The Strategic Path to Cyber Resiliency
Almost four-fifths of leading retail, wholesale, food, and beverage (RWFB) companies responding to Marsh and Microsoft’s 2019 Global Cyber Perception Survey view cyber threats among their top five risks. That’s good, because these organizations are especially vulnerable to cyber risks thanks to the customer data they retain and growing technology dependence.
Yet many are still applying a tactical approach to manage a peril that could severely damage their brands. As cyber threats proliferate, organizations must shift to a strategic approach, tackling cyber risk with the same rigor and discipline applied to other strategic risks. They need to limit the impact of incidents on operations during and immediately after an attack, accelerating their return to normal business by following these five steps.
Achieve Buy-In Across the Organization
Businesses must gather all stakeholders — including risk, finance, legal, IT/information security, and C-suite executives — around one table to create alignment around their critical cyber risks, discuss their potential impact, and make key decisions to proactively address them. And there should be continuous communication about these risks with boards of directors.
Focus on Planning
Once there is cross-organizational collaboration, you need to plan your cyber risk management strategy. Scenario-based quantification exercises should be part of this strategy to identify your greatest potential losses and help prioritize cyber risk mitigation investments. But only 11% of industry respondents said their organization uses a quantitative approach to measure cyber risk. And while it’s positive that almost half of industry respondents to our survey expect to be spending more in planning and preparatory measures over the next three years, this investment needs to be part of a planned strategic approach.
Invest in People
Determine whether you need to hire cybersecurity talent to help bolster cyber resilience efforts (technology as well as preparation and response), something that 38% of industry respondents said they plan to do in the next three years. Additionally, consider providing cyber training across all levels of the organization — including to senior leaders — to help your people identify threats and know how to react.
Set Your Risk Transfer Strategy
Many organizations purchase insurance without understanding what coverage they need. Instead, businesses should strive to understand the economic impact of cyber risk and then decide on a risk retention and transfer strategy. Risk transfer and risk mitigation are complementary — the former addressing severity and the latter, frequency — both playing an important role in effectively managing cyber risk.
Rehearse Your Response
Knowing what to do and who does what during a cyber incident is paramount. Rehearsals can help stakeholders understand their roles and identify areas for improvement. Companies should also know which vendors can help with investigations, response, and recovery.
To drive cyber risk management across their organizations, RWFB companies must build strong cybersecurity cultures that include senior ownership, the right resources, and a breadth of actions geared to build true cyber resilience. Although a strategic approach might require greater upfront investments, it can reduce downtime and financial impacts, allow for quicker recovery, and ultimately help protect your brand.