You are here
Building agility and resilience with digital risk management
IT'S no longer a case of if, but when, a company will face a cyber attack. What makes a digital risk management strategy effective, and can hackers be part of the equation?
In 2018, the Singapore Ministry of Defence (Mindef) conducted the first-ever bug bounty by a Singapore government agency.
It invited some 300 ethical hackers from around the world to penetrate the government agency's Internet facing system for vulnerabilities in return for rewards (or bounties). The bug bounty programme received a total of 97 vulnerability reports, of which 35 were assessed to be valid security vulnerabilities.
The exercise gave Mindef the opportunity to identify previously unknown gaps and patched the vulnerabilities effectively.
With the Internet of Things, collaborating with ethical hackers - or white hat hackers - has become a common practice among larger multinational organisations in testing the security posture of their systems and resilience against known vulnerabilities and application logic flaws.
White hat hackers do so by replicating the typical tactics, techniques and procedures that a malicious hacker would utilise to proactively identify security flaws that need to be fixed.
However, beyond tactical engagements like working with white hat hackers, organisations must fundamentally adopt a holistic vulnerability management programme that prioritises risk exposure and treatment plans of all the digital assets and relationships that the organisation owns.
A holistic approach to risk management
The EY Global Information Security Survey 2018-19 revealed that 38 per cent of the surveyed corporates would be unlikely to detect a sophisticated breach, despite 53 per cent having seen an increase in their cybersecurity budget in the current year.
With the increased online presence and interconnectivity of systems and networks today, the likelihood of companies - whether large multinational corporates or small-and-medium enterprises - falling victim to a successful cyber attack is near certainty.
Managing these risks requires companies to leverage a combination of strategic elements, including identifying and prioritising risks; protecting the enterprise; monitoring and predicting cyber threats; being prepared to respond to a cyber incident, recover and revert to normal operations.
Such a strategic approach is consistent regardless of the size of the organisation. What differs is the level of resources, including finances, time and competencies, that the organisation can devote to each element of digital risk management strategy.
Intuitively, larger organisations are better equipped to invest more resources than smaller ones.
Given the increased focus on cybersecurity and risk management, there is an increasing trend for larger organisations to move their digital risk management and cybersecurity function outside of the technology and operations function, and to have direct reporting to top-level management.
This elevates the importance of the function and the significance of the issues at hand - cybersecurity and risk management is a business issue and not just an IT problem.
Smaller organisations that do not have extensive resources can still build an effective digital risk management strategy by focusing on three key steps.
The first step that organisations should undertake is to review their existing processes and digital setup, and identify opportunities to reduce the surface area of exposure.
The next step is define a risk appetite and criteria to shift some technology operations (for example, infrastructure or applications in the cloud, managed operations or security services) to leverage deeper competencies, larger scale, and more dedicated resources to protect the digital assets.
Third, organisations should look into investing in technology solutions that automates the process of monitoring and managing the digital assets with the highest risk exposure or impact to the organisation.
Aside from these three steps, organisations also need to prepare the incident response plan in advanced, and practise it to make sure the stakeholders are familiar with their responsibilities and find opportunities to enhance the plan further.
People at the centre of cyber resilience
Arguably, the most important first line of defence is a strong and healthy risk culture in the organisation.
The abovementioned survey found that 34 per cent of organisations see careless and unaware employees as the biggest vulnerability, and 42 per cent of the top cyber threats relate to phishing and malware attacks targeting this group of users.
A healthy risk culture can help to reduce costly implications from cyber incidences.
Concurrently, organisations need to strengthen the digital access controls used by employees and vendors for internal and external systems.
Access control is a foundational element of any information security programme and helps to protect confidential information, such as customer data.
Having strong digital access controls - with the right policies and technology - can help to minimise the risk of unauthorised access to physical and logical systems.
Lastly, organisations should review both the processes and technology setup to identify and minimise single points-of-failures.
While this is typically viewed from a technical perspective, it is also important to make sure that processes are sufficiently robust to avoid the situation where necessary escalations are suppressed by individuals in the organisation.
The frequency and scale of the security breaches around the world show that too many organisations have done too little.
Cyber threats may - and will - continue to be on the rise, and it is the organisation's response that matters.
Clearly, an effective digital risk management programme requires a combination and integration of process, systems and people.
Organisations must embrace this new climate of digital risks, move ahead and fine-tune existing defences to optimise their security as they position themselves for growth.
Ultimately, if you are not in control of your digital risks, who is?
- The writer is Asean risk leader, at EY. The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organisation or its member firms.