
View from the Chair: Does your organisation behave in a risk intelligent way?

There is certainly never a dull moment in Westminster. After a series of scandals that culminated in the departure in September of Boris Johnson from Downing Street, and the subsequent appointment of not one, but two new prime ministers since, the furore surrounding Suella Braverman's use of a personal Gmail account for government business may seem like small fry in comparison.

Events of the last few years have shown the truth of Murphy’s famous first law: ‘Anything that can go wrong will go wrong’. It’s sometimes extended to add: ‘…and at the worst possible time’.  

Despite this, many organisations are not adequately prepared for even the most predictable of risks. High on the list of known threats that people and organisations still don't take seriously enough is data security. Despite high levels of awareness, many organisations lack the preparation needed to maintain their defences, or to respond to cyber-attacks and other digital risk events, in a robust way.

It's not that organisations don't have data resilience and intrusion defence practices on paper: nearly all do. The question is how robust those practices prove to be under a real attack, and how well they are supported by staff discipline and care. It may be acceptable to lead with technology as your primary defence, as long as you are also focusing on risk-intelligent behaviour and effective business practices, which is to say the human factor.

Internal lapses in common-sense practice around data security and device protection remain one of the main ways attackers gain initial access. This is particularly the case for high-value targets: individuals with access to valuable information.

If these individuals forward business content to personal email accounts or WhatsApp groups, which moves it outside the organisation's access controls and monitoring, open emails and attachments from unknown but superficially credible senders, or use unmanaged personal mobile phones for work, each of these habits widens the attack surface and compounds the ongoing risk.

Part of your strategy should address these cultural weaknesses around security. The important thing is to recognise that these are not risks worth taking. Unlike most risk decisions, there is no trade-off to weigh here: these high-risk activities deliver no business benefit that could justify the exposure they create. They are simply bad practice.

A good place to start is by reviewing your internal cyber risk management procedures and identifying where a breach could occur. You will then want to work out how to address those risks. This will certainly include technical mitigations and architectural approaches such as zero trust, but you must also strengthen proactive defences and double down on staff education, awareness and understanding of best practice in protecting confidential information.

The IRM can help you think through how new technologies and digital disruption are changing the risk environment and posing new challenges. Its Digital Risk Management Certificate, developed with the University of Warwick, gives insights into the causes, consequences, and potential impact of digital disruption on your business. The Cyber Risk Resources for Practitioners guide helps risk professionals and senior executives demystify cyber risk as an issue, and the Cyber Group provides a professional community that collaborates to address and integrate cyber risks into organisations’ overall risk approach and activities.  

Focusing on the human factor is one of the best ways to build your cyber-attack defences. Well-trained and disciplined staff will be aware of the changing risks and threats your business faces and will learn to behave in a risk-intelligent way.

Stephen Sidebottom, IRM Chair
