Advancing Cyber Risk Management: From Security to Resilience
Since 2017, risk experts have consistently ranked large-scale cyber-attacks and data fraud among the top five most likely risks around the world. Despite growing anxiety about cyber threats, cyber resilience strategies and investments continue to lag.
Globally, the time taken to discover a data breach has fallen considerably since 2017, but organizations in the Asia-Pacific region still took four months longer than the global median. Internet users are growing 10 times faster than the global population, exponentially increasing the attack surface. In 2018, the total cost of cyber-crime grew by a third, to $600 billion, compared with 2016, but investment in cybersecurity managed only a 10-percent increase over the same period.
These trends point to a growing imperative and urgency for cyber resilience in the digital age today.
Rapidly evolving threats and infiltration techniques have rendered traditional cyber defence strategies insufficient and ineffective, and the speed of change amplified by digital transformation cannot be addressed by conventional means. Globally, laws are changing to keep pace as cybercrime evolves, revealing additional layers of fiduciary responsibility that organizations must assume.
As a result, today’s business models should treat a resilient workplace culture as a fundamental strategy, while building cyber resilience from an end-to-end risk management perspective.
This report highlights three strategic imperatives to strengthen cyber resilience:
- Understand (know your threats) – Identifying organization- and industry-specific cyber threats and regulations calls for robust strategies that include cross-disciplinary considerations.
- Measure (know yourself) – Quantify the potential financial impact of cyber exposures to compare against the level of risk appetite acceptable to the board. This will determine the amount of investment necessary to mitigate and transfer any residual risk.
- Manage (know what you can do) – Control and mitigate cyber risks by having clear action plans based on your capabilities and capacities to protect against cyber criminals.
It is inefficient and impractical to expect organizations to be ahead of every attack, but they should at least keep pace with the fast evolution of cyber threats while ensuring compliance with changing laws and regulations.
"Cyber attacks may be inevitable, but system compromises and impactful data breaches do not have to be."
An end-to-end risk management mindset is the essential element that sets resilient organizations apart from the rest in mitigating cyber risks, minimizing damage, and recovering swiftly from any breach incidents.