The cyber risk landscape is quickly evolving and cyber breaches are becoming increasingly common. Organizations have been slow to catch up with the new threat landscape. The fastest growing threats today are coming from outside the network — digital and social media and third party vendors. Yet organizations are still organized to focus primarily on more traditional IT security risk management. They are not updating their processes and policies or investing in tools and technologies to comprehensively address the latest and fastest growing threats. As the cyber risk landscape evolves, cyber risk management must evolve as well to truly ensure security, privacy and data protection. In addition, the public’s awareness of the importance of digital risk management and attention to how companies handle data and privacy is increasing. Digital risk management can affect consumer trust, customer loyalty and even shareholder value.
As we begin the new year, it’s time to comprehensively rethink how to approach digital risk management and your digital governance. Here are some tips to get started:
• Educate senior leadership and the board on the evolving cyber risk landscape and the importance of including digital and social media risk management in cyber risk management.
Senior leadership and boards need to better understand the current digital risk landscape. According to the 2017 – 2018 National Association of Corporate Directors (NACD) Public Company Governance Survey, boards have a high level of discomfort with cyber-risk management. Only 12% of board members believe their boards possess a high level of cybersecurity knowledge and only 37% feel confident that their companies are properly secured against a cyberattack. This finding was reinforced by JEM’s 2018 State of Digital Risk Management study. One of our survey respondents commented, “You must have the C-suite on board. Ours got burned a couple of years ago and that was the fire we needed to get moving on it.”
• Invest in tools and technologies to proactively identify and manage advanced attacks delivered via email, social media and mobile apps.
Audit your digital landscape. Make sure you have an up-to-date and comprehensive audit of all digital assets to avoid domain fraud and account sprawl. Tools and technologies can proactively scan the web to identify rogue and fraudulent accounts and activity, helping you protect your accounts and alerting you to potential hacks. Monitor social media. Make sure that everyone who is responsible for monitoring social media is aware of the plans and workflow in the case of an attack. Run scenario-based exercises. Finally, audit your technology vendors to ensure that they comply with your security and data privacy policies and standards and are GDPR-compliant.
• Make digital and social media training for employees a priority.
Make sure to include instruction on how attacks such as email phishing happen, password best practices and other measures that protect accounts. Be sure that your employee social media policy includes instructions about how to secure both branded and employee accounts. Make digital risk management training part of the new employee onboarding process.
Offer reverse mentoring for executives, pairing them with digital natives, and keep your training up to date so that it keeps pace with the ever-evolving threat landscape.
• Adopt a comprehensive organizational approach to cyber risk management through the creation of a Digital Center of Excellence.
Ensure cross-functional leadership of digital risk management through the creation of a Digital Center of Excellence (DCOE), which acts as a trusted strategic partner to help teams understand and embed new digital and social media technologies and programs safely and effectively. The DCOE provides digital leadership, oversight, training and best-in-class advice, and communicates best practices. DCOEs provide frameworks to think and act comprehensively and to collaborate and communicate across departments and functions. They are responsible for strategy, oversight and coordination across the organization. DCOEs set standards and best practices and oversee digital governance. Develop employee communications, training and enablement programs to help employees, management and senior leadership better understand, identify and manage these new risks.
To sum it all up, organizations can improve their digital risk management by focusing on people, process and technology. Senior leadership and boards need to better understand the evolving cyber risk landscape and the importance of protecting their organizations from digital and social media risks in addition to more ‘traditional’ cyber threats. Organizations must make training and education for employees a priority and consider creating a Digital Center of Excellence or Digital Governance Center to provide a framework to think and act comprehensively and collaborate and communicate across departments and functions. And organizations must make investments in new tools and technologies to proactively identify and manage advanced attacks delivered via email, social media and mobile apps. Organizations need to adopt a more comprehensive approach to risk management to address new threats coming from digital, social media and mobile. This can be accomplished through more effective collaboration between the growing number of departments and functions responsible for risk management, including not only IT, but also the digital and social media teams, compliance, marketing and others.
The growing number of cybersecurity risks and the expansion of responsibility for managing these risks beyond the IT department make it imperative that organizations rethink their approach to IT security for the digital age. Companies need to understand and address these new risks, including third-party, public and consumerized infrastructure, and internal and external threats.
Wishing you a successful, safe and secure 2019!