Cybersecurity balancing act: Digitising your business in the face of uncertainty
As organisations face the inevitability of ‘digitisation’, the challenge of ensuring effective cybersecurity protections for your business is not becoming any easier.
The messages being sent by a range of global consulting, analyst and technology vendor organisations – not to mention regulatory and government agencies – are consistent and increasingly strident. Additionally, the evidence is that the rate of successful intrusions and data breaches is increasing.
The bottom line, in essence, is that cybersecurity risk must not be ignored. More importantly, it takes a whole-of-business response to minimise the cyber-threat to your organisation: cybersecurity should be a core element of any organisation’s business strategy, and cannot be left to your IT department alone to attend to. Period.
Maintaining the right cybersecurity balance in the face of constant change.
One of the key challenges facing organisations heading down the digitisation path is balancing the very real risks of cyber loss against the business benefits that digitisation would bring.
Getting this balance right is no trivial exercise, for a wide range of reasons, such as:
- Increasing rates of technology-led innovation and change. Protecting your organisation against an innovative, volatile and largely unknown series of threats is the real challenge. For example, shadow IT and the Internet of Things (IoT) introduce devices and services that the security team has never assessed, and so open up new cybersecurity vulnerabilities.
- Low digital literacy of company boards and senior executives, contributing to outmoded IT leadership expectations and reinforcing legacy IT departmental strategies and structures.
- Siloed internal organisational structures, where the absence of cross-functional collaboration inhibits intra-organisational agility and adaptability. Is cybersecurity ‘not my job’?
- Lack of C-suite leadership clarity and coherence over how, specifically, IT contributes to the organisation’s intrinsic value. If the value of IT and digital assets (including business systems, information and processes) is not known, how can the effort spent protecting them be justified or prioritised?
The question is: are your information security measures delegated to your anti-virus vendor and IT department to take care of? If so, the time to reconsider this approach is now.
Crossing the red line. Physical-cyber risk.
Setting the privacy issue aside for the moment, cyber-crime and hacking are now making their presence felt in the physical world.
The seemingly daily theft of company secrets, credit card details or personally identifiable information (PII) for the most part does not endanger lives or directly destroy physical assets. The line is crossed when it comes to physical-cyber risk, where a compromised control system can damage equipment or harm people. This is where things can get very serious.
Documented examples of physical-cyber attacks include:
- The 2014 case, reported by Germany’s federal IT security office (BSI), of a German steel mill whose blast furnace was damaged after attackers gained access to the plant’s control systems via the corporate network.
- Stuxnet – a computer worm, discovered in 2010, that infected the industrial control systems of an Iranian uranium-enrichment plant and manipulated the centrifuge controllers, physically damaging the centrifuges while reporting normal operation to the operators.
- The early case (2000) of Maroochy Water Services on Queensland’s Sunshine Coast (Australia), where a disgruntled former contractor used a laptop computer and a radio transmitter to remotely take control of sewage pumping stations and release around 800,000 litres of raw sewage into local rivers and parks.
- A Jeep 4×4 was ethically hacked in 2015 and controlled remotely over the mobile network via its infotainment system, overriding the driver’s ability to control the vehicle; the manufacturer subsequently recalled about 1.4 million vehicles to patch the flaw.
- A security researcher claimed, according to a 2015 FBI affidavit, to have accessed the flight control systems of Boeing 737 and 757 and Airbus A320 aircraft via the in-flight entertainment system while airborne, and on one occasion to have sent a climb command to the aircraft’s thrust management computer. The aircraft manufacturers disputed that such access is possible, and the claim has not been independently verified; it nonetheless illustrates why the segregation between passenger-facing and safety-critical networks must be demonstrable, not assumed.
If your organisation deals with physical assets, or has physical processes that could cause physical damage, the physical-cyber risks should not be ignored.
When all else fails: Cybersecurity insurance policy?
Cyber-risk insurance is now a multi-billion dollar business experiencing rapid growth.
While cyber insurance is good news for the insurance industry, be aware that the maturity of the cyber insurance market is low compared to insurance products that have been around for a long time: policy wordings, exclusions, the security controls insurers require you to have in place, and the outcomes of claims still vary widely.
Consider these 6 points before you hand over your money and sign a cyber-risk insurance policy.
The buck stops here.
At the end of the day, company executives should acknowledge the fact that the cyber-risk genie is out of the bottle, never to be returned. It is incumbent on all business executives, managers and staff to have a solid understanding of, and keen interest in, cyber-threats. Only when a unified, well-architected cyber-risk framework is implemented organisation-wide, backed by a universally high degree of staff and management engagement, will the risks be optimally treated.
Irrespective of what strategies your organisation adopts in response to cyber-threats, remember that:
Responsibility can be delegated or outsourced; accountability cannot.
The question is: who is accountable for managing your organisation’s cyber risks, and are the resources applied appropriate for your specific organisation?