Ignorance is no defence against cyber risk
In the report Locked Down, a Legal Week Benchmark survey, it says there has been a change in 'atmosphere' around Cyber over the past 18 months, but I really do wonder if this will actually translate into action ... this time.
It does sometimes baffle me that much of the emphasis of the media is on hacker attacks and not the broader issue of Cyber Risk and its importance in the overall resilience of an organization. If you are properly assessing the risks within a business or organization, then what should happen is that you have a clear understanding and priority laid out that steers your planning. Given that most of our organizations now really do rely on our IT and cyber infrastructures to operate, it's almost unthinkable that a Risk Assessment would not have identified this as a critical area for action and management. It is really odd, then, that report after report continues to make the same point time after time. Why is this?
Well, my take on this is that it's mostly down to an absence of credible and relevant information on the risks and associated costs. I see it all the time: senior executives constantly underestimate the risk and the impact (and the benefits, by the way), while at the same time overestimating the costs of fixing the situation, or at least failing to optimize their spending. The most common reason for this is the failure to quantify risk, exposure and costs thoroughly enough across the business.
"Only 26% of wider business and 9% in the legal sector have assessed the potential costs" (Locked Down Report) ... so three quarters don't know the potential impact of the (cyber) risks they have embedded in the business.
At the most basic of levels I am really not sure that this situation meets the reasonable expectation of diligence and care one should expect of a board, especially when the media is so hot on the issue and business increasingly expects basic standards of security to be not just met, but exceeded.
The first step to really creating resilience in your business is understanding the risks in your business. If you aren't doing your Business Impact Analysis and Risk Assessments properly just how are you informing your decisions? Are you spending your money in the right areas and are you getting value? Are you really getting the right information to make good decisions or are you just hoping for the best?
I am not saying that you should be risk averse, but rather 'Risk Educated'. Understand what and where the exposures are in your organization and take sensible measures to protect yourself and your stakeholders.