While cybersecurity is already a major concern for businesses of all shapes and sizes, it can become even more problematic if it’s solved for in isolation, and not considered within the context of enterprise risk management.
The Problem With Cybersecurity
Cyber incidents are undoubtedly a big risk for companies today. If you read any “Top Risks for Businesses” report, cyber incidents will more than likely make an appearance. For instance, according to the Allianz Risk Barometer Report for 2018, 40 percent of survey respondents cited cyber incidents as their top risk—making it the second most concerning risk on the list, right behind business continuity. And this is just one well-known industry report. You can find similar results in the report, Executive perspectives on top risks 2018, co-published by Protiviti and North Carolina State University’s ERM Initiative, and the World Economic Forum’s 2018 annual Global Risks Perception Survey.
Cybersecurity is continually highlighted because cyber attacks and data breaches are increasing, right along with the costs associated with such events. In fact, cyber incidents targeting businesses nearly doubled from 82,000 in 2016 to 159,700 in 2017, according to the Cyber Incident and Breach Trends Report, released in January by Online Trust Alliance. The estimated costs associated with cyber incidents vary widely, but a 2017 Lloyd’s of London report, co-authored with risk-modeling firm Cyence, estimates a major global cyber attack could trigger $53 billion in economic losses.
As it currently stands, the Equifax Inc. breach, which compromised 147 million customers’ personal data in 2017, could be the most expensive breach in history. The credit reporting bureau posted $164 million in pre-tax costs during the second half of 2017, and costs related to the breach are supposed to increase by another $275 million this year—putting total costs at $439 million, according to an Equifax earnings call in March.
Cybersecurity is A Problem, Not THE Problem
Based on the increasing frequency and heightened costs of cyber incidents, they certainly seem to be a massive problem. And they are. They just aren’t the only problem. Just like all the emerging risks that came before cyber, and all the emerging risks that will come after cyber, cyber incidents are not isolated. Therefore, if you attempt to solve cyber risks in a vacuum, you will actually expose your organization to a whole host of other risks. This is why enterprise risk management as a part of your integrated risk management approach is so important.
Integrated risk management requires an organization to look across its many departments and its many business challenges, and understand how they all connect. It’s not just a matter of finding all the risks across an organization and then solving for them independently. Instead, it’s really digging in to see how particular risks and particular solutions could affect the next risk, the next department down the hall, or the next business process.
Even on its own, cybersecurity is a complex problem—driven by multiple other challenges like increasing numbers of adversaries wanting to penetrate any organization’s network; application overload within organizations; and rampant IT personnel shortages. Because of this complexity, the National Institute of Standards and Technology developed a cybersecurity framework organizations can voluntarily adopt, which consists of standards, guidelines, and best practices to manage cybersecurity-related risk. It’s intended to protect businesses and make them more resilient in the wake of a cyber incident.
However, if weaving cybersecurity into your ERM or integrated risk management program sounds like a head-spinning exercise, or if adopting the NIST cybersecurity framework sounds equally daunting, it doesn’t have to be that way. Investing in the right risk management technology can help.
Integrated Risk Management is the Answer
First and foremost, the right risk management technology will serve as an integrated risk management solution that spans across a variety of departments and business challenges—aiming to be a single source of truth across the enterprise. Cloud-based integrated risk management technology, in particular, can surface your relevant risk information—from wherever it’s hiding in your organization—analyze it, connect it with other internal and external data, and normalize it securely in the cloud. All this will allow you to easily answer critical business questions and focus your attention where it’s most needed—ultimately helping your organization to execute on ERM. But beyond helping you meet more lofty ERM goals, such technology can also help with the more focused effort to reduce the number of digital applications your organization uses, which can actually improve security. In fact, integrated risk management technology can oftentimes replace the following solutions (and more) that are singular offerings from some vendors:
- Business Intelligence Analytics
- Enterprise Risk Management Systems
- Internal and Operational Audit Systems
- Health and Safety Management Systems
- Vendor Risk Management Systems
- Business Continuity Systems
Less time spent managing multiple applications can create tremendous efficiencies for the IT department, and allow more time to be devoted to cybersecurity. Plus, fewer applications likely means less risk of one or a multitude of those applications causing a breach or falling out of compliance. And, speaking of compliance, the right risk management technology can also replace Compliance and Regulatory Management Systems—helping you to conform with all the requirements you are mandated to meet or have voluntarily instituted, even those related to cybersecurity. The technology allows for consistent oversight, automatic updating and extensive reporting so you can identify and monitor the full range of these requirements.
Despite integrated risk management technology’s ability to ease compliance woes, whether for cybersecurity or anything else, it’s important to remember that this is only the tip of the iceberg in terms of what the technology can do. It’s just a small piece of the puzzle … just like cyber risks are a small piece of the risk management puzzle. As organizations aim to get out ahead of cyber risks and incidents, it’s important they don’t fall behind in assessing and addressing other emerging risks. With the right mindset, and the right technology in place, it’s easier to take the holistic approach to risk and effectively address multiple risks at one time for better security.