Why are so many organizations exposed to cyber risk?

According to the Institute of Risk Management, cyber-risk is “any risk of financial loss, disruption or damage to the reputation of an [organization] from some sort of failure of its information technology systems.”

And it’s a big problem—some might say the problem of our age.

Allianz Global estimates the annual cost of cyber-crime to the global economy at $445 billion—with $200 billion of that cost borne by the US, China, Germany and Japan alone.

So why do so many organizations ignore it, burying their heads in the sand instead of confronting cyber-risk head-on and developing the resiliency that will protect them?

Accenture offers four challenges they say many organizations face:

  1. Insufficient business involvement. It’s all too easy to dismiss cyber-risk as something that only IT needs to worry about—the responsibility of the information security team or the CIO. But the truth is risk belongs to everyone. Companies, Accenture says, need to view risk as a whole-business issue and manage it accordingly.
  2. Lack of clear ownership. Despite the fact that the entire business should be involved, risk needs to be owned by one division or area in the business. But if that owner is cut off from the rest of the business (for example, a risk management team that has no seat at the executive table), approaches to cyber-risk can suffer from limited visibility.
  3. Over-reliance on changing human behavior. Accenture calls the human element “the weakest link in cyber-resiliency.” Why? Most organizational risk programs focus on using training and communications to change the way people act around risk. But an all-company email educating staff about phishing won’t cut it… Yes, many cyber-attacks are successful because they exploit human weaknesses, but a robust security program should be stopping attacks before they have a chance to get to employees.
  4. Talent issues. Some organizations are faced with trying to hire executives who are either great at IT or great at other business functions—not both. Increasingly, however, cyber-risk will demand talent that can put a foot in both camps.

Cloud computing, the Internet of Things, social media… Technology opens new vistas, but with that promise comes greater cyber-risk. The smart organization would be wise to think differently about risk—and about how to make themselves more resilient.