Fending off cyberattacks requires more than the best anti-virus technology; it also demands a shift in culture.
Research shows that while technology may be necessary to keep malware, viruses and other forms of electronic intrusion at bay, it is insufficient. That is because the weakest link often turns out to be people who are either careless or not properly trained in cybersecurity processes.
For example, ransomware — malicious software that encrypts files and then demands payment for the key needed to decrypt them, with no guarantee that paying will actually restore the data — is usually introduced into an organization's computer system when an unsuspecting employee clicks on a link or opens an attachment in an email that appears to be legitimate. In November 2015 the U.S. Federal Financial Institutions Examination Council warned banks about a continued sharp rise in cyberattacks using this type of malware.
Ransomware is but one example. User error, loss of equipment, insider sabotage, spam and phishing — these are all examples of how even the best software cannot protect a company or government department if its employees fail to stick to the rules. The role of human beings in cyber risk is so significant that PwC, a leading consultancy, reported in a 2015 survey that employees are the most-cited culprits of information-security incidents.
It is true that technology can reduce the risk of human error through warning prompts, passwords and other security controls. Yet any chief executive who assigns total responsibility for managing cybersecurity to the technology or IT department is taking a big risk.
So how can we address the risk posed by careless, badly trained or malevolent people? First and foremost, develop and instill a strong risk culture in your organization.
The Financial Stability Board, a body that monitors and makes recommendations about the global financial system, said that a shared understanding of an organization's risk culture is "crucial" so that everyone knows what behavior is expected of them.
According to the FSB, a strong risk culture begins with a senior leadership team that is transparent and open to criticism, has documented all risk management responsibilities and encourages the desired behavior. The culture they instill guides the behavior of colleagues throughout the organization so that it becomes second nature for everyone to act in ways that help mitigate cyber risk.
This requires the establishment of a robust governance structure that sits atop the many silos of a large bank. Among other things, this structure should include a cybersecurity orientation program for new hires (including board members), an internal control framework, an annual testing and certification process for employees and an incident reporting system.
It should also involve constant attention to the policies, procedures, standards and guidelines demanded by an effective cyber-risk strategy. In other words, it demands that employees obey the rules. But it also means more than that. Senior executives must set an example through their own behavior. Developing and integrating an appropriate risk culture should be an important corporate governance goal, not just for senior executives but also for the board of directors. It's vital to set the tone right at the top. Cybersecurity messages must be repeated, and there must be a way of measuring whether the rules are actually followed, for instance the click rate in simulated phishing exercises or how quickly staff report a suspicious email, so that weak spots can be quickly identified.
The human resources department can — and should — play a key role. HR should partner with senior management and the board to identify the drivers of people risk. Then they should draw up a plan to correct shortcomings. That plan should be cemented into the corporate culture through a companywide transformation program. Some organizations see this as a training activity. However, a coordinated response to one of the biggest risks that a bank faces needs to have a higher priority than, say, a one- or two-hour training course.
Developing a risk culture can be costly and time-consuming, but the effort is worthwhile. An effective risk culture can boost productivity and have a positive effect on earnings and on the value of the organization. A tightly integrated risk management strategy could even become self-funding as avoided losses begin to offset the costs.
As the new cyber-risk culture takes hold, every person in the organization — no matter what their job — becomes a line of defense, not only against cyberattacks but against business risk in general. That benefit alone is a commanding reason to develop and integrate a risk culture into your organization.
Chami Akmeemana is managing director of global markets at the Global Risk Institute, which does research into best practices in financial industry risk management. Guy Pearce serves on the Board of the International Institute of Business Analysis and is a consultant specializing in strategy, risk, data and technology.