Making Sense Of Cyber-Exposures
Determining how to protect against new technology risks is becoming one of the big financial and security issues of the early 21st century. Digital failure is costing businesses worldwide untold amounts of money, forcing companies out of business and holding back the development and use of new technology.
While companies are becoming more aware of the need to do something about their new digital exposures, they are not 100 percent clear about exactly what that something is.
For years now, we have been encouraged by governments and industry to spend money on technology to improve competitiveness and efficiencies. But advice on how to minimize the risks that this has created has been pretty inconclusive.
While various IT security products such as anti-virus software have become increasingly ubiquitous, what has been distinctly lacking from the debate is the realization that being secure is as much about good corporate governance as it is about IT security products.
So what measures should businesses be taking?
Well, in many respects, the types of losses that we are seeing today are no different from those experienced in the non-digital world. It is just the causation that is different. So the key principles of digital risk management are much the same: risk assessment and mitigation, backed up by insurance.
Getting the right insurance is the last step of the process. (See related article, page 26). Only after developing a risk management program that ensures that digital losses are understood and proactively managed throughout the organization will a firm be able to achieve digital insurability. Many shareholders and investors now view the presence of digital risk insurance as a form of due diligence, since in order to qualify for it the business must be operating securely.
Contrary to popular belief, putting together a reliable and comprehensive digital risk management strategy is not prohibitively expensive. In fact, it should reduce the total cost of the risk. And it can be done in 6 simple steps.
Step 1: Assemble your team.
Business owners must act quickly to understand how and where they are exposed. This means enlisting the support of senior managers throughout the business and working together to identify areas of vulnerability and the severity of each.
The digital risk management team will drive and own the company-wide digital risk management plan. The team should have cross-functional representation with a mix of senior executives from the information technology department, finance and/or risk management, human resources, operations, legal, as well as customer services. It may be a mix of internal staff and third party consultants, as appropriate.
Working together, the team will scope out a clear picture of the types of exposures your company is faced with based on your technology use and dependency. It will also begin to debate the likely impact of the different types of digital loss or damage, considering each business area and documenting the results.
Step 2: Risk assessment or quantifying the exposure.
Risk assessment is the foundation of any digital risk management program, for without knowing where exposures lie, it is almost impossible to implement the correct countermeasures. A risk assessment will seek out organizational vulnerabilities to give company executives a complete and impartial overview of the security challenges they face and make specific recommendations as to the policies, training and tools necessary to protect their assets.
Experts will not only look at crimes and incidents you have experienced in recent years, but also at those experienced by others in similar market sectors, in order to understand the types of risks that you may be exposed to.
Part of the role of the assessment is to look forward as well as at "where we are now." What might be a secure system today will not be next week. So by understanding "where are we going," or how the systems will be used by the company in the future, weaknesses can be more readily predicted and eliminated before they are exploited.
Most companies enlist outside support in order to conduct an impartial risk assessment, although more and more are beginning to use specific software tools that enable senior managers to conduct their own assessment.
The results will help determine the threats that could appear, their likely financial impact, and what the company should and could do to manage them, splitting the results into "requirements" and "recommendations."
The final phase of the risk assessment process will be to make a cost/benefit analysis of how the company will manage its risks and to translate the results into a digital risk management plan.
The goal of risk assessment is as much to gauge the cost of mitigation as it is to quantify the risks themselves. Above all, this is a commercial exercise with the ultimate goal being to achieve a level of security that positively impacts the bottom line.
Step 3: Implement effective security policies.
A company's digital risk policies provide the framework within which to define the controls that need to exist within the organization, based on the levels of risk that it is prepared to accept. They provide guidance on how the technology system should be configured, the degree of onus on employees to act responsibly, the level of insurance coverage required, and the steps to be taken should a security breach or loss occur.
The security breaches we read about tend to fuel the popular misconception that the major threat to information security comes from external hackers. Electronic information is at risk for a whole variety of reasons: natural disasters, failure of equipment and services, and accidental as well as malicious acts by human beings. Electronic information, however, is most at risk from a company's own employees, and establishing policies that address this and other standards is critical.
The following policies should exist within all organizations: acceptable use; human resources; storage; access; third-party policies; disaster recovery; and training.
Acceptable use policies set forth clear guidelines for employees as to their responsibilities.
Human resource policies will include policies for employee monitoring, screening of new employees, and procedures regarding exiting staff as well as temporary employees.
Through its storage policies, a company attempts to ensure the physical security of hardware and software. While access policies will set forth access requirements for each type of user on the system, training policies will ensure that staff involved with administering the systems have the right skills.
Third-party policies will specify guidelines about the sharing of information with partners and suppliers.
Finally, disaster recovery policies will specify the steps that need to be taken should a loss occur.
The goal of these policies is to make everyone recognize that they have responsibility for digital risk management. The development of these policies is by no means as onerous as it may sound and there are a number of excellent industry-led international standards (e.g. ISO 9000, BS 7799) that you can call upon to support this process.
During this step, the team will work to identify gaps in your policies using the results of the risk assessment. Following on from that, it will develop and distribute relevant digital risk management policies using industry-led standard templates as appropriate, and will then set up internal mechanisms to ensure the policies are visible and enforced.
Step 4: IT security should be tested and maintained.
Risk mitigation technology, if installed and maintained properly, can be highly effective in protecting against known digital risks when combined with the rest of the mitigation mix.
The risk assessment process will highlight any gaps in existing provisions and make recommendations. But having all the right technology is not enough. It must be up to date.
New service releases must be acted on as soon as they are issued, and updates must be downloaded and distributed throughout the organization as soon as they are made available. As soon as any new technology is added, upgraded or shared externally, the appropriate new controls must be put in place.
The risk assessment process should identify the appropriate technology required to control access, detect, monitor and audit the system. Once identified, the technology must be tested to ensure that it is properly configured and effective prior to roll-out. Finally the team will need to ensure that the administrator has the necessary training to maintain and manage the systems on an ongoing basis.
Step 5: Company processes need to support your people.
Management processes need to work together to support the risk management imperative. Digital risk mitigation is not just about IT security, it is about governance and it is about people. Unless there are policies and processes to support the people, then damage will occur and no amount of computer security tools or training will solve the problem.
Suppose a new vulnerability is identified. Unless there is an established process, it will be very hit and miss as to whether the organization can react swiftly enough to avoid suffering legal complications, liabilities, financial loss or significant downtime.
The risk assessment process itself may include guidelines on the various areas you need to consider, but there are certain processes that will almost certainly need to be addressed by all businesses. In order to be certain you are dealing with yours effectively, make sure the team refines your internal processes in light of your new risks. Then ensure that you have documented and circulated drafts amongst your team for feedback, and then distribute them internally. It is equally important that processes are reviewed as they are tested and followed, so that more effective versions can follow.
Step 6: Check that you have the right insurance in place. This is the last step of the process. (See related article, page 26).
Digital risks can be controlled so long as companies accept that managing them can never be a one-off. Businesses that want to operate securely need to employ a continuous program of monitoring, refinement and communication to ensure that currency and awareness are maintained throughout the organization, and that digital risk is considered in every partner, customer and supplier engagement.
Harry Croydon is the chief executive officer of Safeonline, a leading provider of a full range of digital risk insurance products and services. For more information visit www.safeonline.com.
Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, June 17, 2002. Copyright 2002 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.