This was the topic ABM Risk Partnership discussed at the Business Resilience, Data protection, Privacy and Governance webinar with leading law firm Clyde & Co and technology firm RXP Group.
Our premise is that cyber risk needs to be treated like any other business risk and not kept confined to the IT department. Several major incidents have shown that a risk program focused on protecting traditional assets must also cover cyber risk. For example:
Toll Group – was forced by a ransomware attack in early 2020 to shut down its systems and revert to manual processes for around six weeks, and a few months later suffered a second ransomware attack that caused further disruption and data loss.
Maersk – which carries roughly a fifth of the world's seaborne container trade, was hit by the NotPetya malware in June 2017, and within an hour all of its business units had been affected. The attack has been attributed by several governments to the Russian state. Worryingly, Maersk and many other businesses were not the intended targets at all: NotPetya was spread through a compromised update of Ukrainian accounting software, and everyone else was collateral damage.
Saudi Aramco – one of the most valuable companies on earth, suffered an attack in 2012 (the Shamoon wiper) that started with a phishing email and ended with around 35,000 computers wiped and the company in disarray for months. It had focused on the risks to the industrial control systems that got oil out of the ground rather than on its corporate IT systems.
A further and arguably more worrying event was the 2017 attack on a petrochemical plant in Saudi Arabia, in which malware (later named Triton, or Trisis) targeted the plant's safety instrumented systems, the controllers whose job is to shut a process down before it becomes dangerous. This too was probably State-sponsored, and it was aimed at sabotaging operations and potentially triggering an explosion. Fortunately the attackers failed: an error in their code caused the safety system to trip and shut the plant down instead, which is what led to the attack being discovered.
The key message for firms is to BE PREPARED. Can you answer the following questions?
1. Can you defend your network from attack?
2. Can you respond when your network defences are breached?
3. Have you tested the manual / work-around processes you would rely on if you are breached?
4. Have you engaged key suppliers and clients, so that you know whether and how they will be part of the response?
5. Have you decided in advance how you will respond to a ransomware demand?
The best approach is to use proven risk methodologies and to think through possible scenarios before they occur. One approach we use for this is the 'bow-tie' method, a visual tool that helps stakeholders understand the threats, consequences and controls for the risk being evaluated: the unwanted event sits at the centre, the threats that could cause it and the preventive controls are laid out on the left, and the consequences and the controls that limit them are laid out on the right.
We also encourage organisations to critically review their risk management program to ensure it is fit for purpose, tailored to the organisation, easy to use and understand, and readily available to business users.
We usually see this articulated in a document called the Risk Management Framework; however, organisations often make it so dense and thick with information that it is practically unusable by the business.
Our view is that the Framework is just that: a set of documents and tools made available to the business units so that they can assess the threats and opportunities that continually present themselves to a business. Some of the key elements of an effective Framework include:
Risk management policy
Risk appetite statement
These elements are underpinned by sound risk governance and by competency and training in risk management.
If you would like a copy of the presentation from the webinar, please contact us. Also, ABM Risk Partnership offers a free 2-hour consultation to discuss your specific circumstances.