Edition: International | Greek

Home » Business

4 ways to incorporate cyber resilience in your business

Effective cybersecurity has become a shared responsibility that demands teamwork and an unwavering commitment to internal and external collaboration

By: EBR - Posted: Wednesday, July 27, 2022

"Cybersecurity is a major concern for all organizations and collaboration is key to effectively tackle this threat".
"Cybersecurity is a major concern for all organizations and collaboration is key to effectively tackle this threat".

by Joe Nocera*

One goal, one team.

Effective cybersecurity has become a shared responsibility that demands teamwork and an unwavering commitment to internal and external collaboration.

Today, threat actors are targeting organizations and entire industries with increasingly effective cyberattacks. Cybersecurity failure has become a leading threat, according to the World Economic Forum’s Global Risk Report 2022. Businesses agree: 70% of board directors view cybersecurity as a strategic enterprise risk, according to a survey conducted by the National Association of Corporate Directors (NACD).

The ascendant trajectory of cybercrime shows no sign of decline. In fact, 60% of executives forecast that cybercrime will continue to surge in 2022. In particular, respondents expect more attacks on cloud services, ransomware intrusions, and compromises of critical infrastructure. Threat actors are also exploiting dangerous new software vulnerabilities such as the Log4j flaw, which can enable them to remotely execute code on systems and networks. There is also growing unease that geopolitical conflict will likely result in further cyberattacks on critical infrastructure.

In a report published by the World Economic Forum, PwC, the NACD, and the Internet Security Alliance (ISA), we identified six principles that can support board directors in governing cyber-risks:

-Cybersecurity is a strategic business enabler
-Understand the economic drivers and impact of cyber-risk
-Align cyber-risk management with business needs
-Ensure organizational design supports cybersecurity
-Incorporate cybersecurity expertise into board governance
-Encourage systemic resilience and collaboration

In this article, we dive into the sixth principle: encourage systemic resilience and collaboration. Systemic risks require systemic resilience. This requires a decisive dedication to collective effort — and a great deal of individual resilience.

The good news? There are “power moves” you can incorporate to start building resilience in your organization.

Become a cybersecurity team player

Effective cybersecurity comes from the top. The CEO, board, and other senior leaders should champion a cybersecurity culture that fosters collaboration across the company, the industry and with public and private stakeholders.

Creating a culture of security will require everyone’s involvement — the board, C-suite, chief information security officers (CISOs), line of business leaders, and individual employees. You will also need to partner with supply chains, contractors, and other third parties.

Given the complexity and stealth of today’s cyber threats, it is likely that boards will need a bit of cybersecurity tutoring. CISOs may need to step in to help senior executives understand threats, potential business impacts and the specific role each executive can play in keeping the company secure.

Awareness doesn’t stop at the C-suite, however. Cybersecurity education should cascade down to every employee and include training, upskilling, and career advancement opportunities.

Educating the board has become urgent thanks to new regulations requiring cyber disclosures. In the US, for example, the Securities and Exchange Commission (SEC) has proposed rules for disclosing material cyber incidents and practices in cyber governance, strategy, and risk management.

The rules may require public companies to disclose details of the board of directors’ oversight of cybersecurity risk and cybersecurity expertise – if any. Disclosures include the processes by which the board is informed about cybersecurity risks and the frequency of its discussions on this topic. A new law requires entities in critical infrastructures to report significant cyber breaches to the Cybersecurity and Infrastructure Security Agency (CISA).

How to make the move

-Allocate more time to security discussions in board or subcommittee meetings
-Provide training for board members to become more cyber-savvy
-Use business language to frame discussions of cyberthreats
-Create plans for effective collaboration
-Confirm performance measures for cybersecurity are aligned for all business executives and not just the CISO

Conduct tabletop exercises and update Business Impact Analysis (BIA)

Security training for employees is essential. But resilience calls for more.

Tabletop exercises, which use simulated attacks to illustrate threat response and decision-making processes, can be an effective way for board members to practice the decision-making required in a cyber crisis. Tabletop exercises can prepare business leaders to confidently — and quickly — take appropriate action when real threats are detected. They can illuminate gaps or weaknesses in current response plans.

