Cyber resilience and the digital enterprise
As the digital transformation of organizations accelerates and we collectively shift to living more of our lives online, our cyber safety has never been more important. The internet of things (IoT), made up of products and services that increasingly connect everyday objects to computing systems, now accounts for an estimated 30 billion connected devices. While IoT has transformed workflows and continues to improve efficiency for many companies, the cyber risk it brings with it is nearly impossible to transfer away. Cyber resilience must, simply put, involve both a top-down and a bottom-up effort from inside the organization.
Balancing technology, processes, and people
“The C-Suite has a lot to gain if it embeds cyber risk management into its mindset and strategies, and much to lose if it doesn't,” said Sebastian Avarvarei, Director of Advisory Security Services at Wolters Kluwer, at a recent cybersecurity conference. “Furthermore, it is important for the C-Suite and senior executives to realize security is there to enable businesses to evolve faster and go further, without the pain of getting derailed by security issues,” said Avarvarei.
“Cyber resilience is the ability to bounce back from an event and it’s not just up to IT; the entire organization must ensure everyone is aware of the risks and prepared to respond and recover with the help of control processes and technology,” says Elizabeth Queen, VP of Risk Management, Corporate Treasury & Risk at Wolters Kluwer. In other words, organizations must take their cyber resilience into their own hands by balancing technology, processes, and, most importantly, their people.
How to build cyber resilience
This 2018 McKinsey article highlights that risk managers consider cyber risk to be the biggest threat to their business, with 16% of respondents saying their organizations are well prepared. Smart organizations are responding to this clear call to action; focusing on the following four practices can help companies build cyber resilience in the digital enterprise:
1. Engage the C-Suite
It is now a generally accepted fact that cyber risk and resilience need to be C-Suite level concerns, no longer safely tucked away in IT or ignored. Cyber risks affect every organization, no matter its size or sector, and should therefore be included in management and governance processes. Leadership needs to acknowledge the importance of keeping data secure; if the C-Suite doesn’t drive awareness, training will be ineffective.
“Fundamentally, the C-Suite wants the same thing: happy, trusting customers served by healthy engaged productive people, conducting business sustainably, compliantly, and profitably,” states Elizabeth Queen. According to Queen, “cybercrime threatens this equilibrium, whether looking at it from an engagement, trust, sustainability, or business perspective. The only effective way to manage a rapidly evolving, multi-dimensional threat like cybercrime is with a united multidisciplinary, risk-based approach.”
2. Unite stakeholders to build awareness
Unfortunately, no organization is immune to the risks presented by cyber threats. According to itgovernance.co.uk, 1.76 billion records were leaked in data breaches around the world in January 2019 alone. Building awareness of these threats must be a top-down focus and, in many cases, specialized roles must be introduced, for instance a Chief Information Security Officer. New roles help build awareness and often unite employees.
In May 2019, Wolters Kluwer detected ransomware in a portion of our environment, so we know firsthand how disruptive and concerning this can be. This experience tested our preparedness and has made us stronger and more resilient than before. While we proactively took a broad range of customer and internal applications and platforms offline to protect our systems, applications, and customer data, only a small percentage of our products and applications were infected by the ransomware. We promptly informed our customers and employees of the incident and maintained regular communications with them. We engaged with a leading cybersecurity technology firm to conduct a forensic investigation of the incident. The firm has confirmed that there is no evidence that customer data or confidential information was compromised.
At Wolters Kluwer, we work hand in hand with best-in-class global firms that help us evolve our preparedness, prevention, protection and response programs in the face of changing cybercrime. Our employees are empowered to develop their security mindset and use good judgment through regular up-to-date trainings and knowledge-sharing on the characteristics of cyberattacks. According to a recent GetApp survey, 43 percent of employees are left to fend for themselves against cyber threats, receiving little to no data security training. As a result of our training, our employees were able to create a united front in May 2019 during our malware incident. Across the board, all employees came together to respond and solve the challenges faced both on their teams and by our clients.
3. Make security pragmatic
“Security is not about technology, it is about the business and requires understanding business goals so that security can empower the business. At the end of the day, it is just another quality aspect of your product and services,” said Avarvarei. Once you start viewing security as a quality you can measure, you can begin defining your metrics. This means KPIs and service-level agreements, and most importantly, understanding your audience. “When it comes to metrics, less is more. Remember, there’s a cost in measuring targets and too many targets signal a lack of priorities.”
Protecting the interests of your customers, employees and company should be your top priority when building cyber resilience and setting up your cyber readiness.
4. Provide the right incentives for reporting metrics
Performance goals are the classic measure of what’s important to your organization, scaled down from your macro objectives. Incorporating cyber resilience tactics into performance goals, and assigning a dedicated security budget within each organizational budget, whether that be Finance, IT, Legal or Marketing, therefore directly supports the organization’s incident response plans.
Cyber resilience is up to every one of us
As organizations increasingly produce intangible assets and infuse products with unprecedented interconnectedness, cybercriminals are innovating how they target intangible assets. Risk management and cyber resilience need to be taken seriously by the C-Suite to protect customers and employees through a pragmatic and measurable cyber resilience program. Moreover, providing the right incentives for reporting metrics and monitoring cyber safety contributes to incident response plans.
Today, cybercrime is widely regarded as an inevitability, which requires a proactive approach to building resilience. Perhaps the most important step in setting up a cyber-resilience approach is uniting stakeholders to increase awareness.
Guided by our C-Suite, Wolters Kluwer invests heavily in cybersecurity, risk awareness, prevention, protection, and response. However, at the end of the day, cyber resilience is up to every one of us. If we can understand and manage this risk, we will also be well placed to innovate expert solutions for the road ahead.
As a digital company in a digital world, we continue to focus on cybersecurity and resilience, with the success of our customers at the center of everything we do. Learn more about how Wolters Kluwer delivers impact.