Dealing with cyber risks is a matter for the top management

Cyber security is not a sprint, it's a marathon. It is neither a product nor a state; it is an ongoing process that needs to be strategically put in place within a company by top management – at the board of directors and senior management level. Why is that? These days, cyber risks are rated as the greatest threat to companies; and they are a substantial part of business risk. They can no longer be delegated to the IT department for them to deal with on their own. This means that cyber resilience must be on the agenda of the company’s leadership. The board of directors and the senior management play a key role that must not be underestimated. Find out what this is and how to navigate successfully in our Cyber-Resilience-Guide.

Once again cyber criminals are targeting companies more and more. There are multiple reports in the press and on social media, and there is no end in sight to this negative trend – quite the opposite in fact. Recent studies show that over 60% of Swiss companies have been victims of cyber crime in the past year alone. In comparison to other countries in the DACH region, Switzerland is still more or less getting off lightly. In Germany, 67% of companies have been victims of a cyber attack, and in Austria it's 84%, and the number of unreported cases is likely to be much higher. What is particularly worrying is that, in our experience, the size of the company no longer matters, so you and your company could be hit at any time.

Cyber resilience is part of the top-management agenda

Cyber security is a central issue and is crucial to a company's business success. The effects of cyber attacks are extremely serious and can often even threaten a company's very existence, so it is unsurprising that numerous companies impacted by them have already been forced to file for bankruptcy. SMEs in particular are not out of danger when it comes to cyber attacks. In addition to the financial impact, they can also lead to other, very diverse consequences:

• Damage to their reputations
• Loss of customer and supplier confidence
• High costs for fines and legal fees
• Damages and compensation payments
• Lost time
• Lost revenue, recovery costs
• Insolvency

This precarious risk situation alone means that it goes without saying that cyber resilience needs to be on the agenda for the board of directors and senior management team of every company. But what exactly does cyber resilience mean? Well, what we mean by it is the merging of cyber security, risk management, business continuity and resilience practices that enhance a business's ability to withstand and recover from a cyber attack.

Concrete tasks and responsibilities of the board of directors and the senior management team

According to the Swiss Code of Obligations (CO), as a member of the board of directors and the senior management team, you have a role that is a particularly decisive and responsible one, which is to develop an integral risk management system, to implement it successfully in the company and to monitor it. Now the question is, what is the situation like in your own company when it comes to these matters?

Don't worry if you don't have a definitive answer. We are here to help you with that. In this article, we will focus on the issue and challenge of what you, as a board member, need to do prior to a security incident. We're going to concentrate our full attention on prevention. In our Cyber-Resilience-Guide which we have developed especially for boards of directors and management boards, you will find out about complete all-around protection, and we will be focusing on your entire area of responsibility in terms of cyber security. By this, we mean what you need to do before, during and after a security incident. Our goal for and expectation of you is that you achieve a high level of cyber resilience in your company.

Cyber Resilience as a strategic opportunity for your company – an the importance of a partner is clear

It must be admitted that the demands are as big as your responsibilities. However, it is obvious that it is not your job at the operational level to implement all of this or even to know about the latest technology. Ideally, you are able to rely on the team of experts around your CIO and CISO for that. It is critical for you to be able to get information from your IT and security managers by using targeted questions that will enable you to assess how resiliently and effectively your organisation can withstand cyber threats, or where you may need to intervene and respond. Consequently, cyber resilience is also a great strategic opportunity for your company to set itself apart from your competitors, as well as to boost the trust of your customers, suppliers, partners, investors, employees and other stakeholders by having managed a cyber incident in a professional manner. But it is not nearly enough to focus on defence alone. It is much more important to strengthen your overall resilience, to recognise attacks promptly and react even faster. We urgently recommend that you get an experienced, competent partner on board who can provide you with professional support in exactly this kind of situation. As Dr Stephan Wartmann, CEO of BRUGG GROUP AG, puts it:

The three factors in the success of your cyber resilience strategy

It is definitely worth aligning your cyber strategy with resilience. To ensure that you are able to do full justice to your board and management duties, we recommend the following approach:

1. Embrace cyber resilience at the highest level of the company: delegate responsibility for action to a body or to a specific team of cyber resilience experts. Conversely, you need to take leadership responsibility. Under no circumstances should this must be delegated.
   
   
2. Incorporate cyber resilience into company-wide risk assessment: ensure that management has integrated cyber resilience and cyber risk assessment into the business strategy and company-wide risk management, as well as into budgeting and resource allocation.
   
   
3. Build appropriate cyber resilience measures and monitor their implementation: a modern, effective strategy is designed to promptly detect cyber attacks, prevent hackers from causing damage and increase the company's resilience to cyber attacks. In line with this strategy, we recommend that you proceed based on the globally renowned “NIST Cyber Framework” which splits cyber measures in Switzerland into five areas as the ICT minimum standard: identify, protect, detect, respond and recover.

A checklist to assess your Cyber Resilience

In the guide, we have laid out these three success factors for you in detail. Now let's go one step further. A checklist is intended to help you assess for yourself your company's resilience. Ideally, you should be able to answer all of the following questions with a definite “yes”. Here are our “top 6” points:

1. Are you kept regularly informed about cyber resilience issues and are you able to assess their impact on your own company?
2. Have you defined who is responsible for taking action? Who assumes this responsibility?
3. Have you identified your key information assets and made a thorough assessment of your vulnerability to cyber attacks?
4. Have you conducted a cyber security risk assessment? And is it reviewed on a regular basis?
5. Do you know your current risk situation, the vulnerabilities and the impact on your cyber resilience?
6. Do you have a contingency plan in the event of a cyber incident? Is the contingency plan regularly tested and are backups and offline backups of relevant assets available promptly?

Be honest now: how would you rate cyber resilience in your company? You can find the complete self-assessment checklist in our Cyber-Resilience-Guide.

We invite you to a round table discussion

Cyber risks are a matter of the boss. We would be happy to provide you with support for your critical task of establishing an effective security strategy and achieving the best possible cyber resilience. Our experience, and in particular the positive feedback from our customers, has shown that a personal dialogue sharing our experience face to face is the most effective way of achieving this. By sharing our experiences, we will show you where and what the biggest challenges and threats are in the cyber security ecosystem. Schedule your preferred date now. We look forward to the discussion!