In defense of private companies: Creating a cyber risk-aware culture
Each year, the amount of investment organizations -- big and small -- are making to protect their most valuable assets with technological and physical safeguards continues to grow by staggering amounts. Yet, with just one click or touch, an unsuspecting employee can expose a company to cyber spying, ransomware or outright theft.
Private companies are aware of various risks posed to their businesses both from external threat actors (e.g., business/political rivals, organized cyber criminals) and from their own personnel (e.g., disgruntled employees). This year, 38 percent of mid-market and private leaders ranked cybersecurity as a top information technology (IT) investment priority according to Deloitte’s annual mid-market technology trends report. What are they investing in? New information security capabilities, monitoring and detection, and employee education initiatives.
As the number of cyber threats continues to increase and the threats grow in complexity, private companies are trying to instill discipline and rigor around how they continuously monitor and evaluate their security capabilities and controls against the threat landscape. These organizations are not subject to the same level of external scrutiny from regulators, shareholders, and customers that public companies face, and hence have the ability to invest in capabilities that are right-sized for the specific cyber risks that may impact their businesses.
Private companies are rightly focusing their security budgets on protecting data, intellectual property, and IT and operational technology (OT) systems. They also seek better visibility into their cyber risk posture through improved security operations. As private companies use more cloud solutions, they are taking advantage of the 'native' security controls embedded in those solutions. Those with consumer-facing businesses seek identity, application security, and authentication solutions that better align with their brand and improve customer experiences as they invest in digital strategies. And -- as with businesses of any size -- they are beginning to plan for 'bad day' scenarios so that they are more resilient to cyber-related business interruptions.
A challenge arises for many private companies when it comes to managing the overall cyber risk strategy and posture of the organization. Many private companies lack the scale to justify an in-house chief information security officer (CISO) or a cybersecurity team with dedicated experts in specialized areas such as network security, identity management, security incident monitoring, and incident response. Instead, they often have just one or two cybersecurity resources trying to cover all those areas, or they rely on IT generalists to keep them protected from cyber threats. Private companies should consider creative and cost-efficient sourcing options, such as managed security services, to address the capability or resource capacity gaps in their organization. Adaptable service levels allow organizations to maintain, or even enhance, their control over security efforts.
The Federal Bureau of Investigation estimates that cyber thieves extract about $500 million every year from phishing attacks alone: those innocuous-looking emails or texts that carry seemingly legitimate links that end up installing harmful software. According to the survey, managing data privacy (51 percent) and ensuring data integrity (46 percent) are the two leading challenges executives face in using cloud-based services. The survey also shows that management oversight of IT-related risks is still lacking. It is probably no surprise, then, that education and training on cyber risk management and data protection should become a top priority for mitigating cyber risks.
Creating a cyber risk-aware culture
It’s one thing to host a mandatory, one-time seminar on good cyber practices, and quite another to ingrain cyber risk values and behaviors into a company’s culture. Cyber is not going away. It’s not a problem to be solved but a risk to be managed. There’s not a corner of an organization that it couldn’t impact, which is why an enterprise-wide approach to cyber awareness and cyber risk management is crucial. Without that, there’s little hope that employees will be fully aware of or support their organization’s security technology and policies.
We’ve seen three key elements shared by mid-market companies with strong, cyber risk-aware cultures:
- Leadership: You often hear "the tone needs to be set at the top," but when it comes to managing cyber risk, it truly does. Leaders need to understand how each area of the business operation, product, or business partner can be exposed to cyber threats and what to do if there is an incident. It is also important for them to encourage employees to discuss emerging threats.
- Learning: Formal training about cybersecurity needs to be ongoing and creative. It’s not just new hires that need to hear how important good cyber practices are to their employer. Regularly scheduled learning events that include non-traditional learning experiences -- such as micro-training, gaming or mobile delivery -- can deliver the message consistently. This training should also include the practice of incident response plans by not only IT teams but an organization’s leadership team, which may include legal, compliance, marketing, human resources, operations and beyond.
- Communication: Employees also need to understand how cyber incidents could impact them personally, creating a personal connection and commitment to adopting safe cyber practices. Targeted communications should set expectations for employee behavior (and the consequences of lapses), but should also help employees understand how lapses can put their own sensitive information at risk, with messages delivered across digital platforms, including text messages and videos. But they shouldn’t stop there! Business ecosystems are vast, made up of third-party vendors, business partners, customers and more. Organizations should inform all their stakeholders of their cyber risk posture and expectations as they relate to each party's obligations and commitments to securing that ecosystem.
There isn’t a business, public or private, in any industry or sector, that is impervious to cyber-related incidents. That’s why private companies should identify and agree on their cyber risk posture within their organizations and then hold themselves accountable for creating a culture of perpetual cyber preparedness.
Rick Borelli is a Principal within the Assurance offering of Deloitte Risk & Financial Advisory (RFA). Rick has been with Deloitte for over 30 years and has most recently served on the RFA Executive Committee as the Head of Strategic Initiatives and Operations within the Office of the RFA CEO, Chuck Saia. Previously, Rick has held other leadership roles including Deloitte’s National Controls Testing leader and National Investment Management Risk and Control Leader.
Julie Bernard is a principal with Deloitte Risk and Financial Advisory and is the insurance sector leader for the Cyber Risk Services at Deloitte & Touche LLP. She has more than 20 years of experience serving the world’s top financial institutions at the intersection between business process and information technology. With an extensive background in security strategy, privacy, consumer authentication, fraud prevention, and threat management, she helps clients be more secure, vigilant, and resilient in the face of an ever-increasing array of cyber threats.