business Federation survey conducted last year found that 30 per cent of local businesses had been subject to a cyber attack, with most taking about one to three days to recover.
Writing in a report titled Analytics and Cybersecurity: The shape of things to come - which is published by CPA Australia - Mr Loy argued that an appropriate cyber-risk management programme should be part of a company's IT governance process. Such a programme should cover the overall business-risk environment and feed into the firm's enterprise-risk management framework.
"Specifically, (the board and management) should collaborate upfront to understand how the organisation will defend against and respond to cyber risks, and what it will take to make their organisation cyber resilient," he said.
As cyber risks cannot be eliminated entirely, management needs to also determine what level of risk it is willing to accept, and then build its defences around those parameters.
"In order to effectively manage cyber risks, corporations should adopt a cyber-risk management programme that allows to plan for, and mitigate, cyber risks according to their appetite to withstand disruption and financial loss," explained Mr Loy.
Not one size fits all
However, there is no one optimal IT governance model. As such, key IT decisions, the level of involvement of stakeholders, governance structures, processes and policies will differ widely depending on the organisation.
With that in mind, governance arrangements need to be flexible enough to react quickly to cyber-risk management issues and a fast-changing external environment evolves.
In the report, Mr Loy cited the example of a Fortune 500 wealth management company that decided to implement extensive changes to its cyber-security approach after its clients' accounts were hacked.
Apart from conducting an extensive computer forensics investigation, the firm also established a cyber-risk governance team consisting of executives from business and IT, and developed a plan that included the necessary steps in adequately planning and preparing responses to cyber events.
After putting the plan in place, the company was able to enhance its ability to detect and respond to cyber fraud by implementing a series of significant changes in its use of technology. It also developed long-term, sustainable strategies to combat online fraud, including the development of an in-house incident-response process.
Mr Loy noted that adopting a well-thought out strategy can help organisations position themselves to gain a competitive advantage over their more vulnerable competitors that have opted to stick with the status quo.
"An effective programme is a pivotal part of the business model and will position the organisation to take greater advantage of future business opportunities as they arise," he said.