Cyber-threats are a real and growing business risk that can cost a company millions of baht per year and significantly damage its reputation and brand.
Recognising this, many boards of directors are starting to ask executive teams just how vulnerable their company is to cyber-crime and cyber-espionage, and what the company is doing about it.
Unfortunately, if your company is like many, executives may have a hard time giving you ready answers to those questions. Until a company reaches a certain level of sophistication around cyber-threat risk, it simply may not have the language, metrics or technology for boards and executives to explore the issue in great depth. Fortunately, there’s a way out of the catch-22.
With likelihood, impact and vulnerability around cyber-threat risk potentially high – and with the US Securities and Exchange Commission, in effect, now urging companies to consider disclosing cyber-incidents – boards of directors have good reason to take their questions beyond “Could it happen to us?” to “How likely is it to happen to us, and what are we doing about it?”
More formally, the central issues for boards to consider are exposure and effectiveness: “What is our company’s level of exposure to cyber-threat risk? And how effective is it at keeping that exposure to within acceptable limits?”
The frequent challenge, however, is that couching the questions in these high-level terms may not always elicit useful answers. That’s because, unless a company is already quite sophisticated in its cyber-threat risk-management practices, it may not yet have the risk-management infrastructure and/or governance elements in place to support a meaningful conversion.
For instance, leaders may not have agreed on risk definitions, risk tolerances or metrics specific to cyber-threat risk. Or the company might lack the technology tools to effectively collect and report cyber-threat-related information.
Fortunately, boards don’t need to be completely in the dark even at companies that are still ramping up their cyber-threat risk-management capabilities.
If your organisation isn’t yet in a position to discuss exposure and effectiveness as such, we recommend, as a first step, asking your executive team the following four questions about specific information security practices that we believe are essential to effective cyber-threat risk management:
_ How do we track what digital information is leaving our organisation and where that information is going?
_ How do we know who’s really logging into our network, and from where?
_ How do we control what software is running on our devices?
_ How do we limit the information we voluntarily make available to a cyber-adversary?
These measures aren’t all there is to fighting cyber-threats, but they do represent core elements of an effective cyber-defence. This, in turn, makes your organisation’s practices in these areas a reasonable proxy for the effectiveness of its cyber-threat risk-management practices overall.
By applying a risk-management maturity perspective to how these issues are addressed, you can gain valuable insights into your organisation’s cyber-risk management strengths and weaknesses – as well as how it might be able to improve.
Parichart Jiravachara is Enterprise Risk Services partner at Deloitte Thailand.