Breaking barriers: risk managers and information technology managers need to work together to protect their companies from cyber-crime. (Cover Story: Risk Management)

Cyber-crime is the buzzword permeating U.S. businesses today. More and more companies are facing security breaches that, in some cases, threaten their very existence. Results of the "2002 Computer Crime and Security Survey" by the Computer Security Institute and the FBI showed that 90% of respondents--primarily large corporations and government agencies--detected computer security breaches within the past 12 months. Eighty percent acknowledged financial losses due to computer breaches, and 44%, or 223 respondents, who were willing and able to quantify their losses, reported $456 million in financial losses. The St. Paul Cos. also released an independent study in 2002 about the preparedness of U.S. companies to deal with cyber-risk issues.
The survey found a lack of communication and collaboration between the information technology and risk management departments--a big stumbling block to the proper management of cyber-risks. Although cyber-crime may be the buzzword, businesses don't talk much about how to manage this risk.

View From the Enterprise

To have the most success in managing and containing cyber-risk, companies should employ an enterprisewide approach to risk management. Many businesses guard against cyber-risk exposures by relying primarily on "black-box" technology tools and solutions. For example, companies might purchase and update firewalls, routers, secure servers and anti-virus software to protect themselves from the risks that technology creates. While these technology tools are critically important, they are only part of a total cyber-risk management program. A company must shift its thinking from a "black-box" approach to an enterprisewide approach to best address its cyber-risk exposures. There are three key principles to this approach:

* The integration of IT management and traditional risk management with respect to cyber-risks;
* Senior-level management involvement in and commitment to cyber-risk management;
* Advocating employee awareness and employee training programs at all levels of the company.

Companies will probably differ on the implementation of these principles, depending upon their size and their business strategies. Commitment to and implementation of these principles, however, should be ongoing.
Insurance companies also should evaluate and manage their own cyber-risks and consider implementing an enterprisewide approach to risk management. Although this type of risk management approach is gaining popularity among insurers, it is not yet widely used. Many insurers have begun to recognize that their policyholders are not properly managing cyber-risk exposures. One way to combat this problem is to educate policyholders, agents and brokers on the importance of an integrative, enterprisewide risk-management approach.

A United Front

An enterprisewide approach to risk management seeks to break down the traditional barriers that exist between IT management and risk management. In most companies, these two departments operate independently of one another. The IT department focuses on the day-to-day operations to ensure that the company's IT systems function smoothly. Risk managers focus on issues such as worker safety, vehicle safety, product liability and recall matters, insurance programs and employment-practices concerns. Historically, risk managers tend to view the understanding and management of cyber-risk as the responsibility of the IT department. As a result, risk managers and IT managers miss potential opportunities to work together on the topic of cyber-risk. An enterprisewide approach to risk management calls for committed and regular collaboration between the two areas. This collaboration involves the following:

* Identification of the company's specific cyber-risks;
* Selection of technology-based tools and resources to manage those risks;
* Selection of nontechnology tools and resources to educate all company employees;
* Implementation of the chosen risk-management strategies; and
* Forecasting new risks the company will encounter as business practices and strategies change in the future.
Because IT managers and risk managers have different jobs, training and reporting responsibilities, they must develop a better understanding and appreciation of each other's jobs and pressures. A good relationship involves mutual understanding and appreciation for their primary roles, as well as a commitment to collaborating on common goals. Twenty-first century business risks do not respect traditional corporate boundaries. Collaborative work to identify and manage ever-changing technology risks is the best way for IT managers and risk managers to get their jobs done. A good relationship between IT managers and risk managers helps ensure that the company's expertise is channeled toward the goal of protecting the enterprise against losses.

Senior-Management Commitment

Typically, the senior management of most U.S. companies is not involved in their companies' cyber-risk management. But their involvement and commitment are essential to making the process work. By identifying and managing risks better, businesses can better protect themselves against risks that could have devastating consequences. Few companies buy specific cyber-risk insurance products, and those that haven't might find that a catastrophic cyber-event is uninsured. Unfortunately, it often takes a well-publicized catastrophe, such as the "I Love You" and "Melissa" viruses, to bring about a change in how business is done. It's been said for years that companies should develop and test disaster-recovery plans. Yet the events of Sept. 11 revealed that some companies had failed to test their disaster-recovery plans--only to learn at the moment of implementation that problems existed.
Insurers can encourage their policyholders to implement enterprisewide risk-management strategies by increasing public awareness of cyber-risks; educating IT managers and risk managers about cyber-risks and stressing the benefits of integrated approaches; instructing the companies' insurance agents and brokers to focus on the issue; and scrutinizing management practices. Benefits from these up-front investments will result in a fundamental return--even though quantifying this return is not always easy. The CSI and FBI seek to quantify company losses by conducting annual surveys about computer security breaches. Over the years, the CSI/FBI surveys show that both the number of cyber-risk losses and their financial impact are on the rise. Development of a cyber-risk management strategy can help to minimize potential financial losses.

Employee Training Essential

While it's important that IT managers and risk managers forge a better working relationship and that senior managers commit to implementing an enterprisewide approach to risk management, it's equally important that all employees receive training on understanding and identifying cyber-risk issues. Employees are a company's frontline defense against cyber-risks. The recent survey conducted by St. Paul Cos. about cyber-risks showed, however, that employees--often those who handle sensitive data or have access to corporate resources and databases--get low marks for understanding Internet risk. Employees need to be educated about cyber-risk issues. The St. Paul survey found few companies have developed employee awareness and training programs for Internet risk. Now, more than ever, companies should see that all employees are armed with the proper tools to deal with these risks. Training programs should cover areas such as proper Internet and e-mail usage, password use and management, and workstation security and access control.

Use an Enterprisewide Approach

So, how should businesses establish an enterprisewide approach to risk management? The following steps are important:

* Senior management needs to take an active and continuing role in directing the identification and management of cyber-risk.
* Senior management should set the expectation that corporate groups will systematically work together to identify and manage cyber-risk by setting up in-house committees to work on these issues.
* Senior management and chief financial officers should consider sharing certain portions of IT, risk management and insurance budgets to create a broader and more effective approach to risk identification, management and transfer.
* Corporate communications or public relations departments should work with IT and risk management departments to understand potential cyber-risks and to develop response plans in the event of a cyber-incident.

Fighting for Future Protection

There's no doubt insurance coverages should and will play a greater role in the management of cyber-risks in the future. The federal government, in its 2002 draft report on the "National Strategy to Secure Cyberspace," calls for the development of a bigger marketplace for insurance products to protect companies from cyber-risks. Insurers support this recommendation. Risk transfer through insurance is not enough, however. Companies need to implement an enterprisewide approach to risk management. By bringing all parties to the table--IT, risk management and senior executives--businesses will have taken an important step toward fighting cyber-crime.

Bill Rohde is president of Global Technology Underwriting for The St. Paul Cos., St. Paul, Minn.