Explore & consider your organisational CRS & response as part of regular business activity, by reflecting on the current state of your effort & on what is actually happening to your data.
Businesses have little or no visibility into their sensitive data that is being sold, traded or discussed on the internet. Thinking that you’re secure across your own network & within your firewalls is an unsophisticated & quaintly fanciful approach. Hope is not a strategy.
The key characteristics of the current cyber risk & security landscape are evolving & morphing quickly. For example, with recent Anti-Money Laundering legislation & its authentication requirements, there are now more electronically exchanged copies of passports, drivers' licences, bank account details & other forms of identification than ever before.
More exchange means a larger attack surface & more verification & authentication data in transit.
Organisations, especially Boards, need to undergo a fundamental attitude shift. What needs to change?
Organisations need to look beyond their own networks & firewalls. An increased attack surface means more vulnerabilities – digital transformation, open banking APIs, AI-powered phishing, mis-configured cloud environments & data exposure through third-party integrations are just a few. Remote & hybrid work increases risk from compromised personal devices & unsecured home networks.
In considering strategies to reduce cyber risk & increase cybersecurity, particularly for complex, high-value environments such as financial institutions, health organisations & others handling commercially sensitive & personal information, three broad approaches can help focus effort & investment.
- Adopt a Zero-Trust Security Architecture
Core Principle: Never trust, always verify.
Identity verification for every user & device regardless of location, continuous authentication & behavioural monitoring, & micro-segmentation to limit lateral movement within networks all reduce exposure from compromised credentials or devices, limit the blast radius of a breach & enable secure remote work & third-party access.
- Implement Continuous Threat Detection & Response (XDR/SIEM)
Core Principle: Detect early, respond fast, contain effectively.
Through the deployment of Extended Detection & Response (XDR) tools, organisations can correlate threats across endpoints, networks & cloud environments. Using Security Information & Event Management (SIEM) platforms to aggregate & analyse logs in real time, & integrating them with Security Orchestration, Automation & Response (SOAR), allows for faster incident containment.
Outside-the-firewall activities identify threats, & can potentially neutralise them, before significant damage occurs. Monitoring & hunting bad actors across the thousands of clear, deep & dark web sources means businesses can quantify the mentions of & references to their organisation, & better understand their vulnerabilities & the possible vectors for attack.
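As an added illustration (not code from this article or any vendor's product) of the cross-source correlation an XDR/SIEM rule performs: constructed endpoint, network & cloud events are joined on user & time, & a login from a previously unseen geography followed by connections into several internal segments is raised as a possible lateral-movement finding. The event fields, the 30-minute window & the three-segment threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three telemetry sources (endpoint, network, cloud).
# The field layout is an assumption for this example, not any vendor's schema.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "src": "cloud",    "user": "alice", "type": "login",   "detail": "geo=NZ"},
    {"ts": "2024-05-01T09:05:00", "src": "cloud",    "user": "alice", "type": "login",   "detail": "geo=RU"},
    {"ts": "2024-05-01T09:07:00", "src": "endpoint", "user": "alice", "type": "process", "detail": "psexec.exe"},
    {"ts": "2024-05-01T09:08:00", "src": "network",  "user": "alice", "type": "connect", "detail": "segment=finance"},
    {"ts": "2024-05-01T09:09:00", "src": "network",  "user": "alice", "type": "connect", "detail": "segment=hr"},
    {"ts": "2024-05-01T09:10:00", "src": "network",  "user": "alice", "type": "connect", "detail": "segment=payments"},
    {"ts": "2024-05-01T10:00:00", "src": "cloud",    "user": "bob",   "type": "login",   "detail": "geo=NZ"},
    {"ts": "2024-05-01T10:02:00", "src": "network",  "user": "bob",   "type": "connect", "detail": "segment=finance"},
]

WINDOW = timedelta(minutes=30)   # assumed correlation window
SEGMENT_THRESHOLD = 3            # assumed: distinct internal segments reached within the window

def correlate(events, window=WINDOW, threshold=SEGMENT_THRESHOLD):
    """Return findings for users whose cloud login came from a geography not seen
    before for that user, and who then reached >= threshold distinct network
    segments within the window (a lateral-movement pattern)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        seen_geo = set()  # toy baseline: the user's earlier logins define "known" geographies
        for i, e in enumerate(evs):
            if e["src"] != "cloud" or e["type"] != "login":
                continue
            geo = e["detail"].split("=")[1]
            is_new_geo = bool(seen_geo) and geo not in seen_geo
            seen_geo.add(geo)
            if not is_new_geo:
                continue
            t0 = datetime.fromisoformat(e["ts"])
            segments, sources = set(), {"cloud"}
            for f in evs[i + 1:]:
                if datetime.fromisoformat(f["ts"]) - t0 > window:
                    break
                sources.add(f["src"])
                if f["src"] == "network" and f["type"] == "connect":
                    segments.add(f["detail"].split("=")[1])
            if len(segments) >= threshold:
                findings.append({"user": user, "new_geo": geo,
                                 "segments": sorted(segments), "sources": sorted(sources)})
    return findings
```

In a real SIEM the geography baseline would come from weeks of history rather than the first event in the batch; the point is that no single source (cloud login, endpoint process or network flow) is suspicious on its own, while the joined sequence is.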
- Strengthen Governance, Risk Management, & Third-Party Oversight
Core Principle: Cybersecurity is an enterprise-wide responsibility.
Boards need to establish cyber governance & risk appetite frameworks that include assurance that appropriate, regular third-party risk assessments are conducted, & that require security certifications (e.g., ISO 27001, SOC 2).
Boards & C-Suites can perform simulations with scenario planning/tabletop exercises, penetration testing, & supply chain audits to ensure cybersecurity aligns with business risk management & continuity planning in the event of a breach.
The benefits are clear – this reduces vulnerabilities from vendors & partners, supports an evidence-based approach to investment in CRS & ensures regulatory compliance.
Combined, these things all improve stakeholder confidence & boost competitive advantage.
While the regulatory framework might be lagging, that doesn't excuse competent directors from their obligations under other legislation, rules & regulations. Perhaps the simplest: if you are purporting to hold client & other data safely & securely within your business & there is a material breach, at the very least there are remedies available under the Fair Trading Act.
Naturally there are also liabilities that will attach to Directors & Officers under the Companies Act. The non-specific & broad provisions mean that interpretation can be equally wide & open to legal interpretation depending on individual circumstances – director 'care, diligence & skill'