Cyber resilience is a choice - one that should be made now

WHEN choosing an office or factory location for a business, risk managers typically look at whether it is structurally sound, fire-resistant, protected from flooding and whether it has the right level of security. In today's increasingly connected digital business world, a further layer of scrutiny is required to ensure that a company's operations are sufficiently resilient. That layer is cyber.

This is an increasingly business-critical requirement, given the evolving threat landscape punctuated by global cyber threats. If cyber-loss prevention wasn't yet at the top on the executive boardroom's collective mind, the recent spate of cyber attacks across the Asia-Pacific will have changed that for good.

Almost every business relies on digital connectivity, and this transcends geographic and physical boundaries. Research by the Washington-based Centre for Strategic and International Studies, which has tracked all major publicly-reported cyber attacks on government agencies, defence and high-tech companies since 2006, estimates that computer security breaches cost the world US$600 billion last year. This is approximately 0.8 per cent of the global economy, or roughly the combined GDPs of Malaysia and Singapore. A cyber attack is thus not only a reputational liability, but a financially costly one.

The likelihood of a cyber attack on a business is no longer a question of if, but a matter of when. No organisation is invincible, as the recent data breach of Cathay Pacific Airways' 9.4 million passengers' accounts and the hack into SingHealth 1.5 million patients' records in Singapore show. Cyber attacks today are global and will only increase in frequency and severity. Cyber risk is no longer just the concern of online retailers. Any company that connects to the Internet is exposed to increasingly global cyber threats.

The key: preparation, preparation, preparation.

In order for companies to secure their operations, they need to establish and maintain a level of resilience. To get there, a few things need to happen.

Firstly, it takes a mindset shift. Tackling cyber risk can't be an afterthought and cyber hygiene can't just be the responsibility of the IT team. Cyber security is and must be a company-wide issue. There needs to be appropriate training of employees to understand the vulnerabilities, a commitment to downloading the latest security software and patches, as well as implementing security procedures that stop external personnel having access to sensitive areas such as network or operations rooms. All these are behavioural changes that will hugely improve cyber resilience.

Secondly, we must move away from the thinking that cyber risk is only a technology issue. It is an enterprise risk and so, it is important to reframe the approach towards its management. The challenge in mitigating the enterprise risk is in strengthening the connection between risk management and cyber security. Organisations should engage their enterprise risk management team as well as their IT departments to develop and implement strategies to manage their risk scenarios.

Thirdly, since cyber attacks can dramatically affect a company's bottom line and its market reputation, it demands a board-level conversation that includes the risk manager to encourage proactive, strategic decision-making.

Ultimately, having the right infrastructure and systems in place to facilitate a quick recovery is essential. It is vital that you have cyber security and IT experts on speed dial, as well as have robust business continuity plans and standardised procedures should an attack take place.

Many cyber solutions offer tools to thwart attacks, but many also do not address the nagging reality - what happens when you get attacked and how do you fix the post-attack damage to quickly recover?

Establishing and maintaining business resilience includes putting in place the right level of cyber coverage to insure virtual networks and technology systems. To do this, companies should treat data as they would any other property or business-critical physical function - with cyber coverage integrated as part of a business' total coverage. This approach factors in the importance of business continuity and recognises that the business' ability to pick up the pieces and continue operations as quickly as possible are key.

The day when a foreign entity is able to take over your business as part of a coordinated cyber attack is no longer science fiction. That day has arrived, so our attention needs to turn to combating the inevitable and applying approaches to restore and effectively recover.

The way we think about cyber loss prevention should be no different than how we think about other risks facing a company. We should view all loss as preventable, including those experienced through cyber attacks. In the same way that we equip the business leaders to manage more traditional threats from fire or natural hazards, the increasing prevalence and frequency of cyber-crime means that it is now critical that companies build a cyber shield for themselves by adopting a similar proactive defensive strategy against cyber criminals. Cyber resilience is a choice. The sooner a company starts assessing and prioritising its cyber defence systems, the more agile it will be in responding to the inevitable cyber attack.