Increasing cloud usage, growing mobility, working from home, virtualisation, the “Internet of Things” and so on are all creating new challenges and threats in the cyber security ecosystem. This is why cyber risk management is becoming even more important, and there must be a shift from it being the operational underdog to becoming more visible for senior management. Ultimately, the responsibility for a company's cyber resilience lies with them. In this blog article, you will find out how to set up an efficient cyber risk management system.
There is no such thing as a risk-free life, either in private life or in the business world. Our lives are shaped by risk, by assessing it and by protecting ourselves against it, particularly in the cyber world, where numerous risks can potentially cause great damage. Cyber attacks are among the biggest business risks for companies all over the world. The same is true for Switzerland. Last year alone, the National Cyber Security Centre reported over 10,000 cyber attacks, and the number of cases that go unreported is probably much higher.
Some of the biggest drivers are regulatory pressures, competitive changes, compliance requirements, cyber crime and the growing complexity of infrastructure. Managing these drivers and their impact on risk and compliance is one of the biggest challenges faced by companies today. At the same time, today's companies are operating in a complex, highly dynamic and often global environment. Consequently, the demands being made on risk management and the internal control system are steadily mounting.
Risk management is a job for senior management
On the one hand, your cyber security has to cope with traditional risks such as targeted malware and data loss. On the other hand, new technology keeps bringing new and more demanding challenges, and with them new risks. In addition, there are numerous regulatory requirements to be met, such as the E-DSG and the GDPR. Senior management is responsible for all of this. According to OR 716a, risk management is implicitly a task for the board of directors. With the revisions (2008 and 2013), the internal control system (ICS) and the risk report were also explicitly stipulated in the Code of Obligations. This means that the board of directors bears overall responsibility for risk management in the company: defining the risk strategy, periodically reviewing the risk profile, carrying out a risk assessment and reporting on it in the management report.
By moving towards a broader definition of ICS, the recommendations of the Swiss Code are even more oriented towards comprehensive risk management, and they include all activities for identifying, assessing, controlling and monitoring risks in relation to the attainment of objectives within the company. Financial, operational (e.g. cyber risks) as well as strategic and market-specific risks all need to be taken into consideration.
Cyber risk management is part of corporate resilience
For every kind of risk that may hit your company, you have to define adequate measures to control it and monitor the effectiveness of these measures. To do this, you need to identify, assess and manage the risks and define the risk strategy (the appetite for risk). The risk strategy and the choice of the right measures to manage risk are therefore hugely important. This is an integral part of corporate risk management, and it needs to be handled with a great deal of care and judgement. Digital transformation is making companies' risk situation even more nuanced, the partner/supplier network is becoming more extensive and the number of applications and interfaces is growing exponentially. (Find out why security in your supply chain is so important in our earlier blog.)
We are aware that cyber risk management is a challenging job, but it is one worth doing properly! Even so, we frequently come across situations where companies have resigned themselves to the perceived effort involved. That is why we have briefly summarised the most important points for your cyber risk management.
- Align risk management with the organisation's goals and objectives.
- Identify the risks. Systematically identify all (internal and external) risks that affect the organisation and that may interfere with successfully achieving its goals and objectives. Make a list of these.
- Assess the risks. Analyse the identified risks in terms of the likelihood of them occurring and their potential impact. Compare the risks with pre-established risk acceptance criteria to prioritise the risk response.
- Decide on a risk management strategy. Define how to handle risks based on the risk appetite: depending on how a risk is evaluated, should it be accepted, avoided, reduced, spread or transferred?
- Control the risks. Monitor the identified, current risks for any changes in line with predefined risk indicators. Check whether the chosen measures have been successful.
- Ensure that there is appropriate communication of risk. Communicate risks and risk outcomes in a transparent, comprehensible manner – for the benefit of stakeholders, to inform decision-making and for information purposes.
Think in terms of scenarios
Cyber security revolves around confidentiality, integrity, availability and traceability. The traditional, control-based approach starts from a framework (e.g. ISO/IEC 27001) and tries to map protection objectives as completely as possible. But due to growing digitalisation, virtualisation, networking and the use of cloud services, this presents an enormous challenge, so it is recommended that you base your cyber risk management on scenarios. You map the risks with process- and service-oriented scenarios and, at the same time, define the most important (protective) measures.
Take an example: you have identified losing mobile devices as a potential risk. A variety of threats can be responsible for loss – theft, malfunction or destruction, just to name a few. On top of the financial risk, depending on the mobile device's vulnerabilities (e.g. no encryption, no password or a weak one), there may be other risks such as the loss of important company data or a breach of data protection laws. Measures like MDM solutions with encryption and a strong password (2-factor authentication) can greatly reduce the risk impact. However, residual risks remain, such as user misconduct ("creatively" bypassing security regulations). Of course, you could further minimise this residual risk with targeted awareness measures for employees.
Try it yourself – what is the risk scenario when your staff shares data with external partners via cloud storage?
- What are the threats your company data is exposed to?
- What are the vulnerabilities that can arise when you use cloud storage?
- Which assets/values are affected?
- What are the risks for your company - and how could you reduce them?
- What residual risks remain?
As you can see, thinking in terms of risk scenarios does not just help you to visualise the impact of risks on the company and your stakeholders; it also helps you to communicate the risks in a way that best serves the target audience, because this approach does not require in-depth cyber security expertise.
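To make the five steps above and the mobile-device scenario concrete, here is an added example (not from the original article) of a small scenario-based risk register: each scenario carries its asset, threats, vulnerabilities and planned measures, is scored before and after those measures, and is mapped to a response against a risk appetite. The 3x3 likelihood/impact scale, the numeric appetite and the accept/reduce/transfer/avoid decision rule are assumptions for illustration, not a published method.

```python
from dataclasses import dataclass, field

# 3x3 likelihood/impact scale; scale and decision policy are assumptions
SCALE = {"low": 1, "medium": 2, "high": 3}
LEVELS = list(SCALE)

@dataclass
class Control:
    name: str
    likelihood_drop: int = 0  # steps by which the measure lowers likelihood
    impact_drop: int = 0      # steps by which the measure lowers impact

@dataclass
class Scenario:
    asset: str
    threats: list[str]
    vulnerabilities: list[str]
    likelihood: str
    impact: str
    controls: list[Control] = field(default_factory=list)
    residual_risks: list[str] = field(default_factory=list)

def lower(level: str, steps: int) -> str:
    """Move a rating down the scale, never below 'low'."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]

def inherent_score(s: Scenario) -> int:
    return SCALE[s.likelihood] * SCALE[s.impact]

def residual_score(s: Scenario) -> int:
    """Score after all planned measures have been applied."""
    lik, imp = s.likelihood, s.impact
    for c in s.controls:
        lik, imp = lower(lik, c.likelihood_drop), lower(imp, c.impact_drop)
    return SCALE[lik] * SCALE[imp]

def decide(s: Scenario, appetite: int) -> str:
    """Choose the response against the risk appetite (assumed policy)."""
    if inherent_score(s) <= appetite:
        return "accept"
    if residual_score(s) <= appetite:
        return "reduce"  # the planned measures bring it within appetite
    if residual_score(s) == SCALE["high"] ** 2:
        return "avoid"  # still worst case even with the measures
    return "transfer/spread"  # e.g. insurance or splitting the exposure

# The mobile-device scenario from the article, rated on the assumed scale
MOBILE = Scenario(
    asset="company data on mobile devices",
    threats=["theft", "malfunction", "destruction"],
    vulnerabilities=["no encryption", "weak or no password"],
    likelihood="high", impact="high",
    controls=[Control("MDM with encryption", impact_drop=2),
              Control("strong password + 2FA", likelihood_drop=1)],
    residual_risks=["user misconduct (bypassing security rules)"],
)
```

The cloud-storage exercise above fits the same structure: fill in threats, vulnerabilities, the affected asset and the planned measures, and the residual score shows what is left to accept, transfer or avoid.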
Cyber risks are dynamic
We can all agree that cyber risks are business-critical. They are an ever-present threat and affect all of the parties involved – companies themselves, their customers and their partners. However, cyber risks are constantly changing, making cyber risk management an ongoing process. You must already be making considerable efforts to avert potential threats that could put achieving your strategic goals in jeopardy. Despite this (and indeed precisely because of this), hand on heart – can you say with a clear conscience that you have covered everything when it comes to cyber risks, and that everything is kept up to date at all times? In one of the upcoming blogs, we will show you why monitoring your own cyber risks is so important.