How can businesses protect against cyber risk?
Individual perspectives and skills within your business can support a culture shift that strengthens cyber risk management.
When it comes to managing the risks that come with reliance on technology, the conversation often focuses on tech-based solutions while overlooking the role that people play in creating cyber risks—and, on the flip side, protecting against cyber risk. It’s recognizing the collective power of individuals to protect an organization that can drive a culture shift in cyber resilience.
“There is a lot of focus on data security, and rightly so, but the risks around cyber go far beyond that,” says the chief risk officer of a global energy company. “Cyber disruptions aren’t caused solely by hackers. People who often mean no harm—and it’s not just employees, it can be contractors and even customers—are part of what makes up cyber risk. But if they are committed to the success of the business and we arm them with the right knowledge and processes, we’re starting to see that they can play a big part in creating a culture of cyber risk awareness by encouraging others.”
Business leaders have to up their game as well. According to the Ernst & Young 2014 Global Information Security Survey, fewer than 20 percent of organizations have real-time insight on cyber risks readily available, and 53 percent indicate that cyber security tasks are generally not adequately resourced or performed by skilled people.
“Lack of executive buy-in and board oversight could cause a company to miss the necessary focus and fail to make the required investment,” says Ruby Sharma, a Principal at Ernst & Young LLP and with the EY Center for Board Matters. “It is the board’s responsibility to challenge management so that management is appropriately allocating resources to address cyber risks that are commensurate with the risk levels. Given that technology transcends and impacts all departments and corporate structures, boards should address whether management’s cyber security plan has a cross-functional team involving business leaders of all key departments.”
Thinking beyond defined responsibilities
A tenet of managing all interconnected risks is that business units should work together, not in silos. Encouraging the same type of initiative on an individual level can help people see first-hand the role they can play in managing cyber risks. Zurich’s Jérôme Gossé, Head of Security & Privacy Global Corporate in EMEA, says there are ample opportunities for people to have aha! moments regarding cyber risks.
“At a recent meeting with a manufacturer that supplies major energy infrastructure entities, we were discussing and assessing their risks around data privacy, trade secrets and intellectual property,” says Gossé. “At the table was the data privacy officer, whose duties include managing the confidentiality of employee data. When I asked how they managed confidential customer data—some of it extremely sensitive—he responded: ‘That is not part of my responsibility.’ That’s a moment when someone should realize they could make a difference. If you know it’s not your responsibility, then whose is it? You should never assume that things that don’t fall under your normal remit are someone else’s responsibility, because maybe everyone else thinks the same thing. And in those cases, it often falls to someone who isn’t qualified to deal with all of the issues surrounding data privacy. On the other hand, if you follow up to see whose responsibility it is, and you discover no one is covering it, then you’ve identified a cyber risk and can alert the right people.”
In his work, Gossé has noted that you can’t judge how well a company manages cyber risks based on its size, sector or location. But there are telltale signs of the level of engagement among employees, and thus the likelihood that they’ll be proactive in managing cyber risks. “The culture within an organization becomes apparent very quickly,” he says. “The first thing we look at in our underwriting process is whether or not management really gets cyber risk. Are they genuinely involved? Are they aware of incidents on short notice? Or do they just let the IT department handle it alone? If you can tell management isn’t engaged, you can expect that employees won’t be either—and that’s where most cyber risk negligence occurs.”
Influencers who make a difference
An enterprise approach to managing cyber risks spreads the net of inclusion to embrace new ideas that might otherwise not be in the picture, says Tim Stapleton, Global Underwriting Manager, Professional & Management Liability, Zurich, and that helps reinforce the priority throughout the company. “You need a number of functions involved in the process, and when that happens different talent starts to take notice, from the CEO all the way down to the front line employee,” says Stapleton. “It is a combination of large and small taking an active role in working on behalf of corporate information security, not just the IT portion. It takes a broader approach to help reinforce the priority throughout a company.”
A recent Ponemon Institute study indicated that board level involvement in cyber risk management helps reduce the costs of cyber breaches. The reason? Cyber security is not just an IT issue—it is also a management issue. The weakest link is often people and awareness of cyber risk. Creating that awareness starts with basic data privacy and security: identifying data owners, classifying data with the appropriate security classification, and then treating that data with the appropriate level of security. All employees must be aware of the different approaches cyber attackers deploy, such as phishing attacks that dupe employees into downloading malware, and know what to do to avoid systems being compromised.
A fresh perspective
The all-for-one, one-for-all approach to cyber risk management also helps protect against another risk: placing the burden of cyber risk management on technical experts, which is “a pitfall,” says John Scott, Chief Risk Officer, Global Corporate, Zurich. “It’s important to understand that this is about people and behaviors, not just technology.”
“In the years after the 2008 financial crisis it was popular to say that it was due to a failure in risk management. But there were more than enough risk managers in the key financial institutions involved, and they were all doing a very careful job and looking at the specific risk position of financial products and portfolios. What they weren’t looking at was the bigger picture, and realizing that an unsustainable level of credit risk was building up across the financial system. Right now, the emerging nature of cyber risk is that it’s becoming systemic—as were the risks that led to the credit crisis. That is being driven by a number of trends including the Internet of Everything and BYOD [bring your own device], which create more entry points that are vulnerable to attack; and cloud computing, where server farms are often co-located or connected in a way that creates systemic risk. A successful cyber attack on a key cloud provider could take down many businesses in many locations using that service. All of that together changes the nature of risk, and is as good a reason as you need to realize that the cyber risk management discussion needs to start at the board level.”
Key takeaways
- The collective power of individuals to protect an organization can drive a culture shift in cyber resilience.
- It’s the board’s responsibility to challenge management to understand the strategic and systemic nature of an organization’s cyber risk vulnerability and properly allocate resources for cyber risk management.
- Everyone in an organization should understand and assume responsibility for cyber risk management.
- Cyber security is not just an IT issue—it is a management issue. Having different business functions involved in cyber risk management brings to light the important role that people play in protecting against cyber risks. It’s not all about technology.
This article is published in collaboration with Zurich Knowledge Hub. Publication does not imply endorsement of views by the World Economic Forum.
Authors: John Scott is a Chief Risk Officer of Global Corporate. Tim Stapleton is a Global Underwriting Manager, Professional & Management Liability at Zurich General Insurance. Jérôme Gossé is the Head of Security & Privacy, Global Corporate EMEA.
Image: A hand is silhouetted in front of a computer screen in this picture illustration taken in Berlin May 21, 2013. REUTERS/Pawel Kopczynski.