Like many people, I am Cyber aware, but I wouldn’t consider myself Cyber educated. Last month I began a course with Harvard remotely on Cyber security.
Here are some initial high-level confronting insights:
90% of executives are not prepared to deal with a Cyber-attack and cannot interpret Cyber reports.
40% of executives feel they are not responsible for the repercussions of a Cyber-attack.
Cyber-attacks are asymmetric: hackers face low risk, while defenders face high risk because the surface area they must protect is impossibly large.
The pandemic forced many organisations to implement tactical arrangements to maintain operational continuity; some of these arrangements are now permanent and have inadvertently produced new risks. These risks fall across three principal areas.
Business and operational risk - direct or indirect loss from the failure of key business systems, processes, procedures or people.
Reputational risk - loss or damage from harm caused to organisational image or reputation.
Legal and compliance risk - an action against an organisation due to breaking the law or regulatory requirements.
Cyber risk requires broader business management, with the technology team being a contributor. An organisation that exhibits these characteristics is adaptive, with lessons learned and risk management as part of their culture.
How can an organisation evolve from their current state?
These are the six primary areas to be considered.
Cyber threats and risks to business.
Identification of critical systems, networks, and data to operations.
Roles of governance and leadership within a risk management plan.
Taking stock of Cyber security technology.
Consideration of the legal implications of breaches.
Incident response and risk mitigation to foster Cyber resilience.
A traditional approach to Cyber security is designing a defensive perimeter to protect valuable assets. It helps with conventional attacks but is less adaptive to changes in the Cyber landscape. There are five elements of a successful contemporary approach to Cyber risk management.
I am now assisting organisations in moving through these elements by initially providing structure with facilitation. I have an active Cyber engagement and a client case study which will be available in February.
Feel free to make contact if you wish to discuss your Cyber situation.