Cybersecurity risks loom large in the risk management process. ERM principles and best practices have been found to boost the robustness of organisations’ cybersecurity and overall technological resilience. This is particularly important in view of the growing number and levels of sophistication of cyberattacks. Very often, the ripple effect and consequences of breaches can linger and recur, if organisations are unprepared to deal with this kind of disruption. No system is safe; just having an online presence nowadays is enough to invite an intrusion. Even more troubling is the possibility that hackers may have compromised the system for the long term.
There have been instances where hackers were in a system for more than a year before their presence was realised. Hacking has now become so advanced that it is no longer carried out by humans; hacking attempts today are more likely to have originated from another machine, not a person. What is even more alarming is the possibility that an organisation’s systems may not be the intended target. These systems become collateral damage as a result of the hacker attempting to access or disrupt some other platform with a more larger agenda, possibly nationalistic or cyber terrorism driven. But there is very little comfort in knowing that when your business has been affected and you’re having to deal with the fallout.
Cybercrime is historically, essentially, opportunistic crime. Hackers or cyberattackers search for vulnerabilities in systems, most often with the aim of gleaning information which they can profit from. These intrusions are covert and may go undetected for very long periods; attackers may even hack a system, then leave a “back door” so they can get back in at their convenience, without the organisation even realising it has been hacked. This is particularly dangerous because backup systems may have been compromised as well. When the main system goes down, the backup system may not be able to function or may have the same contaminated files.
It is therefore insufficient to merely back up files. The IT function has to ensure their integrity as well; this has to be an ongoing activity. One way of ensuring an organisation’s systems can withstand a cyberattack is to have a penetration test that is controlled independently by the Board. This will identify the vulnerabilities present in the systems. Organisations should be aware that no system is impenetrable; it is only a matter of time before their systems are breached. It also depends on how determined cyberattackers are. With this in mind, what can organisations do to protect their systems and the integrity of their data?
Awareness is crucial. They should be aware that there is always the possibility of systems breaches or hacking. All intrusions should be reported to both the Board and the authorities as these may be indications of something larger and more extensive; the breached systems may just be collateral damage. Organised crime has been found to be behind many cyberattacks, which point to the possibility of intrusions as attempts at illegal transactions or money laundering. Breached systems are often used as conduits for the sale of drugs or arms. The IT and cybersecurity departments of companies should always be on their guard, and be able to identify any irregularity in system use or activity.
It is the responsibility of the IT and cybersecurity departments to ensure that antivirus measures and firewalls are up to date. Backup systems should also be fit for service at a moment’s notice; this includes updated documents and confidential data that needs to be integrity-assured. There are also times when cybersecurity needs to be tightened, and IT needs to be on its guard. For instance, if there are labour disputes or when the organisation is undergoing restructuring, redeployment of staff may mean a change in people accessing the system. This is an opportune time for hackers to enter and, under cover of uncertainty and an unsettled environment, “live” in it for an extended time.
What should organisations do to decrease the disruption and damage that cyberattacks can wreak on their systems? Most already have firewalls and other security measures in place to secure their systems as best they can. But they should have a firm policy – a cyberstrategy – that clearly outlines what steps to take in the event of a breach, and how the systems are to be recovered, so that business will be able to carry on without being too badly affected. Many firms are unaware of breaches until notified by a third party, which can be embarrassing and affect their reputation. It is worthwhile therefore to be extra vigilant.
Considering that the volume of online business is growing by leaps and bounds, it is likely that companies will be increasing their virtual presence in tandem and leveraging increasingly on technology to try and maintain their competitive edge. The possibility of hacking, systems breaches and cybercrime can be expected to grow in parallel. The more dependent a business is on its online presence, the more vulnerable it will be to breaches. Any incident is likely to cause a major disruption from which it may be difficult to recover. Cybersecurity is essentially about detection and prevention, and making it difficult for hackers to break in. It is never a good idea to stinge on it. Resources expended on cybersecurity may well be one of the firm’s best investments ever!
