Risk Management: Cybersecurity must be at the heart of the global strategy
26/07/2018
8min
According to AMRAE (Association du Management des Risques et Assurances de l'Entreprise), cybersecurity-related risks moved from 7th place to the top 3 of risk managers' main concerns in 2017. This is not really surprising: in recent years, the production, use and storage of data have become strategic topics for companies.
With the digital transformation of companies, the subject of data security now affects all businesses, which further multiplies the risks associated with it. In addition, regulatory pressure is forcing organizations to structure data protection, as was the case in May 2018 with the implementation of the RGPD.
Also read: our article on RGPD and sensitive data.
Another growing phenomenon: cyberattacks, which are increasingly frequent and take new forms, use new vectors, to hack, destroy or kidnap data. With a phenomenal speed of propagation, as experienced in 2017. Remember " WannaCry ": on its own, this attack caused 200,000 victims in 2 days, including the British health system, Telefonica in Spain and Renault in France, to name only the largest.
Read: 3 cyberattacks your company could be exposed to.
Yet, even today, 74% of executives say they are vulnerable to cyber attacks*. It is therefore urgent to react, and to rethink Risk Management in its entirety, by integrating cybersecurity and putting it at the heart of the digital security strategy. At Blue Soft, we have fundamentals in Cybersecurity, which we share with you here.
Manage cybersecurity risks in a comprehensive manner
The first thing to consider, and we emphasize this point, is that cybersecurity is not a "separate" element of risk management, but a subject that must be integrated into all the risks that a company faces. And it is a subject that requires holistic management, encompassing technology, governance and training.
Cybersecurity requires constant vigilance shared by all. But how to do it?
Creating a Cyber Security Culture (CCS)
We are convinced that security is something that needs to be deeply integrated into the organization's culture. It's not just a matter of raising awareness, it's a matter of getting employees really involved in a common sense of responsibility. Of course, training is necessary, but it is only one step, crucial of course, but incomplete in itself.
In order to develop this safety culture, the risks specific to the company, its business and the roles and responsibilities of employees must be identified. The better we know them, the better we can limit their scope and prepare corrective measures. Weak links must be identified and repaired.
According to ENISA, the concept of Cyber Security Culture (CSC) refers to people's knowledge, beliefs, perceptions, attitudes, assumptions, norms, and values related to cybersecurity, and how all of these attributes are manifested in their behavior toward computer and digital technologies. CCS encompasses familiar disciplines such as cybersecurity awareness and information security benchmarks. But its scope and application is broader, including digital security considerations in the functions, habits and behaviors of personnel, encapsulating them in their daily activities.
There are several factors behind the emergence of CCS as a real need in organizations. For example, the way an organization behaves is highly dependent on the beliefs, values and actions shared by its staff, and this includes their attitude towards cybersecurity.
It is now recognized that cyber risk awareness campaigns alone are not enough to protect a company from increasingly sophisticated cyber attacks. There is also a strong belief that technical security measures do not exist in a "vacuum", and must be seamlessly integrated into business processes to avoid employees being torn between "fulfilling their mission" and "complying with the security policy".
The role of the Risk Management expert will be to support and inform Top Management's decisions on all these elements, while maintaining this global vision.
Cyber security requires iteration in your risk management
Another key point in enterprise risk management is iteration. It is true that before the digitalization of the company, things were relatively stable. Most of the time it was enough to lay the foundations, to write the rules and that was enough.
Obviously, this is no longer the case, and an IT security rule that is valid one day may be obsolete the next, or even require a complete overhaul of the information system management. In particular, it is necessary to permanently take into account the evolution of risk and its dynamics:
- Technological evolution: new sources of data, new types of threats
- The evolution of relations with customers and suppliers
- The multiplication of exchanges with subcontractors, data hosting, exchange platforms used, etc.
All these elements are in motion, the transmission of information takes forms and paths that are constantly changing. Is it difficult to keep track of all this? But it is absolutely essential!
