Sponsored
Sponsored content is premium paid-for content produced by the Irish Times Content Studio on behalf of commercial clients. The Irish Times newsroom or other editorial departments are not involved in the production of sponsored content.

Chief executives identify cyber risk as prime threat to company growth

Culture of cyber resilience must be driven from top, KPMG expert says

Cyber risk is cited as the number-one risk to organisational growth by Irish chief executives. This was among the key findings of the KPMG CEO Outlook for 2019.

Some 1,300 chief executives in a selection of the world's most dynamic organisations, including from Ireland, took part in the research for the report which also found that 62 per cent of Irish chief executives believe that a strong cyber strategy is critical to building trust with key stakeholders, up from just 22 per cent in 2018.

That strategy must be underpinned by a culture of cyber resilience which is driven from the top, according to Dani Michaux, KPMG's new head of cybersecurity in Ireland. "You need a culture where cybersecurity is everyone's challenge, which is particularly true in large organisations," he says. "There's no point training 50 expert cybersecurity professionals when others may be doing risky things that could compromise the organisation."

There is also a requirement to ensure that the effort is properly funded. “One of the hardest things about cybersecurity and building a resilient organisation is that if it’s going well you don’t hear about it,” says Michaux. “Building cyber resilience is an ongoing effort, just like building a good immune system. It’s like health or house insurance: you never want to use it, but if you do need it, you’re really glad you’ve got it. But you need to ensure the investment is there to continually adapt and renew your approach – always bearing in mind new technology enhancements and changing business models.”

READ MORE

Tough discussion

But not every organisation or chief executive understands its importance. “Cyber resilience is a very tricky and tough topic”, she notes. “It’s a tough discussion to have in an organisation. People tend to look at technology threats and risks and associated cyber risks as a comparatively new thing, possibly because of the number of large-scale attacks which have happened in the last three years. But these events are making people think about how resilient their organisations are both from a cyber and operational perspective.”

In addition, a change in perspective is required. Organisations have to shift from the traditional view of cybersecurity as being about defence and recovery to one where resilience of essential services are at the forefront.

“It can’t be just about recovery any more,” says Michaux. “If an event happens, an organisation has to be able to continue doing business. That’s resilience. It is a question of understanding that an event will happen at some stage and the organisation must be able to continue with its core business and serve its customers when it does. If an organisation can do this, its resilience level is good.”

She believes the cyber resilience label is too narrow for the topic. “Organisations talk about that because so many of the risks are related to cyber events. Financial services organisations and regulators around the world are talking about the broader issue of operational resilience.

“Digitalisation is linking organisations along supply chains in different and more complex ways. They have to think about what happens if a key supplier goes down. What would happen if a major cloud provider went down or if a few of their data centres were attacked? What impact would that have on their ability to continue doing business? And what will happen if more than one major provider within the supply chain is unable to provide services?”

She advises businesses to do extensive scenario planning to gain insights into the potential effects of such events. “Organisations should run simulations based on worst-case scenarios and learn from the outcomes,” she says. “They should use them to find out what they can do without and what can they can leave behind and still continue operating in the event of a cyberattack. The business doesn’t have to be running at 100 per cent, just enough to continue serving customers. If they don’t do that, they will never know how resilient they are until they are actually attacked.”

Assumptions

And she warns against relying on assumptions, no matter how well founded they appear to be. “People running large organisations tend to forget the amount of assumptions they make. They assume suppliers will still be there, that service-level agreements will continue to work, that an attack will not happen at the weekend or at midnight, that telecommunications and other systems will keep running.

“People make too many assumptions based on past experience instead of planning for what may happen if those assumptions aren’t borne out. Resilience is about going back and looking at all assumptions. Everything is so interconnected now that events in one company can lead to another going down.”

The consequences for organisations which lack resilience could be very severe. “Consumer expectations are far higher than they have ever been,” Michaux says. “They expect organisations to be resilient and to maintain service in the event of a cyber ly lose trust in businesses that are not able to do that and move their custom elsewhere with predictable results.”