Information technology has developed significantly over the past two decades, bringing with it new cyber exposures that leave businesses and individuals alike vulnerable to unseen cyber liability. Responsible governance calls for organisations to incorporate risk management strategies and practices into the fabric of their corporate governance policies. For this to happen effectively, organisations must understand the exposures they face and ascertain the risk management policies which align with their risk appetite.
A comprehensive and integrated approach to risk management calls for three key considerations to be deliberated by the organisation: its strategy, processes and people. To be inclusive, risk management must involve all levels within the organisation. The upshot of a well-orchestrated risk management process is improved decision-making, planning and prioritisation – this is only achieved through a comprehensive and structured understanding of the organisation’s activity, how volatile it is, as well as the opportunities and threats facing the business.
All users have a responsibility to manage the risks to the organisation’s information and communications technologies and information assets. Appropriate training and user education should therefore be provided to users (relevant to their role) and regularly refreshed. A security programme must include awareness and communication initiatives: the best policies are wasted effort if employees disregard them.
By implementing corporate governance policies and processes to develop a secure baseline that builds and manages the configuration and ongoing functionality of all information and communications technologies (ICT), organisations are able to greatly improve the security of their ICT systems.
Good corporate practice is to develop a strategy to remove or disable unnecessary functionality from ICT systems and keep them patched against known vulnerabilities.
Connecting to untrusted sources exposes the corporate network to attacks that seek to compromise the confidentiality, integrity and availability of ICT systems and the information which they store and process.
User access privileges to information and communications technologies should also be managed. Users should be granted only the privileges required to carry out their duties. Unused or dormant accounts (possibly created for temporary staff or for testing purposes) should be removed or suspended.
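As an added illustration of the access review described above (example code written for this page, not Camargue's own tooling), the script below runs two checks over a constructed directory export: accounts holding privileges beyond an assumed role baseline, and accounts that have never logged in or have been dormant longer than an assumed 90-day threshold. The sample accounts, the role baseline and the threshold are all assumptions; a real review would read them from the directory and from documented job descriptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample directory export (not real data).
# last_login is an ISO-8601 UTC timestamp, or None if the account never logged in.
ACCOUNTS = [
    {"user": "alice", "role": "finance", "privileges": {"erp_read", "erp_post"},
     "last_login": "2024-05-30T09:12:00Z", "note": ""},
    {"user": "bob", "role": "helpdesk", "privileges": {"ad_reset_password", "domain_admin"},
     "last_login": "2024-06-01T16:40:00Z", "note": ""},
    {"user": "temp_contractor7", "role": "contractor", "privileges": {"vpn"},
     "last_login": "2023-11-02T08:00:00Z", "note": "temporary staff"},
    {"user": "svc_test_old", "role": "testing", "privileges": {"db_admin"},
     "last_login": None, "note": "created for testing"},
]

# Assumed role-to-privilege baseline (hypothetical; derive yours from job descriptions).
ROLE_BASELINE = {
    "finance": {"erp_read", "erp_post"},
    "helpdesk": {"ad_reset_password"},
    "contractor": {"vpn"},
    "testing": set(),
}

# Assumed dormancy threshold; policies commonly use 30 to 90 days.
DORMANT_AFTER = timedelta(days=90)


def parse_ts(value):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_accounts(accounts, baseline, now, dormant_after=DORMANT_AFTER):
    """Return a list of findings; each finding is a dict with user, kind and detail.

    kind is one of:
      excess_privilege - privileges not in the role baseline (detail: sorted list)
      never_used       - account has no recorded login (detail: None)
      dormant          - last login older than dormant_after (detail: days since login)
    """
    findings = []
    for acct in accounts:
        # Least privilege: anything beyond the role baseline needs justification.
        excess = acct["privileges"] - baseline.get(acct["role"], set())
        if excess:
            findings.append({"user": acct["user"], "kind": "excess_privilege",
                             "detail": sorted(excess)})
        # Dormancy: never-used and stale accounts are candidates for removal/suspension.
        last = acct["last_login"]
        if last is None:
            findings.append({"user": acct["user"], "kind": "never_used", "detail": None})
        else:
            idle = now - parse_ts(last)
            if idle > dormant_after:
                findings.append({"user": acct["user"], "kind": "dormant",
                                 "detail": idle.days})
    return findings


def main():
    now = datetime(2024, 6, 3, tzinfo=timezone.utc)  # fixed 'now' so the run is reproducible
    for f in review_accounts(ACCOUNTS, ROLE_BASELINE, now):
        print(f"{f['user']:<18} {f['kind']:<17} {f['detail']}")


if __name__ == "__main__":
    main()
```

Each finding is a ticket, not a verdict: an excess privilege may be legitimately approved, and a dormant service account may be a scheduled job that has not yet run. The value of the script is that it turns the policy sentence into a repeatable check whose exceptions must be explained in writing.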
Unfortunately, in today’s cyber age, it is inevitable that organisations experience an information security incident at some point. Establishing effective incident management policies and processes will therefore improve the organisation’s resilience, support business continuity, improve customer and stakeholder confidence and reduce the financial impact on the organisation. Monitoring information and communications systems allows organisations to detect attacks and react appropriately, while also providing a basis upon which lessons can be learned to improve the overall security of the organisation.
The Cost of Failure to Exercise Control
Failure to control or manage the utilisation of removable media could result in material financial loss, the theft of sensitive information, the introduction of malware, as well as the erosion of the organisation’s reputation.
Most organisations utilise a combination of technology and security procedures to prevent cybercrime incidents. Although IT security technologies can provide preventative measures against cybercrime, it is impossible to ensure complete protection, particularly given that cyber attackers are continuously seeking new methods to exploit vulnerabilities. Part of the risk management plan must therefore include appropriate cover for that inevitable breach. Failing to do so could cost the organisation its future.
Camargue is an underwriter of niche insurance products and a provider of risk management solutions to a broad spectrum of industries in Southern Africa. Camargue’s unique M3 approach focuses on managing, mitigating and migrating critical business risks.
Catherine Berry, Director for Commercial and Cyber Crime Division at Camargue