Cyber Risk Management – From Security to Resilience

Rapidly evolving threats and intrusion techniques have made traditional cyber defense strategies insufficient. The new threat vectors, and the speed of change amplified by digital transformation, cannot be addressed by traditional means. Laws are also changing worldwide to keep pace with cybercrime, which knows no boundaries. Organizations must therefore be nimble enough to keep pace with policy changes, especially when expanding across jurisdictions.

This report highlights three strategic imperatives to strengthen cyber resilience:

  • Understand (know your threats): Identify organization- and industry-specific cyber threats and the regulations that apply to them; this calls for robust strategies that include cross-disciplinary considerations.
  • Measure (know yourself): Quantify the potential financial impact of cyber exposures to compare against the level of risk appetite acceptable to the board. This will determine the amount of investment necessary to mitigate and transfer any residual risk.
  • Manage (know what you can do): Proactively manage cyber risks by having clear action plans based on your capabilities and capacities to protect against cyber criminals.

It is inefficient and impractical to expect organizations to be ahead of every threat, but organizations should at least be on par with the evolution of cyber threats while ensuring compliance with changing laws and regulations. While cyber attacks are inevitable, proper preparation is the essential element that sets resilient organizations apart from the rest in managing risk, minimizing damage, and recovering quickly from any incidents.

Cyber Risk: A Top Concern

Technology continues to play a profound role in shaping the global risk landscape for individuals, businesses, and governments. Risk experts around the world continue to rank massive data fraud and theft and cyber attacks as their greatest and most likely risks over the next decade, a pattern that is consistent with previous years. Most risk experts also expect cyber attacks to have a much greater impact through business disruption and the targeted theft of money, data and intellectual property. Our increased dependence on pervasive, integrated digital technologies also increases anxiety around cyber security.

Rapid Innovation

The pace of business innovation has been driven by technology and connectivity megatrends such as mobile, the Internet of Things (IoT), big data and cloud solutions. Mobile device usage overtook desktop usage in the last quarter of 2016, and mobile traffic accounted for 52 percent of total internet traffic in 2018. The business benefits include greater convenience and productivity, but using the same mobile devices for work and personal purposes blurs the line between sensitive corporate data and confidential personal data, and exposes both to weaker application security, mobile malware and other vulnerabilities.

Pervasive, Sophisticated Technologies

A recent study by FireEye Mandiant found that attackers have followed organizations into the cloud, targeting software-as-a-service and cloud computing providers alongside their customers. Mandiant researchers observed a growing volume of attacks against organizations holding vast amounts of personal and confidential data, such as cloud providers, telecommunications companies, and retail and hospitality businesses. Mandiant experts performed more than 730 investigations globally in 2018, more than in any previous year and an increase of over 30 percent on 2017.

Devious, Organized Threat Actors

The modern cyber risk landscape is rapidly evolving and populated by threat actors with a myriad of motivations and attack sophistication levels. The methodologies can vary from highly-targeted and deliberate, to mass-scale with self-distributing malware. Different threat actors also have different motivations and ambitions that can be uniquely destructive.

Motivations and methodologies of threat actors can also overlap. In many cases different groups use similar tools and techniques, since those may be the only tools available. In some cases, state-sponsored actors may even work with hacktivists to carry out an attack. Some threat groups show increased determination by maintaining persistence in victims’ networks. Some APT attackers plan their modus operandi and patiently pursue their goals over months or years before they act. They adapt rapidly to a victim organization’s attempts to remove them from the network and frequently target the same victim again if access is lost.

Once an organization has been successfully attacked, the probability of re-compromise rises. According to FireEye, globally two in three (64 percent) compromised organizations were successfully attacked again within a year. The figure is higher in APAC, where almost eight in 10 (78 percent) compromised organizations are likely to face at least one additional significant attack over the following year.

Organizations that have been attacked should strengthen their cyber security defenses and close any identified gaps to mitigate risks; unfortunately, this doesn’t always happen.

Data Sharing Economies

Data sharing is inevitable as we accelerate into the digital economy. Our growing interconnectedness is combined with a massive increase in velocity, volume, and variety of data shared across boundaries and jurisdictions. The accelerated digitalization of countries and industries amplifies the systemic effects from cyber attacks and increases the severity of successful cyber attacks.

With the advent of digital and transformative technologies that change the nature of business, policymakers struggle to keep cyber laws and regulations current. The anonymity of the Internet further reduces the risk of repercussions for cyber criminals.

According to FireEye CEO Kevin Mandia, “We are on a slippery slope in terms of frequency and seriousness of cyber attacks” and it is likely to get worse unless serious consequences can be put in place for criminal behavior.

Although cyber regulations have lagged behind evolving cyber threats, recent years have seen a substantial increase in new cyber laws and other regulatory schemes, and this is expected to continue. Most regulatory schemes aim to protect data and privacy and impose notification obligations on breached organizations. Those disclosures and notifications are a critical first step: they reveal the volume, frequency and complexity of breaches, and only with that picture can data protection and privacy be further improved.

Complications That Impact Cyber Resilience

In an increasingly complex business and cyber landscape, organizations encounter greater challenges when trying to balance their business resilience and cyber security priorities.

Between 2016 and 2018, the number of internet users grew 10 times faster than the global population, and the attack surface has expanded accordingly. The exposure is estimated to reach up to six billion internet users by 2022, approximately three-quarters of the projected world population. Increased connectivity coupled with the expanded adoption of mobile devices makes building cyber security defenses much more challenging, since every employee and every web-connected device now represents a potential entry point.

Underlying Trends Impose Additional Layers of Fiduciary Responsibilities

Rapid digitalization amplifies the systemic effect of cyber threats, which leads to more cyber regulations and policies. In addition to safeguarding the interests of individuals and businesses, governments and policymakers also aim to provide a conducive and well-regulated environment in which transformative technologies can develop and spearhead their respective digital economies.

Unsurprisingly, organizations’ business models are affected by new cyber laws and regulations. As these laws are introduced, revised and enacted, companies can find themselves in a continually reactive state when attempting to comply with changing policies. Organizations with operations across national boundaries face additional compliance costs as they navigate diverse regulations in different jurisdictions. While GDPR has led to the convergence of cyber security and data protection laws in the EU, cyber regulations in other parts of the world remain largely localized and diverse.

Re-Thinking a Cyber Resilient Culture

To reduce our growing vulnerability to human-enabled cyber threats, workplace culture needs to change. The outlook, attitudes, values, moral goals and legacy systems shared within an organization have a direct impact on how cyber threats are perceived and managed. While cyber security involves many different technical and information solutions, the necessary defenses and resilience cannot be fully achieved without the right mindset.

To establish a cyber resilient culture, everyone in the organization, from executive leadership and management to data analysts and salespeople, has an equal and important role to play in defense.

Through social engineering, threat actors increasingly exploit individuals as the weakest link of the cyber security chain. Therefore, cyber security and resilience must begin with the individual. Although Finance or HR departments may be primary targets for potential access to sensitive information, other executives and employees may also be targeted to gain network access.

How To Line Up Your Defense

Given the reality of the cyber threat landscape, you need to determine the tools you need to mitigate and respond to inevitable cyber attacks. Unfortunately, while both the aggressiveness and sophistication of cyber attacks have accelerated, defensive capabilities have been relatively slow to evolve and respond.

Darren Thayre, Partner in the Digital, Technology and Analytics Practice for Asia Pacific at Oliver Wyman, mentioned that typical cyber security discussions are often absent when organizations initially strategize on cloud implementation, a process normally driven by developers or infrastructure demands.

Many victim organizations and those working diligently on defensive improvements still lack the fundamental security controls and capabilities to either prevent breaches or to minimize the damages and consequences of an inevitable compromise.

Based on trend observations, Kelly Butler, Head of Cyber Practice, Pacific, Marsh, stated that while security remains important in the 2019 cyber landscape, it is becoming more about resilience.

Organizations must maintain a posture of continuous cyber resilience to prepare for and adapt to the changing threat landscape and to recover from disruptive attacks. Otherwise, they risk significant gaps in both basic security controls and, more critically, in visibility and detection of targeted attacks. The saying goes, “what gets measured, gets managed,” but you can only measure what you understand.

Understand Cyber Risks from a Business Perspective

Cyber risk is now at the forefront of most corporate risk agendas. Organizations are increasingly looking to understand and assess the nature and extent of their potential cyber-related losses—a necessary first step to mitigate those losses.

A cyber defense strategy delivers substantial benefits for both the senior management and the organization, especially when the strategy and associated action plans are mandated from the top and prioritized with the necessary investments and budgets. A proactive cyber defense strategy demonstrates to regulators that the organization takes cyber risk management seriously and has clear priorities in place.

A cyber security strategy is how you direct and focus the creation of an actionable roadmap and build a comprehensive cyber security program. This process allows you to clearly link gaps identified in the program assessment to your organization’s cyber security investments. However, developing a fit-for-purpose strategy and obtaining buy-in for the cyber security program from senior management can be difficult.

After you understand cyber risks from a business perspective, you need to identify how much cyber risk is acceptable (to be absorbed) across your entire organization. This baseline helps make decisions related to cyber risk and implement controls.

For example, you can use a structured methodology to determine your organization’s cyber risk appetite. Ideally, you should break down and prioritize your cyber risk appetite, and the metrics you need to inform and measure the risk appetite. Later, you can develop recommendations regarding governance and operating model requirements, which in turn will determine and influence corporate decisions with respect to cyber security investments.

After you assess the amount of acceptable cyber risk, work to quantify your potential cyber risk exposure. Measure its financial impact to inform the business case for cyber security investments as well as cyber insurance that can mitigate or transfer risk.

Quantification determines the nature and extent of risk impacts for different threats and scenarios. However, boards and senior executives often struggle to gain a clear, comprehensive and current understanding of their organization’s cyber risk profile.
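The report describes the measurement step only at the level of principle. As an added illustration, not the MMC-FireEye methodology, the Python below simulates annual losses from a few constructed threat scenarios with a simple frequency/severity model (Poisson event counts, log-normal loss per event) and compares expected and tail annual loss against assumed board appetite thresholds; the gap above the tail threshold is what mitigation or insurance would need to cover. Every scenario rate, loss distribution and appetite figure is an assumption made up for the example.

```python
"""Illustrative cyber risk quantification: simulate annual loss from a few
threat scenarios and compare the result with a board-level risk appetite.

Added example, not the report's methodology. Scenario frequencies, loss
ranges and appetite figures are constructed for illustration only.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_rate: float   # expected events per year (Poisson mean), assumed
    loss_median: float   # median loss per event in currency units, assumed
    loss_sigma: float    # log-normal spread of per-event loss, assumed


# Constructed scenarios; every number here is an assumption.
SCENARIOS = [
    Scenario("ransomware outage", annual_rate=0.4, loss_median=2_000_000, loss_sigma=0.9),
    Scenario("customer data breach", annual_rate=0.25, loss_median=5_000_000, loss_sigma=1.1),
    Scenario("business email compromise", annual_rate=1.5, loss_median=150_000, loss_sigma=0.7),
]


def simulate_annual_losses(scenarios, years=20_000, seed=1):
    """Return one simulated total loss per year across all scenarios.

    The event count per scenario is Poisson(annual_rate); each event's loss
    is log-normal with the given median and sigma. The Poisson draw uses
    Knuth's method so only the standard library is needed.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            # Knuth Poisson sampler: count uniform draws until their product
            # falls below exp(-rate).
            limit, k, p = math.exp(-s.annual_rate), 0, 1.0
            while True:
                p *= rng.random()
                if p <= limit:
                    break
                k += 1
            for _ in range(k):
                total += rng.lognormvariate(math.log(s.loss_median), s.loss_sigma)
        losses.append(total)
    return losses


def percentile(values, pct):
    """Nearest-rank percentile of a list (pct in 0..100)."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(pct / 100 * (len(ordered) - 1))))
    return ordered[idx]


def compare_with_appetite(losses, expected_appetite, tail_appetite, tail_pct=95):
    """Summarise exposure against two appetite statements a board might set:
    a cap on expected annual loss and a cap on the 1-in-20-year (95th pct)
    loss. Any excess over the tail cap is what mitigation or transfer must
    cover.
    """
    expected = sum(losses) / len(losses)
    tail = percentile(losses, tail_pct)
    return {
        "expected_annual_loss": expected,
        "tail_annual_loss": tail,
        "within_expected_appetite": expected <= expected_appetite,
        "within_tail_appetite": tail <= tail_appetite,
        "excess_over_tail_appetite": max(0.0, tail - tail_appetite),
    }


if __name__ == "__main__":
    sim = simulate_annual_losses(SCENARIOS)
    report = compare_with_appetite(sim, expected_appetite=3_000_000, tail_appetite=10_000_000)
    for key, value in report.items():
        print(f"{key}: {value:,.0f}" if isinstance(value, float) else f"{key}: {value}")
```

The expected annual loss of this model can be checked analytically (rate times median times exp(sigma²/2) per scenario, roughly 3.8 million in total), which is a useful sanity check on any simulation before its tail figures are shown to a board; the tail percentile, not the mean, is what drives the insurance discussion.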

Growing awareness, data breaches and the adoption of cloud-based services are among the factors driving the growth of the cyber insurance market, while high costs inhibit it. High premiums can be brought down by systematically understanding organization-specific cyber risks, lowering exposure and improving the risk profile. For example, the use of data analytics to quantify risk exposure and underwrite cyber risks has proved to make risk profiling more efficient and effective and policy coverage more accurate.

With an internally aligned cyber risk strategy and a measured view of expected losses from cyber attacks, organizations can insure more effectively and secure the financial capacity to respond to and recover from an incident. An incident response plan requires the support of proper security technologies and expertise. At a minimum, a response plan requires a full inventory of IT assets, strong detection capabilities, clear roles and responsibilities, and fast reaction times. The plan must also be practiced regularly through drills so that personnel know their roles, and so that metrics measuring their performance can be tracked and recorded. Frequent testing helps identify areas for improvement and provides opportunities to continually refine processes and protocols.

Click here to access MMC-FireEye’s Report

Moving from best to better and better – Business practice redesign is an untapped opportunity

Under mounting performance pressure, many corporate leaders are looking to business process reengineering to improve performance, and in many ways that makes sense; after all, processes give shape to an organization and are often useful for coordinating routine flows across large organizations. The routine work of a company should be done as efficiently as possible, which increasingly means incorporating automation.

But organizations may be missing a much greater opportunity to improve performance.

Here’s the thing: Much of the work of many organizations today—at least the work that typically offers the potential for differentiation—is no longer routine or even predictable. When conditions and requirements shift constantly, processes fail. While process optimization can still certainly help reduce costs and streamline operations, leaders should consider a different kind of organizational rethinking for significant performance improvement. And in an environment of accelerating technological advances and rapid and unpredictable change, constant performance improvement is a must. Competition can come from anywhere—doing well relative to the competitors on your radar isn’t enough. Many barriers to competition are falling, and many boundaries, between industries and between markets, are blurring.

  • Consumers have more access to information and alternatives than ever, along with a coincident increase in expectations.
  • Workers have more access to information and alternatives—and increased expectations.

At the same time, many employees, in all kinds of environments, face increasing pressure to reach higher levels of individual performance. The useful life of many skills is in decline, creating a constant pressure to learn fast and reskill.

Many companies have struggled to effectively respond to these pressures since long before the Internet of Things and cognitive technologies added new layers of complexity. The average return on assets for US companies has declined for the past several decades, and companies find themselves displaced from market leadership positions more often than they used to. While the price-performance improvement in the digital infrastructure has increased exponentially, most companies are still capturing only a small fraction of the value that ought to be available through the technologies built on this infrastructure. Existing approaches to performance improvement appear to be falling short.

This raises the question: In a world of digital transformation and constant change, what does performance improvement mean? Many companies suffer from at least one of three broad problems that can misdirect their focus:

  1. Thinking of performance improvement too modestly. Leaders often think of performance advances as discrete, one-time jumps from A to B, or even a series of jumps to C and D. The initiatives that typically generate these bumps are similarly construed as pre-defined, one-time changes rather than as unbounded efforts that have the potential to generate more and more improvement. As we discuss in more detail, not only do most companies need to continually improve their performance— those that don’t start accelerating may fall further and further behind and become increasingly marginalized. Accelerating improvement, then, should be a goal of operations, not just one-off initiatives.
  2. Thinking of performance improvement too narrowly, focused only on costs. Process has dominated performance improvement efforts for the past several decades, focusing largely on the denominator of the financial ratio of revenues to costs. But costs can be cut only so far, and technology-based process efficiencies can be quickly competed away, especially at a time when the changing environment and shifting customer expectations are making many standardized processes quickly obsolete. Further reductions become harder to achieve and have less impact. The relevant performance might be more about an organization’s ability to create significant new value. Workers across an organization regularly encounter new needs, new tools for meeting needs, and opportunities to identify new ways of delivering more value and impact in multiple dimensions, including helping other parts of the organization generate more value. The potential for value creation isn’t confined to certain roles or functions, and is bounded primarily by an organization’s ability to create new knowledge and creatively address new problems. Focusing on new value creation may be the key to getting on a trajectory of accelerating performance improvement. Doing so would require an organization to move beyond efficiency and standardization and begin focusing on cultivating the behaviors—such as experimentation and reflection to make sense of what has been learned—associated with new value creation.
  3. Thinking of performance improvement at the wrong level. Most organizations manage performance where they measure it—which is to say where they have data: broadly, for the department and organization, and narrowly, for the individual. Both levels can miss where work, especially value-creating work, increasingly gets done: in groups. As a result, organizations can miss the opportunity to shape how work actually gets done. Focusing on performance where it matters most to the organization’s work might be a key to having a significant impact on the performance that matters.

The imperative to act seems simple: Today’s environment seems to offer no reprieve, no stabilization that gives us a chance to catch our breath and say, “OK, now we’ve got it figured out.” The methods and processes that led organizations to great success in the past seem to no longer be working. For sustained performance improvement, companies may need to change their focus and look in new directions.

Click here to access Deloitte’s detailed study

The Digital Business Imperative

Don’t Build A Digital Strategy; Digitize Your Business Strategy

Digital fundamentally changes your relationship with your customers. You can’t address this change with a bolt-on digital strategy that adds an app here or a site there. To remain competitive, you must re-engineer how your business creates value for your customers in the digital age.

Digital Has Changed Your Markets
Your customers aren’t who they used to be — they haven’t been for quite some time now. Digital touchpoints permeate every aspect of your customers’ lives — how they watch TV on Netflix, how they research new products on their smartphone, how they check their balance on PayPal, or how they review their stay on Airbnb. Business buyers expect automated service, tap communities for insights, and want services with apps attached; they’re even more digital than consumers are. Digital has transformed the market context for every business, and the pace of change is accelerating.

Digital Has Changed The Way That You Operate
Digital has transformed more than your channels and customers. It also disrupts you from within, changing the way that you do business. Digital not only accelerates the pace of change but also brings new opportunities for firms that can embrace the technology fast enough. It speeds time-to-market, reduces costs, and unlocks new revenue streams. There’s a reason why manufacturers ABB, Schneider Electric, and Siemens spent a combined €8 billion on acquiring software assets to help clients design, manage, and optimize complex industrial operations like power grids more effectively.

Use Digital To Help Customers Get To The Outcomes That They Desire

Re-envision your business not as a set of products and services but as part of the personal value ecosystems that your customers assemble according to their needs and desires. Learn to increase value by expanding your company’s role in your customers’ personal value ecosystems.

Digital Operational Excellence Increases Business Agility

Digital business isn’t just about customer experience — it’s also a way to drive operational agility. Digital operations can increase speed-to-market, make employees more productive, promote leaner processes, and maximize asset utilization.

Digital Dimensions

Click here to access Forrester’s detailed study