©Risk Concern. All Rights Reserved.
Since the advent of the internet and the growing accessibility of computing systems, businesses have faced a continuous push towards digitization, born out of necessity.
Arguably, there were four main pivot points in the overall level of business digitization in recent decades that accelerated this phenomenon: (1) the mid-to-late 1990s, when a broader realization of the internet's potential was reached (important factors: the release of Mosaic Netscape 0.9 in 1994 and the greater availability of personal/home computers); (2) the early 2000s, when barriers to the adoption and implementation of digital channels were eased or overcome (important factors: the creation of WordPress and similar tools, which made establishing a web platform far less technical); (3) the early 2010s, when the volume of data and traffic online grew exponentially and customer demand for more meaningful online interaction increased considerably (important factor: widespread adoption of mobile computing, enabled by technologies such as 3G); and (4) the 2020-21 crisis period, which made a digital pivot a fundamental requirement for survival.
Now, digital presence and operation are fundamental requirements for business; even small local businesses are expected to offer some platform for digital interaction.
However, mass adoption of the digital space also exposes firms to threats that must be thoroughly understood, and a fundamental understanding of this risk is required at the leadership level. Managers in leadership positions cannot treat it as an issue for the technical team only; now more than ever, cyber security has to be integrated into the firm's long-term strategic direction.
Cyber risks can arise from deliberate breaches of security, accidental breaches of security, and operational causes (flawed software, breakdowns, wrong data, etc.).
The main types of cyber risks include: "Hacking /data theft (gaining unauthorized access of data in a system or computer);
ransomware (organizational systems blocked/frozen by criminals who demand ransom for unblocking/unfreezing systems);
insider threat/disgruntled employees (steps taken by an employee with either criminal intent or out of resentment), &
malware attacks (malicious software designed to block access to a computer system until a sum of money is paid)" (KP, 2020).
Malicious software (malware) is any program or file that is harmful to a computer or its user; types include viruses, worms, trojan horses, spyware, and ransomware. Ransomware is therefore one category of malware rather than a separate phenomenon: the narrower definition quoted above (blocking access until a sum is paid) describes ransomware specifically, whereas most malware steals data, spies on the user, or gives the attacker remote control without ever demanding payment.
(Figure omitted in this version: a list of malware and operational risks.)
From this, two broad areas emerge that executives and managers should pay considerable attention to: data management risk and systems' security risk.
An important risk that all businesses must mitigate is data breach risk; a data breach can take the form of unauthorized access to, or leakage of, email or contact information, credit card details, personal details, etc.
All data breaches harm the business, but the severity of the impact depends on the severity of the breach; for example, the leaking of ten customers' order lists would arguably have a lower impact than the breach of credit card details of all customers. Nonetheless, every breach is damaging, and adequate measures must be taken to mitigate this risk vector.
Data breaches can have legal consequences that can bankrupt the firm; even if lawsuits do not arise, a data breach can still cause irreparable reputational damage, which can result in the collapse of the firm.
There are many examples of data breaches resulting in the bankruptcy of a business, and a widely cited figure holds that six out of ten small businesses that cannot protect themselves against such risks go out of business within six months. This risk should therefore be considered an existential threat.
All businesses hold personal data of customers and trading partners: contact details, preferences, location, financial data, etc. For proactive risk mitigation, all data that the firm holds should be considered to be under constant threat from unscrupulous actors.
Criminals use tools and methods such as malware (viruses, trojans, ransomware), phishing, intrusion into systems (hacking), and denial-of-service attacks. Leaders and non-technical managers must understand the nature of these threats so that long-term strategy can incorporate them in the formulation of growth paths.
To deal with cyber security threats, firms need effective cyber security policies and controls.
Developing a map of the entire cyber structure of the business should be the first step in understanding areas of concern. For example, for a small firm with a product website and an app, the map would include the hosting company/server, the platform used, network channels to and from trading partners, the cloud storage platform, and the website/app manager(s).
An analysis of each of these areas and their weaknesses should provide an amalgamated view of the cyber threats faced by the firm. For example, the servers should be examined for weaknesses and misconfigurations (unpatched software, unnecessary exposed services, weak or shared administrative credentials) so that they can be remedied and the servers kept secure.
Similarly, all staff with access to the cyber infrastructure should be subject to background checks before being granted access to users' data.
Even mid-to-small size firms can hold millions of data points, much of it personal and financial. Therefore, even small and midsized firms should consider establishing a data protection officer post, under the supervision of a board-level executive director, to assure all stakeholders that the firm, as a custodian of data, takes data protection very seriously and treats it as central to its business model and reputation.
Furthermore, the top management team (TMT) broadly can implement/recommend the following best practices:
One of the most important mitigating approaches is the encryption of all organizational data at rest, on servers, access computers, and internal-user devices, and in transit between them. Encryption at rest means that if a disk, laptop, backup, or database copy is stolen, the data is unreadable without the encryption key, effectively adding another layer of protection.
Two caveats are essential. First, the protection is only as good as the key management: keys must be stored separately from the data (for example in a dedicated key-management service or hardware module) and access to them tightly controlled, because an attacker who obtains both the data and the key has everything. Second, encryption at rest does not stop an attacker who has compromised a running application or a legitimate user account, since that system decrypts data as part of its normal work; it complements, rather than replaces, access control and monitoring.
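The following is an added illustration of the point above, not code from the original article: a stored customer field is encrypted with AES-256-GCM, the key is generated separately (standing in for a key-management service, which is assumed here), and the customer identifier is bound to the ciphertext so a record cannot be swapped between customers. The sample card number is constructed test data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is what the database stores for one protected field: the random
// nonce and the ciphertext. The key is never stored alongside it.
type Record struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a 32-byte AES-256 key. Assumption: in production the key
// lives in a key-management service or HSM, not on the database server.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for storage. customerID is passed as associated
// data, so a ciphertext copied into another customer's row will not decrypt.
func Seal(key []byte, customerID string, plaintext []byte) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(customerID))
	return Record{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a stored record. A wrong key, a mismatched customerID, or any
// tampering with the ciphertext produces an error, never silently wrong data.
func Open(key []byte, customerID string, rec Record) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(customerID))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key, wrong record, or tampered data")
	}
	return pt, nil
}

func main() {
	key, _ := NewKey()
	// Constructed sample value; not a real card number.
	rec, _ := Seal(key, "cust-1042", []byte("4111 1111 1111 1111"))
	fmt.Printf("stored in DB: nonce=%x ct=%x\n", rec.Nonce, rec.Ciphertext)

	// An attacker who copied the database but not the key gets nothing usable.
	stolenCopyKey, _ := NewKey()
	if _, err := Open(stolenCopyKey, "cust-1042", rec); err != nil {
		fmt.Println("attacker without key:", err)
	}
	// The application holding the key reads the data normally, which is exactly
	// why compromising that application bypasses encryption at rest.
	pt, _ := Open(key, "cust-1042", rec)
	fmt.Println("application with key:", string(pt))
}
```

The decisive design choice is that `NewKey` and `Seal` never write the key next to the record; whoever can call `Open` with the real key (the application, or an intruder inside it) can read everything, which is the second caveat above in concrete form.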
Proper firewall implementation is also critical. A firewall restricts which networks and hosts can reach which services, so that, for example, a database server is reachable only from the application server and administrative interfaces only from the internal management network, rather than from the whole internet.
All data to and from the servers should travel over encrypted channels. Public-facing services should use TLS (HTTPS), and administrative or internal access, such as uploading new content to the firm's website or the daily interactions between organizational members and the hosting environment, should go through a virtual private network (VPN) protected by multi-factor authentication. This protects the data from interception on untrusted networks and adds a further barrier against a breach.
Furthermore, businesses should have their cyber systems' security audited by independent external assessors of the highest standard, and should commission penetration testing at least quarterly, publishing the findings internally in the risk reports; any weaknesses identified should be remediated with the utmost priority, to secure the data of stakeholders.
Some deficiencies may require external consultants to take remedial action; adequate due diligence and background checks on such external parties are crucial.
Another best practice that can be incorporated in the firm's cyber structure is pseudonymization of data (often loosely called randomization): assigning each customer a code and never storing their data in directly identifiable form, i.e., under the customer's name or email address. Provided that the key or lookup table linking codes to identities is held separately and protected as strictly as the data itself, a breach of the pseudonymized dataset does not by itself reveal whose records they are. This is a common method in industry; note that simply hashing an email address without a secret key is not sufficient, because an attacker can hash a list of guessed addresses and match them against the codes.
All stakeholder data that has served its purpose should be permanently deleted, as per international best practice. If some data is required for statistical tests or data mining, it should be pseudonymized or anonymized, with all paths to personal identification removed. In some jurisdictions, businesses are required by law to delete personal data that has served its purpose.
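As an added example for the two paragraphs above (it is not part of the original article), the code below contrasts the weak approach, an unkeyed hash of the email address, with a keyed pseudonym (HMAC-SHA256), and shows an analytics export that carries only the pseudonym and the figures needed. The customer records, the guess list, and the secret key are constructed for the example; the assumption is that the real key would be held in the operational system or a key store, never in the analytics file.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Customer is the identifiable record held in the operational database.
type Customer struct {
	Name, Email string
	OrderTotal  float64
}

// AnalyticsRow is what leaves the operational database for statistics:
// a pseudonym and the figures needed, with no name or contact details.
type AnalyticsRow struct {
	Pseudonym  string
	OrderTotal float64
}

// PlainHash is the weak approach: an unkeyed hash of the email address.
// Email addresses are guessable, so anyone holding the analytics file can
// re-identify rows by hashing candidate addresses and comparing.
func PlainHash(email string) string {
	sum := sha256.Sum256([]byte(email))
	return hex.EncodeToString(sum[:])
}

// Pseudonym derives the customer code with HMAC-SHA256 under a secret
// pseudonymization key. Without that key a guessed address cannot be
// checked against the code, so the key must be kept apart from the data.
func Pseudonym(secret []byte, email string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(email))
	return hex.EncodeToString(mac.Sum(nil))
}

// Reidentify simulates an attacker who holds the exported file and a list
// of candidate addresses, trying each through the unkeyed hash.
func Reidentify(target string, candidates []string) (string, bool) {
	for _, c := range candidates {
		if PlainHash(c) == target {
			return c, true
		}
	}
	return "", false
}

// ExportForAnalytics strips direct identifiers, keeping pseudonym and figures.
func ExportForAnalytics(secret []byte, customers []Customer) []AnalyticsRow {
	rows := make([]AnalyticsRow, 0, len(customers))
	for _, c := range customers {
		rows = append(rows, AnalyticsRow{
			Pseudonym:  Pseudonym(secret, c.Email),
			OrderTotal: c.OrderTotal,
		})
	}
	return rows
}

func main() {
	// Constructed sample data, not real customers.
	customers := []Customer{
		{"Ann Example", "ann@example.com", 120.50},
		{"Bob Example", "bob@example.com", 75.00},
	}
	// Assumption: a real key is 32 random bytes fetched from a key store.
	secret := []byte("replace-with-random-key-from-key-store")
	guesses := []string{"ann@example.com", "bob@example.com", "carol@example.com"}

	weak := PlainHash(customers[0].Email)
	if who, ok := Reidentify(weak, guesses); ok {
		fmt.Println("unkeyed hash re-identified as:", who)
	}
	rows := ExportForAnalytics(secret, customers)
	if _, ok := Reidentify(rows[0].Pseudonym, guesses); !ok {
		fmt.Println("keyed pseudonym not re-identified from guesses:", rows[0].Pseudonym[:16]+"...")
	}
}
```

Deleting the pseudonymization key (or the lookup table) is also what turns a pseudonymized dataset into an anonymized one for the retention step above: once no party can link codes back to people, the remaining rows no longer identify anyone.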
Finally, the central server/hosting platform is of the highest importance in data management; granting access to such critical infrastructure should be taken very seriously, and firms should strive to add further layers of security here.
It is also important to understand that relying on background checks alone is not enough, as people who commit their first crime have no criminal history; firms need to remove trust as a single point of failure and rely on control systems.
Thus, on top of background checks, firms should add another layer of control. For example, whenever the business' server room or critical cyber infrastructure is accessed by an individual or team, their activities should be logged and monitored, either in person or by camera, by the cyber security team. This ensures that one individual with access to the central server/infrastructure cannot act in a way detrimental to the organization without an independent party observing them during their period of access.
Ideally, such a monitoring team should be directly under the supervision of the board of directors.
Proper training of all staff, not only the IT department, regarding social engineering attacks (attacks where an unscrupulous outside party identifies an organizational member with access to relevant areas and then engineers a social situation to gain their trust and, through it, access to the relevant cyber system) and phishing attacks is also of paramount importance.
Organizations need to ensure that staff are not only trained regarding these threats but also kept up to date on the latest approaches and techniques used by attackers.
Finally, adopting an international cyber security standard, to assure stakeholders that the firm adheres to the highest data protection standards and treats data protection as a matter of utmost importance, is also a recommended best practice. For example, the TMT, in collaboration with the technical team, can recommend implementation of ISO/IEC 27001, the information security management standard, at board level; the board should discuss its implementation to ensure adherence to the highest cyber security standards. For a thorough understanding of economic, political, and currency risks and the mitigation steps that can be taken, see our in-depth report.
Gupta, B. B., Perez, G. M., Agrawal, D. P., & Gupta, D. (2020). Handbook of computer networks and cyber security (p. 959). Springer.
Kaplan Publishing (2020). CIMA risk management. ISBN 978-1-78740-715-2 (printed).
Prasad, R., & Rohokale, V. (2020). Cyber Security: The Lifeline of Information and Communication Technology. Springer International Publishing.