Boards must evaluate their corporate readiness for cyber-attacks

Organizations can combat cyber threats by building a robust framework for cyber governance. Boards, management teams and CFOs need not only to devote more attention to this ever-increasing risk, but also to evaluate their corporate readiness for such attacks.

Situation: You log on to the internal portal to extract a report and, to your surprise, the system is down. Your IT Helpdesk is unaware of the problem and unable to help. The Chief Information Security Officer of your company happens to be a close colleague, and you make a random call enquiring about the system outage. Boom! You’ve been attacked, cyber-attacked.

In today’s times, cybersecurity is not just a technology issue. It is a business risk that requires an enterprise-wide response. Rapid technological advancements have turned security on its head and fundamentally transformed the way security was being looked at.
Cybersecurity, and the importance of senior management and board engagement on the issue, has been generating a lot of discussion lately. The wave of security breaches hitting leading organizations across sectors has made it clear that no organization is immune from this threat.

A new trend has recently emerged — we are not attacked for who we are, but what we can give access to. The challenges faced today have altered expectations, strained resources, and caused a paradigm shift in information security.

EY’s Cyber Resilience War Game takes its participants into a simulated world of cyber-attacks, stress-testing organizations’ incident response plans and identifying the strengths and weaknesses of their communications, protocols, and cyber disaster preparedness. The War Game also helps in flagging key areas of concern that require more training and development. During a crisis, collaboration may have to give way to command: this is one key takeaway that EY intends to drive home through its Cyber Resilience War Game.

The CXOs are given a breach scenario customised to their respective industry and are sporadically hit with new situations and information: media reports, competitor statements on news forums, public panic spreading through social media, messages from law enforcement agencies, regulators, government authorities and police, requests from the Chairman and the board, and so on. The pace is quick, engaging and relentless.

EY has successfully completed these Cyber War Games with India’s top 79 CEOs, leading companies across sectors like e-commerce, technology and consumer products, and also at the Parliament for a select few MPs. In the war game simulation, it is most often the CEO who takes up the role of ‘Crisis Officer’, though unprepared to direct the response. It is only after the War Game that organizations realise the importance of having a Chief Risk, Reputation and Crisis Officer. Of course, not all companies can afford to have someone designated exclusively for this. But whoever they are, they have to be given the authority, and it has to be clear.

What makes EY’s Cyber War Game unique is the way the session concludes. For each situation, answers from the CXOs are crowdsourced live and captured on a ‘mind map’. After the session, the mind map is blown up to full size and gives a bird’s-eye view of the organization’s incident management response. This mind map works as a ready reckoner for the CXOs, by the CXOs, which can be used in real-life threat scenarios.

Key takeaways from Cyber War Game:

You’ll never have enough time: Even top executives with years of experience in managing crises aren’t always prepared to handle cyber incidents.

Sought help: The CFO and CMO wanted to hire a crisis communications specialist. The CISO wanted to invest in new network monitoring and behavioural analytics tools. The CEO ignored the usual procurement requests to acquire whatever they needed in the crisis circumstance.

Don’t forget about your employees: While everyone is firefighting with external agencies, organizations often forget to communicate about the cyber-attack situation to their own employees.

Cyber War Game is not just a one-time activity: People come and go, strategies change, but in the end practice makes perfect.

The article first appeared in computerworld.in
