Business is almost wholly reliant on digital platforms, creating a significant risk that requires an integrated response.
By Michael Davies, CEO, ContinuitySA
Nobody needs reminding that cyber risk has become one of the most serious that businesses face. The Institute of Risk Management’s 2018 Annual Risk Report shows that cyber-attack is the No. 1 industry risk rated on impact in South Africa. Other research tells us that this type of risk is increasing in both frequency and severity.
In fact, many commentators—myself included—now take the view that companies should assume that a cyber breach will occur at some point. Protection remains critical, of course, but it’s equally important to know how to respond in order to minimise damage and get back to normal operating conditions as soon as possible.
We call this capability cyber resilience.
Customers, business partners and regulators are all increasingly intolerant of both system downtime and data losses. Indeed, regulations like the Protection of Personal Information Act (PoPI) and the European Union’s General Data Protection Regulation (GDPR) impose penalties for data breaches.
Mitigating cyber risk is no easy task. A study conducted on behalf of the New York Stock Exchange provides a reality check: only 4 percent of directors are very confident that they are secured against cyber-attack, whereas 66 percent are less than confident. Nonetheless, governance codes like King IV and, increasingly, legislation make data and IT governance a board responsibility.
All of this makes it imperative that the company integrates cyber resilience into the broader business continuity strategy to maximise its ability not only to protect against a data breach, but to detect when one has occurred and recover from it.
Follow these five crucial steps to achieve this integration:
- Align IT and business to a cyber-resilience strategy. A critical element will be to use a common language to enable this alignment. Neither party will be effective working solo.
- Get top management buy-in. As with most business initiatives, executive sponsorship is critical to gain traction and secure budget. Given the importance of business continuity as a whole, and of cyber resilience within it, this sponsorship should sit at board level.
- Get the balance between risk appetite and resilience right. There is no one-size-fits-all approach. Companies must take the time to understand their particular threat landscape, and their risk appetite. Mitigating risk costs money.
- Develop a comprehensive cyber strategy incorporating people, processes and technology. As with business continuity, a multi-pronged approach is required. Everybody in the company, and every process, uses technology, so all must be involved.
- Create a holistic resilience culture of protect, detect, respond and recover. Protection is vital but, as noted above, is unlikely to be foolproof, so the ability to detect that a breach has occurred at all is equally important, because detection is what triggers a suitable response and recovery.
NYSE Governance Series, Cybersecurity in the Boardroom (2015), available at https://www.nyse.com/publicdocs/VERACODE_Survey_Report.pdf.