When the topic of cyber risk comes up, many people think of technology-based solutions. More importantly, however, consideration should be given to the role employees play in protecting against cyber threats.
This employee-focused approach must start with executives. That’s because a lack of executive buy-in and board oversight could cause a company to miss the necessary focus and fail to make the required investment, says Ruby Sharma, a Principal at Ernst & Young LLP and with the EY Center for Board Matters, in a Zurich Insurance article that ran on Bloomberg Business. It’s the board’s responsibility to challenge management to ensure management is allocating resources to address cyber risks in a way that is commensurate with the risk levels. Given that technology transcends and impacts all departments and corporate structures, boards should address whether management’s cyber-security plan has a cross-functional team involving business leaders of all key departments, says Sharma.
That type of enterprise-wide strategy for cyber-risk management also helps protect against another risk: placing the burden of cyber-risk management solely on technical experts, which is “a pitfall,” says John Scott, Chief Risk Officer, Global Corporate, Zurich. It’s important to understand that this is about people and behaviors, not just technology, he says.
“It’s being driven by a number of trends including the Internet of Everything and BYOD [bring your own device], which create more entry points that are vulnerable to attack; and cloud computing, where server farms are often co-located or connected in a way that creates systemic risk,” Scott says in the article. “A successful cyberattack on a key cloud provider could take down many businesses in many locations. All of that together changes the nature of risk, and is as good a reason as you need to realize that the cyber-risk management discussion needs to start at the board level.”
One of the benefits from an enterprise approach to managing cyber risks is it spreads the net of inclusion to embrace new ideas that might otherwise not be in the picture, says Tim Stapleton, Global Underwriting Manager, Professional & Management Liability, Zurich, and that helps reinforce the priority throughout the company.
“You need a number of functions involved in the process, and when that happens, different talent starts to take notice, from the CEO all the way down to the frontline employee,” says Stapleton. “It’s a combination of large and small taking an active role in working on behalf of corporate information security, not just the IT portion. It takes a broader approach to help reinforce the priority throughout a company.”
The weakest link is often employees and a lack of awareness of cyber risk. Consequently, it is vital to create awareness that begins with basic data privacy and security: identifying data owners, classifying data with the appropriate security classification and then treating that data with the appropriate level of security, the Zurich article notes. Furthermore, all employees must be aware of the different approaches cyber attackers employ—such as phishing attacks that dupe employees into downloading malware—and know what to do to avoid systems being compromised.
Encouraging employees to help at an individual level can help people see firsthand the role they can play in managing cyber risks, says Zurich’s Jérôme Gossé, Head of Security & Privacy, Global Corporate in EMEA. They need to know they should never assume that things that don’t fall under their normal remit are someone else’s responsibility, because maybe everyone else thinks the same thing, he says. And in those cases, it often falls to someone who isn’t qualified to deal with all of the issues surrounding data privacy. On the other hand, if an employee follows up to see whose responsibility it is, and discovers no one is covering the issue, then they’ve identified a cyber risk and can alert the right people, he says.
What are your thoughts on cyber-risk management? Are all employees at your company engaged?