This article was featured in the Raconteur “Cybersecurity Special Report” published in The Sunday Times on 22 March 2020. Contributed by: Richard Hanlon, Chief Commercial Officer EMEA and Kraig Rutland, Vice President EMEA – Cyber Security, from Aon’s Cyber Solutions.
Across major enterprises, technological change provides the opportunity to evolve, but it also introduces the unknown. Companies can embrace this through understanding and managing their cyber risk.
Digital transformation is a regular business reality. Where market forces and changes in business models used to evolve over decades, now companies must continually address what they do and how they operate to remain competitive. This requires organisations to innovate and embrace new technologies and ways of working.
The risks and challenges that come with digital transformation must not be overlooked. Many large organisations still have legacy systems that are decades old, which means changing and, importantly, securing them is no trivial effort.
Augmenting these proven capabilities with market-leading business tools, such as advanced analytics, automation and artificial intelligence, can introduce significant risks that companies are not prepared for. Many industries have seen complete disruption in the way they operate and in their level of technology reliance, with the pace of change set to continue.
The prospect of managing this change and tackling new and unknown threats can cause some risk-averse companies to shy away from embracing technology transformation altogether. According to Cybersecurity Ventures, cyber crime damages will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015.
While such caution may limit their exposure to cyber threats in the short term, the long-term damage from having failed to adapt the business for the digital age could potentially prove fatal. Companies must undoubtedly transform, but learn to do so in a secure way.
Managing cyber risk
“Nothing quite vaporizes enterprise value as quickly as a cyber incident,” says Richard Hanlon, chief commercial officer, Europe, Middle East and Africa (EMEA), at Aon’s Cyber Solutions. “As companies go through these transformations, greater cyber resilience isn’t going to be achieved solely through technology, governance or compliance. They have to look at it as an iterative process with no straight line or singular approach and adopt a holistic view to cyber risk management.
“Many organisations, of course, want to insure the risk to get it off their balance sheet, but don’t take a step back to ensure they’ve adequately assessed their risks, vulnerabilities and put appropriate programmes in place.
“This is a process issue and data becomes key. A more holistic approach recognizes there is a valuable data ecosystem available within the various assessments, risk quantifications and responses to cyber incidents. The more organisations leverage those insights to dynamically assess the threat and, importantly, do something about it, the more cyber resilient they become.”
Cyber risks are inescapable. No organisation will ever be able to eradicate cyber threats or remove the risk of reputational damage should an incident occur. For those organisations that recognize increasing their security is part of an ongoing and iterative process, management of this risk does become achievable.
Aon partners with companies throughout this journey and can engage at any given touch point, whether that is assessment, quantification, insurance or incident response. This works best when companies are active participants in managing risk and engaged in a greater ecosystem of continuous review, improvement and investment in cyber risk management. Aon refers to this as the “Cyber Loop”.
Given this rate of change and the scale of increased threat, many organisations are unsure of whether they are doing enough, too much or taking the wrong approach entirely. Clearly, tackling this challenge is unique to each environment, but every company must first accept the risk exists and that it cannot be dealt with through any single measure.
Once organisations have gained an understanding of their cyber risk, they can start to manage it. This is achieved through building a robust cybersecurity programme, which includes developing the right policies and processes, deploying the right tools and aligning all the capabilities that form part of their efforts to protect against the risk.
“It is hugely advantageous to utilise advanced tools, techniques and monitoring capabilities,” says Kraig Rutland, vice president, EMEA, Cyber Security, at Aon’s Cyber Solutions. “Having said that, many organisations make considerable investments, but struggle to align them to their actual risks, which is where we are often engaged.
“In one use-case, we may work with a business to understand exactly what they should be monitoring and how they should be monitoring it, helping them use their existing technologies in a way that provides direct visibility of systems posing the highest risk.”
This is not just about monitoring, but how change is delivered. Another example of how Aon works with companies is by supporting their cloud adoption. Organisations are keen to embrace the benefits of cloud infrastructure, but often cautious to migrate critical systems due to the associated cyber risks. Aon helps them to understand those risks and then make the necessary change through managing them accordingly.
“Developing these processes and configuring all these technologies can be difficult, but it all comes down to ensuring your processes, technologies, systems and teams are actively helping you gain visibility or reducing the key cyber risks faced by your business,” says Hanlon. “There is still a need for a much deeper understanding of what the worst-case scenarios are in terms of the financial impacts due to cyber threats and in understanding cybersecurity is not an IT risk, but an enterprise risk.”
Rutland adds: “If you’re midway through a digital transformation, your business and IT environment are likely to be experiencing constant and rapid change that’s hard to keep on top of.
“Through good practices, many organisations will have tools and processes in place, but they may not be making the most of them and getting the right business insight and reporting to support their operating model. This is particularly true when it comes to incidents. It is one thing being alerted to an incident; it’s another having the right processes and procedures to handle that incident effectively. We help refine these processes and improve existing security investments to help tackle cyber risk.”
Culture can be the most important element of a successful cybersecurity strategy.
A company’s biggest strength is also often its greatest weakness: people. Cybercriminals will stop at nothing to get what they need, including targeting employees to gain access, data or otherwise. A key way to combat this is awareness, which must spread through an entire organisation and start at the top. If C-suite leaders don’t understand they are ultimately responsible for all risk-management efforts, there’s a problem.
This is important when safeguarding not just their operational responsibilities, but also themselves. According to Verizon research, C-level executives are twelve times more likely to be pursued by cybercriminals and nine times more likely to be victimized, typically by social engineering techniques, for influence, reputational damage, access to data or, 71 per cent of the time, for financial reward.
“The culture has to permeate out of the boardroom to the C-suite and then trickle down,” says Hanlon. “Yet too often we are called in by chief information security officers (CISOs) because senior colleagues are not fully appreciating that cyber awareness needs to be deeply embedded into organisational culture. Active engagement, support and sponsorship from the most senior levels within a business are critical to tackling the cyber risks and unlocking the necessary culture required to enable secure technological change.”
As businesses navigate ongoing digital transformation, assessing, understanding and managing cyber risk requires a wide range of competencies. Aon leverages a combination of experiences comprising technical acumen, analytics and business risk to support cybersecurity and risk-management objectives, enabling secure transformation.