For digital businesses, these are challenging times. While digital technology often brings opportunities and efficiencies, it also brings risk—a lot of risk. Gartner, Inc. predicts that by 2020, 60 percent of digital businesses will have suffered a major service failure due to an inability to manage digital risk in new technology and use cases.
These circumstances apply particularly to financial services firms that are revolutionizing their back office with Robotic Process Automation (RPA), or digitizing their customer interactions through mobile payments and fully online management of services. Our paper, “Making Your Enterprise Cyber Resilient,” takes a look at the concerns facing banks and financial institutions. At the recent RiskMinds International conference I talked about the challenges facing banks and financial firms.
One of the biggest difficulties lies in finding a new way to respond to cyber risk. Financial businesses have often managed cyber risk as they would any catastrophic event: they envision a disaster scenario and prepare accordingly. The problem with this approach is that it rests on false assumptions. A cyber risk management plan that relies on the same backup and recovery plan as a natural disaster or a terrorist attack can quickly fail. Geographically dispersed backups of your data do not help if an active adversary who already holds your production credentials can reach those backups over the network and delete or corrupt them along with the primary copy. For a cyber risk management plan, data should be separated in cyber space rather than only in physical space: backup copies should sit behind separate credentials that the production environment does not use, should be encrypted under keys the production environment does not hold, and should where possible be kept offline or in an immutable store, so that a compromise of production cannot be extended to the backups.
Likewise, businesses often build their defenses anticipating a single, catastrophic event. Some cyber attacks are like that. But, unfortunately, they can also be more like a slow leak, with sensitive data dripping quietly away. Or, as I like to say, fighting cyber crime is more like keeping ants out of your kitchen than keeping a criminal out. The key is this: those ants may never be eliminated entirely, but with the right strategy they can be kept to a minimum.
Firms cannot protect themselves 100 percent of the time against cyber attacks. In our paper, we note that attacks are on the rise and that costs are rising too. For financial enterprises, an attack is a matter of when, not if.
So what’s the answer? For financial firms, one step may be to revisit the evolving strategies around operational risk and compliance built over the past few years. As each of these approaches matured, businesses developed a more comprehensive, process-driven solution to address the issues at hand. They also became more effective at looking across functions and silos to address the highest risk processes.
We expect similar results, over time, when it comes to managing cyber risk. Even better, there are specific steps and actions firms can take now to begin managing cyber risk. Building resilience, versus seeking to manage all the potential leaks, is the essence of a solid approach. See my next post for how to begin.
“Gartner Says 2015 Will See the Emergence of Digital Risk and the Digital Risk Officer,” Gartner, July 10, 2014.