Cyber risk management: the basics

Publish date: Jun 2017

Nearly all companies today are, in effect, high-tech companies. It's true by virtue of the way in which they trade and transact their services: reliance on technology, databases, and remote connections is heavy.

Every business is connected, but every connection creates vulnerabilities. That means every company should prepare and execute an effective cyber risk management programme, and do it before losses take them down.

Many steps are easy. Simple staff education is step one.

Phishing is a hackers' gambit used to gather information, or to implant malware onto company systems. It is a branch of the technique known as 'social engineering', which is little more than running a short con to manipulate employees into granting access to systems, revealing passwords, or otherwise compromising a firm's cyber security.

Training can help to ensure that every employee is aware of these risks and can identify suspect messages, calls, or visits. It should also ensure they know the procedures to follow when an attempt occurs. But surprisingly few companies offer such training, even to managers.

Most businesses have security protocols intended to protect their systems from hackers, but a surprisingly large number of them are inadequate. Cyber criminals look regularly for weaknesses in commercially available security software, and exploit them before the loopholes are closed. Staying current is critical.

More complex systems present even more vulnerabilities. Simply meeting an international standard, for example, probably won't fit the unique risk profile of a specific company's systems. Very careful enterprise risk analysis, probably with the help of external experts, is essential.

Vigilance is another requirement. Cyber risk management cannot be implemented and forgotten. Everything from the vulnerability of systems to the skills and motivations of those who seek to exploit security weaknesses is in constant flux. That means businesses must constantly review and reassess not only their existing security measures, but also the evolution of the targets and vulnerabilities the business presents.

This is especially true when new processes or systems are introduced. Risk assessment must begin again from the top down, because a new system, even a well-protected one, may create big new security gaps when it is integrated with existing security measures. Similarly, staff cyber-security training should be repeated regularly.

Every business is different, so every company needs appropriate risk management, including regular training. Exactly what to do differs from firm to firm. Similarly, insurance coverage must be put together with the specific risks and vulnerabilities of each client in mind. Terms of coverage should be revisited and amended at least annually, to ensure that the persistent evolution of the hackers' threat is adequately covered.

Cyber risk need not be a worry. With thoughtful risk management and effective insurance measures in place, companies can be confidently protected from the ever-evolving risk.