There’s no need to tell a C-level executive about the risks of cybercrime. Chances are, it’s near the top of any risk management executive’s “to do” list.
Take the U.S. financial services industry. The sector is being hammered by cybercrimes like ransomware, phishing schemes and massive data breaches, with the average price tag on cybercrime incidents and fallout cresting $13 million (per company), according to Accenture. That’s up from $1.4 million in 2018.
All told, cybercrime costs to the financial services rose to $18 billion in the past year, making it one of the biggest budget busters in the entire money management industry https://www.accenture.com/us-en/insights/security/cost-cybercrime-study.
That’s a big reason why, increasingly, company management is inserting a key measure of defense against cyber incidents – tougher corporate compliance measures, especially internally. According to a recent report from Deloitte tracking the progress of artificial intelligence business initiatives, 49% of respondents pointed to “cybersecurity vulnerabilities” as their chief concern https://www2.deloitte.com/us/en/insights/topics/risk-management/cyber-security-threats.html?id=us:2sm:3li:4di_gl:5eng:6di.
As company decision makers increasingly tie risk management to cybersecurity issues, they do so in an environment where failure just isn’t an option. This from Deloitte:
This is why cyber today is not purely a risk management issue but is instead a core business enabler. For organizations to fully reap the benefits of new, digitally-enabled technologies, they need to view cyber as a digital transformation priority. In an era when technological innovation underpins a business’s marketplace performance, organizations that put cyber at the forefront should be better positioned to drive innovation and, consequently, bottom-line growth. Conversely, in the absence of a well-orchestrated cyber program, new products and services will be exposed to greater financial, brand, and regulatory risks, likely slowing their development and marketplace penetration.
The good news is that for those looking to redesign their businesses with cyber as a fundamental element, a host of new opportunities is emerging. While this is new ground for almost everyone, organizations can take action today to understand their cyber vulnerabilities, assess the risks, and put protections in place that make technology a safe space for innovation to grow the business.
What actions can company compliance directors take to tighten up cybersecurity practices? Here are several steps that make a difference.
Make cybersecurity a day-to-day companywide priority. Getting every company employee not only aware of cyber threats on a daily basis is a noble initiative – but it’s not enough.
“Compliance departments have to regularly train staffers on company cyber security policies and initiatives,” said Jeffrey Smith, CEO of RIA Compliance Firm, Chief Compliance and Legal Officer at Virtue Capital Management, and Managing Attorney for LawVisory. “A ‘one off’ cybersecurity training strategy won’t be enough – training on a consistent basis will give the issue the prominence and awareness it requires.”
Don’t overcomplicate the issue. Any compliance risk manager is familiar with the complexities and bureaucratic tone of most compliance documents, government-generated or otherwise. The case is the same for cybersecurity documents (think reports, white papers, IT documents, and even training manuals.)
To truly make the case to company teams, keep cybersecurity risk management policies simple and straightforward. That way, every employee understands where the company stands, what’s at stake, and how firm-wide compliance policies can keep risk threats under control.
Establish reporting guidelines. Company compliance officers should work with IT – or any third-party tech outsourcing partner a firm may be using – to establish reporting policies for the entire firm. For instance, each team member must know who to inform when he or she notices suspicious activity, like a flash drive laying around the office, a strange email or threatening social media post.
It’s vital that employees report suspicious digital behavior before it leads to a data breach. Thus, having a direct reporting policy is imperative to reduce risk of a cybercrime.
Change data security “behaviors.” Industry data shows that the vast majority of company security breaches are due to employee mistakes. While it’s difficult to control human error, policies and training should prioritize company-wide data security behavior (i.e., getting team members to think about data security as a primary component of their job).
A solid cybersecurity awareness campaign, integrated into risk management training programs, can steer organizational behavior to a place where employees know how to recognize lax data security practices. For example, everyday occurrences like sharing passwords internally or opening suspicious emails, among other easily prevented moves that could threaten a company’s data security, need to be stifled right away. A good cybersecurity awareness campaign can help.
Focus on processes – not outcomes. Compliance officers usually gauge risk management program effectiveness on an outcome based level – i.e., fewer cyber incidents, less regulatory scrutiny, and no fines and penalties due to lax compliance practices.
That’s all well and good, but with cybersecurity a real threat, the process matters as much as the outcome.
In fact, you can’t achieve quality cyber-risk outcomes without having robust, ongoing, and effective data security programs in place that focus on data, risk management and company-wide compliance.
Once you’re well into a good, solid cybersecurity risk management campaign, you’ll likely realize that a good process might be your most important strategic objective of all.