Cyber Risk Management: Awareness alone is not enough
Supervisory bodies are increasingly required to fulfill their legal control and oversight duties with respect to cyber risks as well, according to the findings of a new study on how companies deal with cyber risks. Beyond the legal obligation, however, there are also good business reasons to invest in cyber risk management, the study, which was conducted by the University of Applied [...]

A ship without a captain: lack of statements on cyber risk readiness
According to the study, many companies seem to lack a central foundation for managing cyber risks: none of the organizations surveyed explicitly defined the extent to which cyber risks should be consciously taken in order to achieve business goals. "From a risk management perspective, it's comparable to a ship that doesn't have a captain," says Stefan Hunziker, author of the study and Head of the Competence Center Risk & Compliance Management at Lucerne University of Applied Sciences and Arts. Apparently, the development of so-called risk appetite statements is very difficult in practice. The HSLU study also shows that there is a gap between the technical IT infrastructure level and the organizational level when dealing with cyber risks. "Cyber risks are still seen too strongly as a purely IT issue. Accordingly, they are managed in a decentralized and operational manner and are not integrated enough into company-wide risk management," explains Hunziker. There is a noticeable discrepancy between the relevance attributed to cyber risk (awareness) and actual risk governance. "This prevents a consistent comparison - and therefore also a meaningful prioritization - of cyber risks and other risk categories at the highest management level," says the expert. As a first step in the right direction, he recommends promoting cooperation between the Chief Information Security Officer (CISO) and the Risk Manager. "Because this is primarily where the bridge between technical cyber security and business risk management is built," says Hunziker.

"People" as a risk factor: additional investments required
Often, the simplest and equally effective measures for dealing with cyber risks are still neglected. Stefan Hunziker: "The definition of cyber risks may therefore also be somewhat misleading, as many causes of risk are not to be found in cyberspace, but in human misconduct." The analogy with medicine is helpful: there, it has long been known that correct human behavior prevents the transmission of diseases. Regular disinfection, disciplined hand washing and keeping one's distance have become established behaviors, at least since the outbreak of the coronavirus pandemic. The present study confirms that the "human factor," i.e. human behavior, is still addressed too little in the area of cybersecurity compared with technical measures. "The 'human factor' makes up only one element in the continuous improvement process of cybersecurity, but it is a very important one," Hunziker said. Human behavior in dealing with cybersecurity should be trained until it becomes as natural and "normal" as sneezing into the crook of your arm.

Cyber Risk Management and Cloud Migration
Many cyber risks have their origins in cloud use. This makes it all the more important for organizations to plan their move to the cloud well and take appropriate measures. "Creating a clear strategy is at the very beginning of a well-planned migration to the cloud," says Armand Portmann, author of the study and Head of Information & Cyber Security | Privacy at the Department of Computer Science at Lucerne University of Applied Sciences and Arts. Fortunately, the majority of the organizations surveyed have such a document describing the framework conditions for the introduction and use of cloud services. This suggests that cloud computing is now also receiving attention in management bodies. "There is an awareness that the use of cloud services is associated with risks," says Armand Portmann. When it comes to naming the risks associated with the use of cloud services, the organizations surveyed have ready answers. "The top three risks include loss of confidentiality or a breach of data protection, dependence on the cloud service provider and liability issues," explains Fernand Dubler, author of the study and research associate at Lucerne University of Applied Sciences and Arts. The topic is complex, so it is not surprising that the measures required to mitigate these risks are far less obvious. Dubler adds: "These measures are extremely diverse and have to be developed individually based on the specific outsourcing situation. This often poses major challenges for the organizations concerned."

Source and further information: Lucerne University

This article originally appeared on m-q.ch - https://www.m-q.ch/de/cyber-risk-management-bewusstsein-allein-reicht-nicht/
