What is the Cyber Risk in the C-Suite?
Recently, Yahoo confirmed that over 500 million accounts were compromised in a massive data breach dating back to 2014. Thankfully, the data stolen did not include financial data, but it did include personal information and encrypted passwords. Many cyber security experts faulted Yahoo for failing to discover the breach when it originally happened two years earlier. Yahoo pointed to its enormous computer networks and the difficulty of protecting them; however, as the dust started to settle, it appeared that Yahoo did not have strong enough defences to prevent this risk.
This hack is a timely reminder of how vulnerable online information is, fuelling a growing interest among corporate boards and senior executives about whether their companies are prepared to face such risks. Online vulnerability is not a given. There are ways for executives to protect themselves and their companies from cyber risks. In deciding cyber risk strategy, a progressive C-Suite identifies risks; determines how best to protect its data; implements strategies to detect and respond to abnormalities; and prepares contingencies to recover any lost data.
Executives who identify and manage cyber risks to their company’s network, systems, assets, data, and capabilities are able to mitigate many risks with minimal effort. Identifying risks enables executives to focus and prioritise their efforts consistent with their company’s risk management strategy and business needs. Without an understanding of their organisation’s network, executives cannot accurately determine how much risk their company is exposed to. By not accurately estimating risks to their organisation, executives put their organisation’s information at risk!
Protecting data requires executives to identify and deploy appropriate safeguards to ensure the delivery of critical infrastructure services within the organisation. Examples of data protection include data access control; employee awareness and training (how many employees are “addicted” to social media, and what information are they posting online?); and information protection processes and procedures. However, what works for one organisation will not necessarily work for all organisations. Adopting the data protection strategy that one company uses and assuming it will work for another could have catastrophic consequences for a different organisation.

Detecting and responding to abnormalities means executives have a system in place to detect threats to the organisation’s network in a timely manner, and then implement the appropriate actions to contain the impact of a potential cyber risk. Executives should not be overconfident in their ability to detect and respond to this risk. Cyber security strategies that are based on the overconfidence of senior management can be filled with vulnerabilities.

Executives should also have plans in place to maintain data and restore capabilities or services that may have been impaired in the event of a breach in cyber security. Making sure that data is backed up and protected from theft is a never-ending battle that no one wants to lose. Organisations that get hacked and expose sensitive data can face severe penalties, litigation, and a significant loss of credibility.

What all this ultimately comes down to is risk management. Risk management is the ongoing process of identifying, assessing, and responding to risk. To manage risk, executives should understand the likelihood that an event will occur and the resulting impact. Next, the C-Suite should ask themselves how to handle the risk: should the risk be mitigated, transferred, avoided, or simply accepted?
An understanding of risk management in their organisation allows the C-Suite to avoid wasted resources and to prioritise decisions regarding their organisation’s cyber risk and security.
Contact us if you would like further advice on developing Risk Strategy and Management to protect your Organisation. Our Lawyers at You Legal will be happy to assist you in whatever way we can.
*This blog is for general guidance only. Legal advice should be sought before taking action in relation to any specific issues.