On the same subject, you can also read our article on 5 risk management tips.
What methodology in practice?
If you are aware of the challenges of cybersecurity in your company, it is not always easy to implement it in practice. An external expertise is then precious, and constitutes a methodological contribution, knowledge and understanding of the risks, an external and objective eye to the whole process. Here is a summary of the main stages of a support.
Start with a risk assessment
It all starts with the construction of a baseline that will allow us to measure the risk and define the improvements to be made.
In this step, decision makers will be asked to decide whether to reduce, transfer, accept or eliminate the measured risks.
Establish a customized cybersecurity program
There is obviously no standard program, each company must define policies, practices, intervention plans, risk recording, etc. that are adapted to its situation, size, locations, exchanges, etc. ....
Establish effective protection
Tools must be in place to monitor the entire information system and detect intrusion attempts, according to a defined and adapted process.
Appoint a Chief Information Security Officer
There cannot be an unlimited number of referents, but a Chief Information Security Officer, who will ensure control, training, and respect of the process by all.
Train employees in cybersecurity
Of course, training remains essential: employees must be informed of the new protocols, and it will be necessary to define sensitive audiences who need additional modules, who will be reference relays and will be guarantors of the process, under the responsibility of the head of information security.
Businesses tend to believe that the rise of new digital technologies and information systems would only bring benefits. It turns out that criminal organizations share this view and see cyber as a wonderful opportunity to diversify their malicious actions. Thus, they have been attacking companies of all sizes, while gaining exponentially in skills, sophistication and professionalism. At the same time, they benefit from the inherent characteristics of the Internet, where the traceability and attribution of attacks remain extremely difficult.
Technology is essential, but it is not enough to prevent all threats from cyberspace... To be truly comprehensive and effective, a cybersecurity program must instill a genuine corporate culture of securityshared by everyone, at every level of the company, from managers to employees. Your organization's defense strategy, competitiveness and even survival depend on it.
Risk Management: Cybersecurity must be at the heart of the global strategy
26/07/2018
8min
According to AMRAE (Association du Management des Risques et Assurances de l'Entreprise), cybersecurity-related risks moved from 7th place to the top 3 of risk managers' main concerns in 2017. This is not really surprising: in recent years, the production, use and storage of data have become strategic topics for companies.
With the digital transformation of companies, the subject of data security now affects all businesses, which further multiplies the risks associated with it. In addition, regulatory pressure is forcing organizations to structure data protection, as was the case in May 2018 with the implementation of the RGPD.
Also read: our article on RGPD and sensitive data.
Another growing phenomenon: cyberattacks, which are increasingly frequent and take new forms, use new vectors, to hack, destroy or kidnap data. With a phenomenal speed of propagation, as experienced in 2017. Remember " WannaCry ": on its own, this attack caused 200,000 victims in 2 days, including the British health system, Telefonica in Spain and Renault in France, to name only the largest.
Read: 3 cyberattacks your company could be exposed to.
Yet, even today, 74% of executives say they are vulnerable to cyber attacks*. It is therefore urgent to react, and to rethink Risk Management in its entirety, by integrating cybersecurity and putting it at the heart of the digital security strategy. At Blue Soft, we have fundamentals in Cybersecurity, which we share with you here.
Manage cybersecurity risks in a comprehensive manner
The first thing to consider, and we emphasize this point, is that cybersecurity is not a "separate" element of risk management, but a subject that must be integrated into all the risks that a company faces. And it is a subject that requires holistic management, encompassing technology, governance and training.
Cybersecurity requires constant vigilance shared by all. But how to do it?
Creating a Cyber Security Culture (CCS)
We are convinced that security is something that needs to be deeply integrated into the organization's culture. It's not just a matter of raising awareness, it's a matter of getting employees really involved in a common sense of responsibility. Of course, training is necessary, but it is only one step, crucial of course, but incomplete in itself.
