Lastest news

Develop your cyber resilience

Nov 06, 2020

With cybersecurity an increasing concern for companies, how can organisations keep on top of cyber controls? By investing in three things – people, processes, and technology – companies can develop robust cyber resilience, says Colm McDonnell.

Cybersecurity has been a priority for boards for several years. It has come into sharper focus recently, however, as COVID-19 forced a digital transformation whereby teams – and often entire organisations – now work remotely. According to the Deloitte Future of Cyber Survey, 49% of C-level executives say that cybersecurity is on the board agenda at least once a quarter.

And so, companies are turning their focus to cyber risk management at an organisational and national level. You can see how the focus has developed over the years in how industry regulators have approached cyber risk management – the introduction of GDPR and the Network Information Security (NIS) Directive, which focuses on cybersecurity controls and resilience, are just two examples.

Recent global events have accelerated many companies’ digital transformation journeys to facilitate increased remote working and online transactions. Digital transformation can be extremely effective for businesses, but it comes with its own risks. Organisations may struggle to prioritise risk if they have not settled on a specific framework and governance model, or if different areas of the business use different frameworks to assess and report cyber risk.

Several cyber risk frameworks have been developed over the years, and it is common to see organisations utilise elements of one or more frameworks to support their cyber risk objectives. The following common areas of focus are key to successfully managing cyber risk:

  1. Obtain buy-in from the top for the cyber programme. Irrespective of the framework(s) chosen, develop a common risk taxonomy that facilitates open and transparent reporting.
  2. Understand what matters most by identifying the organisation’s crown jewels (i.e. its systems and processes). This can help you focus on what is truly important and needs to be protected.
  3. Understand the threat landscape and how it might disrupt the confidentiality, integrity or availability of these assets.
  4. Identify your stakeholders. Is there an external compliance element that needs to be addressed? Cyberattacks can result in direct revenue loss, loss of customer trust, regulatory fines, and a fall in a company’s share price.
  5. Develop and deploy preventative and detective controls to support the management of cyber risks.
  6. Test the effectiveness of these controls and periodically review the threat landscape.
  7. Develop and frequently test your response plans to ensure your organisation can recover critical assets in the event of an attack.

It is impossible to provide 100% assurance on cyber controls, but preparing your organisational response (people, process and technology) to an adverse cyber event and focusing on your core services are crucial steps to developing cyber resilience.

Colm McDonnell is Head of Risk Advisory in Deloitte.