IoD Norfolk Ambassador Nicky Lawlor discusses the importance of cyber resilience for all businesses
Let’s start with a definition. This one is from Wikipedia: “Cyber resilience refers to an entity’s ability to continuously deliver the intended outcome despite adverse cyber events.”
Now let’s apply this to corporates and ask: What do we mean by “intended outcome”? Most would agree that the intended outcome for any organisation is ultimately the creation of value for shareholders, and the c-suite is tasked with leading the organisation to achieve this objective.
Familiar factors driving value creation include operational capability, profit, cash and reputation. Cyber, however, adds a whole new dimension, going beyond simple data protection and invading the very core of the organisation.
While digital transformation across all industries is conferring competitive advantage, exposure to attacks is growing. The cyber risk landscape is rapidly evolving and the potential economic consequence to any organisation should not be underestimated. A cyber incident can lead to high profile financial losses, damage to client and investor confidence and be compounded by widespread and far-reaching media coverage leading to reputational damage.
But your organisation isn’t going to be hit, right? Wrong! You don’t even have to be the intended target to be affected. Collateral damage is the most frequent and widespread effect of malware.
Unfortunately, cyber security can be expensive, and no security solution is ever 100% effective.
So, what to do? An effective cyber resilience strategy requires a focussed allocation of resources in line with identified business risks. Strategic business planning determines the way forward for an organisation and identifies the key business assets required to accomplish its goals. Once these critical assets (or crown jewels) are identified, there is a tricky job to be done to prioritise the allocation of resources to protect them. Making that decision about the right level of investment to achieve sufficient cyber resilience, much like other forms of business resilience, requires in the first case a good handle on what and where your crown jewels are.
Let’s take the example of a manufacturer. If their fully automated warehouse suffers a breach and is compromised, they may suffer delays and disruption to distribution. If goods are not delivered, invoices cannot be paid and the financial implications (on profit and cash) are obvious. Additionally, reputation will be damaged and may affect future business. By running through scenarios on different aspects of the business – e.g. production, R&D, clients, employees, or marketing – executives can build a picture of what needs to be protected and to what level.
The c-suite are the risk owners, but the mitigation process and associated resource allocation are often led by technical personnel. Boards need to communicate on a regular basis with technical staff on what the key objectives and assets are, so that resources are allocated wisely. Technical staff enable the overall business strategy, but they do not drive it. Cyber defence is a technical process, but cyber is a business risk.
Any cyber resilience strategy is business risk management and it is crucial that the c-suite is at the core of the conversation. Demonstrating a high level of cyber resilience can be a differentiator in a business world that is more and more connected.
The NCSC offers practical advice in the form of their Cyber Essentials and Cyber Essentials Plus frameworks. Furthermore, they have recently released a comprehensive Board Toolkit to encourage the conversation between the c-suite and technical experts.
So, who is leading on your cyber resilience strategy?