Cyber Resilience: From Third-Party to Cyber Risk Management

Mitratech Holdings, Inc
Author: Javier Gutierrez

It is safe to say that board members, CEOs and other key decision-makers everywhere recognize the significance of cyber risk management and the heavy investment that initiatives in this field represent.

Cyber risks in the shape of ransomware, phishing, malware and many other threats are something organizations need to be prepared for. Cyber risk management is often viewed as a complex, challenging and highly technical issue to steer away from. Avoiding this GRC use case and failing to invest in it is a critical mistake for any organization.

UK Cyber Security Breaches Survey 2022

The UK Cyber Security Breaches Survey is a yearly, in-depth research study of cyber resilience in the UK. It is mainly used to inform organizations of government cyber security policy and to align them with the UK's national cyber strategy in order to ensure secure business activity.

The survey is worth further reading, if only to realize how many companies are wrestling with the same issues, almost regardless of size or sector. It focuses on the UK market, but the reality there is no different from the one organizations face in other developed economies where they conduct business.

It highlights, amongst other things, that 39% of UK businesses reported cyber attacks in the last 12 months. Amongst these, the most common attack was phishing (83%), and 21% reported more sophisticated attacks such as denial of service, malware or ransomware.

Gaps in Your Cyber Risk Management Program

Despite cyber risk management being perceived as a high priority area within the business, there are several weak points within the cyber security processes of many organizations:

Cyber Risk Management Know-how

When it comes to dealing with cyber risks, there is a critical lack of technical know-how within smaller organizations and at a senior level within larger businesses.

The danger of this is that decision-making tends to become reactive, and investment in cyber security initiatives is viewed as a cost rather than as an improvement to a weak cyber program.

Cyber Resilience Budget

Securing a budget for cyber resilience initiatives against other competing organizational priorities is extremely complicated. This poses an interesting paradox: decision-makers say they recognize the significance of cyber risk management, and yet they fail to invest accordingly.

IT & Third-Party Risk Management (TPRM)

Outsourcing core business processes happens in every area of the organization and is becoming increasingly common. Outsourcing IT risk management initiatives to a third party is an avenue many organizations take.

In theory, this is completely fine, as the benefits of hiring a specialized third party are great. However, whenever a third party is brought into the organization, that relationship becomes an entry point for cyber risks. The study found that less than one in ten organizations actively monitor the risks within their supply chain.

Remember, an organization that uses vendors or suppliers can only be as resilient as its weakest third party.

Effective TPRM is all about understanding that working with any third party carries an inherent risk. Take a detailed look at effective TPRM strategy, common challenges and success factors in this recent TPRM article.
