Formulating a Comprehensive Response to Enterprise Risk
No one is too big to fail
Imagine a world in which every business faces a constant, nearly imperceptible source of operating risk. A world in which even the most resilient, time-honored enterprises encounter financial risk so great, it threatens their very existence. This is the world in which we live today. Every industry, business, and individual is exposed to the growing cast of bad actors aggressively looking to exploit gaps in digital corporate security.
New data from the major security technology companies confirms this premise. According to Symantec, over half a billion personal records were stolen or lost in 2015. Attackers continue to bypass conventional security tools, breaching the clear majority of security architectures they target. The result is a persistent menace: a barrage of digital intruders focused at times on surveillance, but more frequently on damaging and stealing sensitive data. The proliferation of the “Internet of Things” makes corporate security and business continuity planning an even tougher row to hoe.
Most security solutions are network-oriented. Because of the subtle nature of today’s attacks, and because of the unprecedented volume of network data monitored and stored by companies, big data analytics is also beginning to play a role in cybersecurity. By analyzing longer-term patterns and larger sets of data, many companies have improved breach detection and response times. But can these tools alone truly protect corporate assets, trade secrets, brand reputation, and ongoing operations?
I recently moderated a cybersecurity panel in Fort Worth, Texas co-sponsored by the Chamber of Commerce and Bridge Partners. A former senior-ranking Department of Defense security analyst told the audience that most companies can take up to 18 months to detect a breach. That does not necessarily mean that data is stolen or assets are damaged during that period. But it does mean that breach detection is often non-existent for extended periods of time. This gives attackers an almost infinite amount of “cyber time” to penetrate an environment and covertly traverse the network, looking for ways to cause harm or capture assets to be ransomed.
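The two preceding paragraphs make related points: a single-day rule misses a patient attacker, while longer-term analysis shortens the dwell time. As an added example (not code from the article or from the panel it describes), the following Python script contrasts a fixed per-day outbound-traffic threshold with a check of each host's trailing 30-day mean against that host's own 60-day baseline, and reports the resulting dwell time. The host names, traffic volumes, the compromise on day 60 and the 40 MB/day exfiltration rate are all constructed assumptions for illustration.

```python
"""Added example (not from the article): a slow exfiltration that no single day's
traffic reveals, caught by comparing a 30-day window against a host's own 60-day
baseline. All hosts and traffic figures below are constructed for illustration."""
import math
import random
from statistics import mean, pstdev

DAYS = 120
COMPROMISE_DAY = 60          # day the hypothetical 'finance-db' host is compromised
EXFIL_MB_PER_DAY = 40.0      # attacker drip-feeds ~40 MB/day, far below any daily alarm


def build_sample_traffic(seed=7):
    """Per-host daily outbound megabytes for DAYS days (constructed, deterministic)."""
    rng = random.Random(seed)
    traffic = {}
    for host, typical in (("web-01", 500.0), ("finance-db", 200.0), ("build-01", 900.0)):
        traffic[host] = [max(0.0, rng.gauss(typical, typical * 0.15)) for _ in range(DAYS)]
    # Slow exfiltration: a small, steady increment on top of normal traffic.
    for day in range(COMPROMISE_DAY, DAYS):
        traffic["finance-db"][day] += EXFIL_MB_PER_DAY
    return traffic


def daily_threshold_alerts(series, threshold_mb=1500.0):
    """Conventional rule: alert on any single day whose outbound volume exceeds a
    fixed, organization-wide threshold. Returns the list of alerting day indices."""
    return [day for day, mb in enumerate(series) if mb > threshold_mb]


def baseline_drift_detection_day(series, baseline_days=60, window_days=30, z_limit=5.0):
    """Longer-term rule: learn the host's own mean and spread over its first
    `baseline_days`, then score each trailing `window_days` mean against it.
    A shift of delta MB/day across the whole window gives z = delta / (sd / sqrt(n)),
    so small daily increments accumulate into a large z even though each day
    stays inside the normal range. Returns the first day on which z exceeds
    `z_limit`, or None if the host never drifts from its baseline."""
    if baseline_days < window_days:
        raise ValueError("baseline must be at least as long as the test window")
    baseline = series[:baseline_days]
    base_mean, base_sd = mean(baseline), pstdev(baseline)
    if base_sd == 0:
        raise ValueError("baseline has no variance; cannot score drift")
    stderr = base_sd / math.sqrt(window_days)
    for end in range(baseline_days, len(series)):
        window = series[end - window_days + 1:end + 1]
        z = (mean(window) - base_mean) / stderr
        if z > z_limit:
            return end
    return None


def dwell_time_days(detection_day, compromise_day=COMPROMISE_DAY):
    """Days the attacker was present before detection; None if never detected."""
    return None if detection_day is None else detection_day - compromise_day


if __name__ == "__main__":
    traffic = build_sample_traffic()
    for host, series in traffic.items():
        found = baseline_drift_detection_day(series)
        print(f"{host:12s} daily-threshold alerts: {daily_threshold_alerts(series)} "
              f"baseline-drift detection day: {found} dwell: {dwell_time_days(found)}")
```

On this constructed data the fixed daily threshold never fires for any host, while the baseline comparison flags finance-db a few weeks after the compromise and stays silent for the two clean hosts. The design point is that the longer window trades a short detection lag for sensitivity to increments that a per-day rule can never see; the z-score threshold is what bounds the false-positive rate on hosts that are behaving normally.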
Asking the tough questions
Without a foolproof approach to preventing, detecting, and responding to security breaches, how should the modern enterprise respond? Executive management and boards of directors should seek to understand their overall enterprise risk. This means asking some tough, specific questions about cybersecurity governance and risk management, including:
- Which corporate assets are most vulnerable?
- Is a digital predator sitting on our network today?
- If so, what can they do to our data and infrastructure?
- What might be the extent of the damage and can it be modelled for purposes of planning?
- Do we have the right security technology platform installed and configured?
- How do we quickly deter, detect, and stop attacks?
- How would a successful attack on our network impact our balance sheet?
- Can we quantify our economic exposure and design viable risk mitigation and cybersecurity disaster recovery plans?
Given the ubiquitous and uncertain nature of cyber threats, the answers to these questions can be elusive even for the most well-equipped executive teams and boards of directors. Most organizations lack a proactive, cohesive plan for addressing the financial and operational uncertainties that accompany a significant breach—an event that is practically inevitable.
Developing a comprehensive response
For executives to meet their fiduciary responsibility to shareholders, they must develop and execute a comprehensive strategy that considers financial, data security, infrastructure, and compliance requirements. The most effective approach is a governance and internal compliance methodology that matches the statutory rigor of Sarbanes-Oxley. Such an approach requires organizational commitment to automated detection, periodic audits, reporting accuracy, incident management, and defined role requirements for business and IT departments. It also requires statistical modelling, incorporating actuarial data, to identify and prioritize the assets that are most exposed and present the greatest risk. Anything less will fall short of properly protecting critical corporate assets.
Accountability for safeguarding data
There are many digital access pathways into corporate systems. Enterprise data is managed and administered inside company firewalls and across ecosystems. This includes data such as:
- Employee records and passwords
- Product design information
- Credit reports
- Sales data
- Personally identifiable information
- Trade secrets
- Health information
These types of data (and many more) must be protected. Leaders who fail to address cyber threats jeopardize not only their careers, but the long-term viability of their companies.
Money is a finite resource for any company. Knowledge capital is not. It is imperative that business leaders apply the resources at their disposal in a thoughtful, prioritized manner to fend off cyber threats and mitigate negative outcomes.