Similarly, a business impact analysis (BIA) can help organizations develop more targeted and effective strategies for incident response and business continuity. BIAs prioritize business systems, processes, and interdependencies to focus defence, response, and recovery strategies on the issues that matter most to the business.

How to make the move

-Revisit and update the company’s BIA annually or whenever a major business change occurs
-Leverage the BIA to inform Cyber Resiliency Planning
-Conduct tabletop exercises throughout the year at different levels of the organization (technical, business, C-suite and boards) using different threat scenarios
-Consider including critical third parties like outside counsel and law enforcement in some tabletops

Build relationships with info-sharing groups, law enforcement, and government agencies

If cybercriminals share information on attack techniques and tools — and they do — then why shouldn’t you? Sharing intelligence about cyber threats and responses may be critical to staying ahead of cybercriminals. Companies cannot, single handedly, defend themselves against attacks by powerful hackers.

Critical infrastructure providers, for example, require proactive cooperation and collaboration among governments, cybersecurity groups, industry peers, and organizations to combat geopolitical and nation-state threats.

The practice of cyber-related information-sharing is growing around the world. Today, 84% of global organizations say they participate in public-private information-sharing. Organizations fostering such a culture include the World Economic Forum Centre for Cybersecurity, Interpol, the US CISA, the UK National Cyber Security Centre, and the Open Data Center, where there is global collaboration of over 1,500 governments and organizations.

You should build robust relationships with local, national and global government and law enforcement agencies to promote intelligence sharing. In addition, companies can build ties with nonprofit cybersecurity organizations such as Information Sharing and Analysis Centers (ISACs), some of which offer 24/7 threat warnings, incident reporting capabilities, and networking opportunities.

Sharing requires trust. Organizations are often reluctant to disclose incidents and responses to industry peers and government entities. To create a collective consciousness of cybersecurity, attitudes must change. While private-public collaboration is commonplace — 45% of organizations do so — there is often a reluctance to divulge breached information. That mindset must change.

How to make the move

-Use all available resources, including government agencies, to identify potential threats
-Participate in collaborative groups such as the European Union Agency for Network and Information Security (ENISA), Information Systems Security Association (ISSA International), the Cloud Security Alliance, the Internet Security Alliance, and WiCyS Women in Cybersecurity
-Join information-sharing groups such as the Information Security Forum, the Anti-Phishing Working Group, and ISACs
-Critical infrastructure providers can join organizations such as the European Programme for Critical Infrastructure protection, the Task Force on Critical Infrastructure Protection, and the DHS Cyber Information Sharing and Collaboration Program (CISCP)
-Proactively build relationships with law enforcement and government agencies prior to a breach occurring

Collaborate on collective cybersecurity

In today’s hyper-connected digital world, cybersecurity is no longer the responsibility of a singular organization or single executive.

Cybersecurity is the ultimate team sport and it is crucial for businesses, industries, and governments to unite to defend against global threat actors.

*Cyber and Privacy Innovation Institute Leader, PwC US
**first published in: www.weforum.org


EU Actually

Is Putin flexing his (energy) muscles?

N. Peter KramerBy: N. Peter Kramer

The fact that Russia is banning the export of diesel and gasoline is causing rising prices for European car drivers further on the already tight global fuel market

View 04/2021 2021 Digital edition


Current Issue

04/2021 2021

View past issues
Digital edition


Keep channels open with Russia, say five EU states

Keep channels open with Russia, say five EU states

Foreign ministers of five central European states met in Vienna and urged that lines of communication with Russia be kept open through the OSCE to facilitate a path to peace in Ukraine


Greece’s investment grade: The ongoing journey of a remarkable recovery

Greece’s investment grade: The ongoing journey of a remarkable recovery

It was back in 2010 when Greece managed to succeed in becoming the first euro-zone member to be downgraded to junk by credit rating agencies after decades of lack of fiscal discipline


Powered by Investing.com
All contents © Copyright EMG Strategic Consulting Ltd. 1997-2023. All Rights Reserved   |   Home Page  |   Disclaimer  |   Website by Theratron