Cyber risk management: Common issues in Asia

There is no doubt that the digital age provides immense opportunities for organisations to grow, become more efficient and revolutionise customer, supplier and staff relationships. Unfortunately, in the course of taking these opportunities they can make themselves vulnerable to cyber threats which are evolving and growing more dangerous. Cyber risks are a clear and present danger to any business ecosystem. The threats are dynamic, broad and sophisticated – traditional approaches to security are too narrow and flat-footed.

The majority of organisations still place the responsibility for managing cyber threats solely in the hands of their IT teams. To effectively manage cyber risk, organisations must be transformed from ones that are centred on security and technology to ones that combine these with business objectives, risk disciplines and cyber security expertise.

Cyber risk management issues in Asia

Cyber risk management is a complex challenge and requires strong executive management support. Its ultimate objective is to build cyber resilience, where an organisation’s systems and operations are designed to detect cyber threats and respond to cyber events to minimise business disruption and losses (including financial, regulatory and reputational).

In light of the significant differences within each organisation’s internal and external environment, there is no single solution to effectively manage cyber risks. However, there are some common cyber risk management issues that most organisations in Asia are facing today.

1. Cyber threats viewed solely as an IT issue rather than a business issue.
In most organisations, cyber risk is owned by chief information officers (CIOs) while cyber threats are managed by the IT team, and it is still treated as an IT issue. PwC’s Global State of Information Security Survey (GSISS) 2016 results (Figure 1 below) also highlighted that more than half (52%) of chief executive officers (CEOs) in Asia do not consider cyber security a top business risk. However, in the new reality, the damaging consequences of poor cyber risk management spill over to impact the entire business.

Figure 1. The role of CEO in Cyber security practice:

2. Lack of common processes and methodologies.
An organisation’s cyber threat-monitoring and analysis activities are often disjointed; for example, spread across multiple locations, maintained by different internal and external organisations, and hosted on multiple systems. This lack of coordination inhibits the ability to gather and manage cyber risk intelligence so as to recognise and rapidly respond to new threats in an evolving cyber security landscape.

3. Cyber risks flying below the radar of management.
The GSISS 2016 results show – as per Figure 2 below – that only 35% of Asian organisations’ boards actively participate in their cyber risk review. While many organisations have processes and controls in place to manage day-to-day operational risks, these often do not address cyber risks. Both operational risks and cyber risks share traits; they are hard to quantify, seem remote, and have a low probability of occurring. Typically, such organisations are designed to meet only minimum levels of regulatory or industry compliance, rather than to identify the risks to the business and implement appropriate safeguards.

Figure 2. Board participation in Cyber security practice.

4. Inability to look at the big picture.
Existing security monitoring is largely focused on identifying and reacting to cyber threats in isolation. Traditional tools are only capable of identifying specific unusual patterns or traffic types and alerting operational teams when something outside the norm is happening.

5. Reluctance to share cyber threat intelligence.
When things go wrong, responses typically only address the specific problem at hand. Few attempts are made to check whether similar problems are occurring in other parts of the organisation or its peers. Often, organisations’ cyber defences rely primarily on data generated by internal monitoring rather than by reaching beyond enterprise boundaries to share insights and experiences with peer organisations.

6. Taking a one-size-fits-all approach.
Many organisations do not consider the value of different assets when planning their cyber risk management strategy – making it difficult to set priorities regarding the investment of resources.

What can be done?

Cyber risk is a business issue, not a technology issue. Cybersecurity needs to be an intrinsic part of any organisation and the executive management team needs to take ownership of cyber risk. Leading organisations in Asia are transforming their organisations from ones that are centred on security and technology to ones that combine these focuses with business management, risk disciplines and cyber threat expertise. The recommendations for executive management teams to build cyber resilient organisations are:

1. Establish cyber risk governance.
The foundation of a strong cyber-resilient organisation is a governance framework for managing cyber risks. This is established by deciding who will be on each of the teams, and setting up operating processes and a reporting structure.

2. Understand your cyber organisational boundary.
An organisation’s cyber vulnerabilities extend to all locations where its data is stored, transmitted, and accessed – by employees themselves, its trusted partners and its customers.

3. Identify your critical business processes and assets.
Organisations should determine what comprises their most valuable revenue streams, business processes, assets and facilities – referred to collectively as “crown jewels”.

4. Understand cyber threats from different sources.
Effective cyber risk monitoring focuses on building a sustainable and resilient approach to putting intelligence inputs from various teams under a common lens to quickly correlate threats in real time.

5. Improve your collection, analysis, and reporting of information.
Organisations should ensure their cyber risk operations team supports three primary functions to build robust cyber and technical threat intelligence capabilities. The three primary functions are: collection and management, processing and analysing, and reporting and action.

6. Plan and respond.
This step includes developing response playbooks, improving cyber threat intelligence gathering capabilities, leveraging cyber insurance options, and upgrading cyber security technologies overall.

These recommendations, if properly implemented, will significantly boost every organisation’s cyber security. The first step of any cyber security journey lies in making sure that management and every level of the organisation take ownership of the necessary tasks as a shared issue.

