Companies risk tunnel vision when it comes to cyber security. It’s an important threat, and one that can’t be ignored, but on any given day companies need to respond to and evaluate a number of different risks and factors.
But by focusing too much on cyber security, are companies opening themselves up to other potential risks?
This is a pivotal question every senior executive needs to ask themselves and the lens through which GRC needs to be viewed.
Cyber-attacks and hacks have a high price tag for companies. As a result, today customer data is the largest commodity at risk for most companies. Loss of data can amount to billions of dollars of loss both in reputation and stock price.
For example, the recent financial implications of the TalkTalk hack included a one-off £40-45 million hit, and a £15 million impact on trading in the third quarter through to the end of December.
Additionally, respondents to the Bank of England’s Systemic Risk survey highlighted cyber risk as a key concern, with 46% in the second half of 2015 worried about an attack, up from 30% in the first half of the year and just 10% in the last six months of 2014.
However, it is not just banks and telcos affected by this issue but the wider business community as a whole. The UK government’s research into cyber security and its impact on businesses found that 90% of large companies have suffered an information security breach and that the average cost of the most severe breaches reached £1.46 million in 2015, up from £600,000 in 2014.
Small and medium-sized businesses reported a similar rise in the cost of cyber-attacks, with some of the worst reaching as high as £310,800, up from £115,000 the previous year.
Tunnel vision
While highlighting cyber risk is important, a holistic view of the business is needed to ensure that the right judgement calls are being made. Focusing too much on a particular area, such as cyber-attacks, could expose companies to other risks and threats.
It’s important for management to take a holistic view of its risk profile – that is, the aggregation of the entire portfolio of risks.
For instance, companies could potentially take on increased risk in the creation of new products or services. This includes the adoption of new technologies, new processes, changes in sales tactics, entry into new markets, and focusing on a new customer segment.
Additionally, risk rarely occurs independently of other effects on the business. For example, a cyber-attack may target the organisation’s technology assets, but the implications for other parts of the value chain shouldn’t be overlooked.
These include the actions or inactions of employees, the effects on upstream and downstream processes, vendor and third-party ramifications, violations of laws and regulations, and adverse effects on customers.
Of course, it is challenging to mitigate all these effects, as resources and capital are often limited. Understanding the universe of risks and their criticality to business objectives and goals ensures an optimal balance between growing the business and addressing harmful exposures.
With so many risks set to impact the way companies conduct business, it’s important to take a comprehensive view, ensuring risks are prioritised and dealt with in the best way. While cyber is likely to top the list for many companies, risks need to be prioritised based on a careful balance of technology, expertise and common sense.
While there is no one-size-fits-all approach, companies need to use technology and analytics to synthesise critical data and decide which risks are most important to combat. For some companies it may be vendors and the supply chain – for others the list may include geopolitical changes, technology adoption, or customer demographics.
Governance, risk and compliance (GRC) teams can only do so much to keep on top of the new, ever-evolving threat landscape. Though technology has matured to the point that it can do much of the heavy lifting, executives need to ensure they can see all potential risks and pull in the right expertise to make the best decisions.
A change in the way threats and risks are reviewed and addressed is necessary and imminent. The current, ad-hoc and sometimes siloed approach to risk reduces the effectiveness of solutions as decisions are not made with the full view of threats and options on the table.
Without the full scope and understanding of the threat impacting a company, are executives set up to make business savvy choices?
A holistic approach requires that departments across the business – legal, IT and risk, along with senior executives – work together to ensure there is a full, in-depth view of the risks that will impact a company.
Without this view, and a clear, collaborative decision process in place, blind decisions are being made.
Executives would likely make different choices if they knew that there were a host of other risks that stood to damage their business, or at the very least would decide decisively which risks stand to impact the company the most.
Managing threats
Companies need to look at how they can use technology to better manage potential threats. Technology can make the process more efficient, provided companies are leveraging the right tools to flag vulnerabilities.
Executives then need to have the right processes in place to empower the right decision makers to determine next steps and the level of action required.
For example, if a dashboard flags an issue, there needs to be a process in place to determine whether the threat requires input from legal or compliance or another department. In this equation, technology is a tool.
With more data available than ever, technology can pull together and sort large volumes of it. But without the right decision makers or expertise to supply context, much of that data will be ineffectual. Companies still need a balance of technology and human intervention to address and prevent risks.
Despite the latest technology helping to identify threats, if the right support is not in place to mitigate and escalate risks beyond cyber, the potential damage to the company only stands to increase.
Moreover, there is a need to decipher what the technology is depicting, so that common sense and experience can be utilised as an effective line of defence.
In order for companies to grow in current market conditions, they need to have a blend of both defence and offence – for cyber and all other risks, they can’t afford to be reactive.
Companies must enlist support from the C-suite to actively invest in the right set of technology platforms, expertise and processes to maximise protection and drive growth.
Sourced from Ladd Muzzy, principal, Nasdaq BWise