The Challenge of Risk Management in a Volatile Security Environment

From data to physical security, corporate risk management is changing daily. Market challenges require an agile, rapid business response to a wide range of security threats.

Whether your business is local, national, or global, you must take action to identify risk and protect your brand reputation through a comprehensive business continuity plan.

In 2015, the number of electronic attacks on U.S. enterprise and research institutions continued to rise. According to IBM, business continuity management (BCM) is critical to reducing exposure in ways that include:

  • Decreasing the likelihood of a data breach
  • Shortening the time to identify a breach event and responding more quickly
  • Reducing the per capita costs of data loss

Along with business brand exposure and liability, the cost of service loss continues to rise. A 2016 report from the Ponemon Institute estimates the average cost of a data center outage due to cyber attack has risen to over $740,000, from approximately $500,000 in 2010.

Even the ability to conduct business comes into sharp question when national infrastructure is vulnerable. In late February, the White House alerted American energy, water, and transportation interests that tactics used to take down the energy grid in Ukraine earlier this year could be used against domestic U.S. interests.

Preparation for cyber attack at the organizational, agency, or business level is carried out through BCM and ongoing exercises to strengthen readiness.

Steps to Undertake Business Continuity Planning

Business continuity plans vary in complexity at the enterprise or small business level, but the drive toward preparedness looks similar.

Many businesses and agencies are unaware that their network or data is exposed until they are notified by a third party. The longer the delay in identifying a system compromise, the larger the potential business exposure in loss, liability, and reputational damage. Sophisticated nation-state and other bad actors are often able to quietly intrude and exfiltrate data for months, or even a year, before being exposed.

Some initial steps to protect your business interest include:

  • Commit to organizational preparedness at all levels
  • Involve stakeholders throughout your organization in the identification of risk
  • Consider working with a qualified outside security vendor to help you evaluate and create a business continuity plan
  • Take needed steps to assess risk, identify threat, and understand business impact
  • Invest budget in infrastructure safety, including hardware, software, and training
  • Train, drill, and revise your readiness plan on an ongoing basis

The National Institute of Standards and Technology (NIST) offers a more extensive, voluntary framework to help business and organizational interests better address risk management, deter attack, and recover more quickly from breaches.

In early February, the White House announced the implementation of a Cybersecurity National Action Plan. The key features of the federal plan include:

  • Establish the Commission on Enhancing National Cybersecurity. This bi-partisan committee is expected to make across-the-board recommendations to develop best practices and recommend technologies to strengthen economic and consumer cyber safety.
  • Fund and modernize legacy government IT and appoint a Federal Chief Information Security Officer.
  • Create partner opportunities between government and IT interests to enable better cyber protections and response.
  • Make a major financial investment in federal cybersecurity.

While federal or large enterprise concerns make enticing targets for cyber attack, small businesses are frequently victimized due to weaker network security. Breaches of smaller, third-party networks can compromise bigger players, resulting in a significant loss to the entire ecosystem.

The management of corporate and small business risk is complex. Put a continuity plan in place to give your company a framework of response in the event of a cyber attack or other incident. While you may not be able to prevent an attack, proactive assessment can help you mitigate damage and possibly avert significant financial and legal liability.