We live in a brave new world and if previous post-pandemic growth case studies are to be believed, big changes are ahead in the way business will be conducted and where employees are located. Technology stands to have a more central role in firms across the board and more employees will end up working remotely after the pandemic.
This shift from bricks and mortar to a virtual environment carries its own risks, as do sensitive communication channels with clients, employees, and other crucial stakeholders. Put simply, data travel has significantly increased, and when more data moves around, the risk of exposure and damage increases along with it.
Last year, a government survey in the UK found that only 16% of boards had an understanding of the cyber threats and challenges that they face; yet more than 90% had an existing cyber strategy in place. This indicates that businesses have plans, pathways, policies and procedures in place, but that actually converting these into penetration testing and other pragmatic steps left something to be desired.
In light of the aforementioned risks, it’s not a surprise that cyber threats are on the rise. Almost half of UK firms (Cybersecurity Breaches 2020 survey) reported cyber attacks in the past year, with a third of those reporting weekly attacks. Overall, 40% of firms attacked suffered financial or reputational damage. As for internal cyber threats, those tend to be detected too late, with wide-sweeping implications, and the damage is difficult to contain and reverse once done.
From a financial standpoint, the macro challenge around data security is related to the value of the risk, rather than the value of the asset.
Most of us and our insurers look at the value of an asset as a financial indicator used to measure the impact of the loss or theft of that asset. But when it comes to data, that is only part of the picture.
For example, a financial firm had a database containing 10,000 customer names stolen. If we look at the value of the risk, we will likely find the cost of the theft includes the cost of clients taking legal action, regulatory action against the firm, and the opportunity cost of losing clients. Data being stolen or manipulated has far-reaching consequences in terms of money, time, and reputation.
Digital resilience is becoming the order of the day. Having plans and policies is not good enough. This is no longer a minimum to compete in an ever-changing landscape.
What can be done to manage and mitigate these risks, as we move forward into the next couple of weeks and months in an ever-increasing theatre of risks?
An easy way to look at solutions to cyber challenges is to use a robust framework:
To be able to effectively deploy solutions, it’s paramount to understand the current and potential future threats, and to use the principle of preventative rather than clinical medicine to maximise data health.
This requires experience in dealing with threats, penetration testing, having a robust architecture, and also a strong R&D capability to think today about tomorrow’s threats.
Effective digital resilience is really about being aware of the changing business models after the current crisis, and having an understanding of the value of the risks attached to the assets, thus factoring the amount of spend on protecting a firm’s data.
In the next weeks and months, the overarching driver in many industries won’t be to grow, but rather to protect.