- 93 percent of large organizations were the target of cyber attacks,
- 87 percent of small businesses experienced a security breach,
- 81 percent of respondents reported that senior management had not been able to put in place effective security and
- 84 percent of large businesses reported staff-related cyber breaches (the highest figure ever recorded).
With increasing cybercrime and the growing demands on organizations to comply with new legislative and regulatory requirements, managing enterprise risk and the processes around critical policies and procedures is essential to mitigate liability and ensure best practices. While the benefits of using Internet applications and technologies are numerous and almost immeasurable, businesses should have a strategy in place to address their exposure to the potential risks posed by cybersecurity threats.
Cybersecurity covers a range of risks, such as loss, theft and/or manipulation of sensitive or private data and the introduction of viruses and computer fraud. Some may be malicious, but some may be caused by human error.
There are two critical stages in reducing an enterprise's exposure to cybersecurity risk:
Step One: Identify an independent, trusted cybersecurity specialist to perform an audit. Once the report has been received and digested, a strategy needs to be put in place to ensure all the risks identified are professionally managed to protect the business from reputational damage.
Step Two: Implement a risk management solution to ensure that risks are identified and that:
- they are centrally recorded,
- their impact and likelihood are calculated,
- controls are put in place and
- an audit trail is available to report on any controls that remain outstanding.
The resultant controls from a risk management process typically fall into two categories: the implementation of a software solution (such as a firewall) to address specific threats and the creation of policies and procedures for internal purposes.
While the creation of well-drafted policies and procedures is a cornerstone of a strong cybersecurity program, if those policies and procedures are not professionally managed and communicated to all employees, they are almost worthless. Posting critical policies on an intranet in the hope that they are read by employees is no longer sufficient to ensure employees are aware of the threats posed by cybercrime. Businesses need to be able to demonstrate that all employees have received, read and understood the policies and confirmed their agreement to abide by them.
Risk and policy management software provides a best-practice framework to complement and support a cybersecurity program. Together, they help both to reduce the potential for financial loss and the resultant reputational damage and to demonstrate best practices to senior management, the Board, auditors and, if applicable, the regulators.