Cybersecurity Causing Sleepless Nights for Risk Managers, Part 1

Stephen DeAngelis

May 09, 2018

Supply chain risk managers have plenty on their minds to keep them up at night. With the European Union’s General Data Protection Regulation (GDPR) coming into effect later this month, cybersecurity risks have suddenly risen in importance. Cybersecurity hasn’t exactly been on the back burner for risk managers, but the penalties associated with GDPR violations are severe (companies could face fines of up to 4% of global annual turnover or €20 million, whichever is higher). And it’s not just potential penalties at stake. Deloitte analysts note, “Some threats, such as credit card fraud and identity theft, are becoming all too familiar in today’s marketplace and can be significantly detrimental to customer trust and brand reputation.”[1] They add, “The road forward will likely not be an easy one. Consumer businesses face numerous challenges as they attempt to handle the complex issues of cyber risk.”

Addressing cybersecurity: Where to start

At the top of every risk manager’s list of things to worry about is the fear of being hacked. The question is often not if the organization will be breached but when. “According to a Thales Security report, 67 percent of enterprises were breached in 2017. Of those that were breached, 71 percent were based in the United States.”[2] Tom Beale, Chief Technology Officer at Corax, recommends every company ask itself several questions to assess its cybersecurity risks.[3] They include:

1. Is your business in the data collection business or not? While every company needs data in the Digital Age, not every company needs to be in the data collection business. Beale explains, “Many large retail organizations that have been collecting credit card-related data for years have recently begun outsourcing their credit card processing in a way that means that credit card data never touches their own network. This means reducing liabilities associated with credit cards while lowering risk.” The practical benefit is that systems which never store, process, or transmit cardholder data fall outside the scope of PCI DSS, so there is less to secure, less to audit, and less to lose in a breach.

2. How much data does your organization store and what type of data is it? Beale writes, “Many organizations that actively collect data don’t know what they’ve got or why they’ve got it, which is a dangerous situation to be in.” Despite the fact that the World Economic Forum has declared data a new natural resource, many analysts recommend companies go on a data diet and collect and analyze only the data they need. That advice is also what GDPR’s data minimisation principle requires: personal data should be adequate, relevant, and limited to what is necessary for the purpose it was collected for. Data you never collect cannot be breached.

3. What is your organization’s security culture? Analysts are fond of pointing out that many data breaches result from careless employee acts, like opening a malicious email attachment and unintentionally installing malware. Beale notes, “Security culture is quite complex and pervades every element of a business. … Human error accounts for a huge amount of vulnerability.”

4. Does your organization have a CIO, CDO and CSO? Beale’s point in asking this question is that C-level attention to cybersecurity is important. “If an organization has senior people in these roles,” he writes, “it may be in a better position to make informed decisions surrounding data.” Deloitte analysts agree. They argue C-level attention brings focus to the challenge. Unfortunately, they note, “For many organizations, the responsibility for preventing, managing, and recovering from cyber incidents tends to be highly fragmented. … Executive-level involvement with cyber risk management, including prevention, mitigation, and recovery, is critical to the success of cyber risk programs.”

5. How long has your organization been around? You might be wondering why Beale would ask this question. He explains, “Age and size are important criteria when it comes to security. Younger organizations are more likely to have grown up with more security conscious workers, and are more likely to secure data in the cloud.”

6. How many systems does the company have? The importance of this question is easy to understand: you cannot patch, monitor, or defend an asset you don’t know you own. Beale notes, “Bigger or older organizations are likely to have more assets and less idea of exactly how many they have. This is a major concern, as it only takes one asset to become vulnerable for malware to be introduced.” Considering GDPR requirements, David Lavenda (@dlavenda), vice president of strategy at harmon.ie, adds, “Aim to store all personal customer data in one, central environment, or connect on-premises and cloud deployments. If this is not possible, make sure that departments have one single space for storing data.”[4]

7. How much does your organization spend on cybersecurity? Beale writes, “Organizations should be very interested in understanding what percentage of revenue they spend on security related IT.” He points out this is not an area in which companies can afford to be stingy. As the old adage goes, you need to put your money where your mouth is when it comes to cybersecurity investments. It’s money well spent, especially when weighed against the cost of a breach and the GDPR fines described above.

8. Are your products secure? With the Internet of Things (IoT) predicted to play a large future role, ensuring connected devices are secure is essential. Beale adds, “It’s understandable that companies want to get new products out to market quickly, but if they are not being built with security in mind, this is a real concern.”

9. How does your organization handle outsourcing? Today’s supply chains are, more often than not, extended and complex networks, and your suppliers’ suppliers (so-called fourth parties) can expose you to risks you have never assessed. Beale notes, “Organizations should try to find ways to look at the ripple effect and the inherited risk from all third parties and their respective third parties.” Easier said than done.

Once you’ve answered those questions, you are in a better position to conduct a cyber-risk assessment of your supply chain. Ben Ludford, a consultant at Efficio, writes, “Think the unthinkable. What if all your suppliers’ IT systems and channels of communication failed? What if the supplier managing customer data suffered a breach? Asking questions will help you understand the potential risks and how they could impact on your organization. Based on this assessment you can prioritize your actions.”[5]

Summary

Hopefully, you now understand that asking good questions (and lots of them) will help you strengthen your cybersecurity posture. Armed with answers to those questions, your organization is in a much better position to take additional security measures. Deloitte analysts report, “82 percent of consumer businesses have not documented and tested cyber response plans involving business stakeholders in the past year. [And] 29 percent of businesses lack clarity on the roles and responsibilities of individuals during an actual cyber breach.” Obviously, a lot remains to be done in the cybersecurity arena. I’ll discuss some of the measures that can be employed to improve cybersecurity in the second part of this article.

Footnotes
[1] Sean Peasley, Kiran Mantha, Vikram Rao, Curt Fedder, Marcello Gasdia, “Cyber risk in consumer business,” Deloitte Insights, 15 June 2017.
[2] Isaac Kohen, “Data Security Best Practices for Mitigating Supply Chain Risk,” Supply & Demand Chain Executive, 8 March 2018.
[3] Tom Beale, “Assessing cyber security risk: 10 questions organizations should be asking,” Information Management, 9 August 2017.
[4] David Lavenda, “7 steps to ensure an organization is GDPR-ready,” Information Management, 27 March 2018.
[5] Su-San Sit, “Six steps to prevent cyber attacks,” Supply Management, 10 April 2018.