Cyber Risk Management: Awareness alone is not enough
Swiss companies do not integrate cyber risks into their risk management to a sufficient extent. This is the result of a joint study by the Lucerne University of Applied Sciences and Arts, Mobiliar and economiesuisse. Management bodies are aware of the dangers, but cyber risks are still too often treated as a purely IT problem.
Supervisory bodies are increasingly required to fulfill their legal control and supervisory duties in dealing with cyber risks as well, according to the findings of a new study on how companies handle cyber risks. In addition to the legal obligation, there are also good business reasons to invest in cyber risk management, according to the study, which was conducted by the Lucerne University of Applied Sciences and Arts together with the insurer Mobiliar and the business umbrella organization economiesuisse. After all, cyberattacks can cause considerable damage to organizations, which in the worst case can mean heavy fines, a severe loss of reputation, the withdrawal of operating licenses or bankruptcy.
A ship without a captain: lack of statements on cyber risk readiness
According to the study, many companies seem to lack a central foundation for managing cyber risks: none of the organizations surveyed explicitly defined the extent to which cyber risks should be consciously taken in order to achieve business goals. "From a risk management perspective, it's comparable to a ship that doesn't have a captain," says Stefan Hunziker, author of the study and head of the Risk & Compliance Management Competence Center at the Lucerne University of Applied Sciences and Arts. Apparently, the development of so-called risk appetite statements causes great difficulty in practice.
The HSLU study further shows: In dealing with cyber risks, there is a gap between the technical IT infrastructure level and the organizational level. "Cyber risks are still understood too strongly as a purely IT issue. Accordingly, they are managed in a decentralized and operational manner and are not integrated enough into enterprise-wide risk management," explains Hunziker. Here, a discrepancy between the relevance of risk (awareness) and "risk governance" can be observed. "This circumstance prevents a consistent comparison - and thus also a meaningful prioritization - of cyber risks and other risk categories at top management level," says the expert. As a first step in the right direction, he recommends fostering collaboration between the chief information security officer (CISO) and risk manager. "Because this is primarily where the bridge is built between technical cybersecurity and business risk management," Hunziker says.
"People" as a risk factor: additional investments required
Often, the simplest and equally effective measures for dealing with cyber risks are still neglected. Stefan Hunziker: "The definition of cyber risks may therefore also be somewhat misleading, as many causes of risk are not to be found in cyber space, but in human misconduct." The analogy with medicine is helpful: there, it has long been known that correct human behavior prevents the transmission of diseases. Regular disinfection, disciplined hand washing and keeping a distance have been established behavior - at least since the outbreak of the Corona pandemic. The present study confirms that the "human factor," or human behavior, is still too little addressed in the area of cybersecurity compared with technical measures. "The 'human factor' makes up only one element in the continuous improvement process of cybersecurity, but it is a very important one," Hunziker said. Human behavior in dealing with cybersecurity should be trained so that it becomes as natural and "normal" as sneezing into the crook of your arm.
Cyber Risk Management and Cloud Migration
Many cyber risks are caused by cloud usage. This makes it all the more important for organizations to plan their move to the cloud well and accompany it with appropriate measures. "The creation of a clear strategy is at the very beginning of a well-planned migration to the cloud," says Armand Portmann, author of the study and head of Information & Cyber Security | Privacy at the Department of Computer Science at the Lucerne University of Applied Sciences and Arts. Fortunately, the majority of the organizations surveyed have such a document, which describes the framework conditions for the introduction and use of cloud services. This allows the conclusion to be drawn that the topic of cloud computing now also enjoys attention in the management bodies. "There is an awareness that the use of cloud services is associated with risks," says Armand Portmann.
When it comes to naming the risks that arise when using cloud services, however, the organizations surveyed are not at a loss for answers. "Among the top three are loss of confidentiality, or breach of data protection, dependence on the cloud service provider and questions of liability," explains Fernand Dubler, author of the study and research associate at the Lucerne University of Applied Sciences and Arts. The topic is complex. Therefore, he says, it is not surprising that the measures needed to mitigate these risks are not straightforward. Dubler adds, "These measures are extremely diverse and must be developed individually from the specific outsourcing situation. This often poses very significant challenges for the organizations concerned."
Source and further information: Lucerne University