In order to develop this safety culture, the risks specific to the company, its business and the roles and responsibilities of employees must be identified. The better we know them, the better we can limit their scope and prepare corrective measures. Weak links must be identified and repaired.
According to ENISA, the concept of Cyber Security Culture (CSC) refers to people's knowledge, beliefs, perceptions, attitudes, assumptions, norms, and values related to cybersecurity, and how all of these attributes are manifested in their behavior toward computer and digital technologies. CCS encompasses familiar disciplines such as cybersecurity awareness and information security benchmarks. But its scope and application is broader, including digital security considerations in the functions, habits and behaviors of personnel, encapsulating them in their daily activities.
There are several factors behind the emergence of CCS as a real need in organizations. For example, the way an organization behaves is highly dependent on the beliefs, values and actions shared by its staff, and this includes their attitude towards cybersecurity.
It is now recognized that cyber risk awareness campaigns alone are not enough to protect a company from increasingly sophisticated cyber attacks. There is also a strong belief that technical security measures do not exist in a "vacuum", and must be seamlessly integrated into business processes to avoid employees being torn between "fulfilling their mission" and "complying with the security policy".
The role of the Risk Management expert will be to support and inform Top Management's decisions on all these elements, while maintaining this global vision.
Cyber security requires iteration in your risk management
Another key point in enterprise risk management is iteration. It is true that before the digitalization of the company, things were relatively stable. Most of the time it was enough to lay the foundations, to write the rules and that was enough.
Obviously, this is no longer the case, and an IT security rule that is valid one day may be obsolete the next, or even require a complete overhaul of the information system management. In particular, it is necessary to permanently take into account the evolution of risk and its dynamics:
- Technological evolution: new sources of data, new types of threats
- The evolution of relations with customers and suppliers
- The multiplication of exchanges with subcontractors, data hosting, exchange platforms used, etc.
All these elements are in motion, the transmission of information takes forms and paths that are constantly changing. Is it difficult to keep track of all this? But it is absolutely essential!
On the same subject, you can also read our article on 5 risk management tips.
What methodology in practice?
If you are aware of the challenges of cybersecurity in your company, it is not always easy to implement it in practice. An external expertise is then precious, and constitutes a methodological contribution, knowledge and understanding of the risks, an external and objective eye to the whole process. Here is a summary of the main stages of a support.
Start with a risk assessment
It all starts with the construction of a baseline that will allow us to measure the risk and define the improvements to be made.
In this step, decision makers will be asked to decide whether to reduce, transfer, accept or eliminate the measured risks.
Establish a customized cybersecurity program
There is obviously no standard program, each company must define policies, practices, intervention plans, risk recording, etc. that are adapted to its situation, size, locations, exchanges, etc. ....
Establish effective protection
Tools must be in place to monitor the entire information system and detect intrusion attempts, according to a defined and adapted process.
Appoint a Chief Information Security Officer
There cannot be an unlimited number of referents, but a Chief Information Security Officer, who will ensure control, training, and respect of the process by all.
Train employees in cybersecurity
Of course, training remains essential: employees must be informed of the new protocols, and it will be necessary to define sensitive audiences who need additional modules, who will be reference relays and will be guarantors of the process, under the responsibility of the head of information security.
Businesses tend to believe that the rise of new digital technologies and information systems would only bring benefits. It turns out that criminal organizations share this view and see cyber as a wonderful opportunity to diversify their malicious actions. Thus, they have been attacking companies of all sizes, while gaining exponentially in skills, sophistication and professionalism. At the same time, they benefit from the inherent characteristics of the Internet, where the traceability and attribution of attacks remain extremely difficult.
Technology is essential, but it is not enough to prevent all threats from cyberspace... To be truly comprehensive and effective, a cybersecurity program must instill a genuine corporate culture of securityshared by everyone, at every level of the company, from managers to employees. Your organization's defense strategy, competitiveness and even survival depend on it.