NZ
25 Aug 2019
The 5 Personas Of Cyber Risk Management
Director advisory organisations from around the world have been singing from the same hymn sheet for several years – cyber risk is a key element to enterprise risk
Director advisory organisations from around the world have been singing from the same hymn sheet for several years – cyber risk is a key element to enterprise risk:
“Guidelines from the National Association for Corporate Directors (NACD) advise that Boards should view cyber risks from an enterprise-wide standpoint and understand the potential legal impacts. They should discuss cybersecurity risks and preparedness with management, and consider cyberthreats in the context of the organisation’s overall tolerance for risk.”
The New Zealand Institute of Directors have written a Cyber-Risk Practice Guide subtitled “Put cybersecurity on the agenda before it becomes the agenda”
The Institute of Directors in the UK agree “New reports of data breaches and instances of cyber crime appear each year, contributing to an annual loss of around five billion pounds for the UK economy. It is therefore more important than ever to address Cyber issues at board level in order to safeguard our businesses and employees.”
The Australian institute of Company Directors are on board too “Cybersecurity is a critical issue for boards and senior management. A cyber breach can impact your bottom line, brand and reputation. What can organisations do to address cyber risk and embrace opportunity through change?”
Governments too are the same recommendations for businesses of all sizes
The Australian Small Business and Family Enterprise Ombidsman provide the following advice:
“Develop a business-wide policy so everyone knows that cyber security is a priority, and so the business owners can be seen to be actively engaging with cyber security. If cyber security is thought of as a strictly IT issue, it doesn’t send the message that it’s a top priority, and won’t make your business or staff cyber secure. Because cyber attackers target people just as they target hardware, cyber security is for everyone at every level in the business. Establishing and communicating their responsibilities is vital to build a cyber aware business.”
The UK’s National Cyber Security Centre declares “Companies benefit from managing risks across their organisations - drawing effectively on senior management support, risk management policies and processes, a risk-aware culture and the assessment of risks against objectives. There are many benefits to adopting a risk management approach to cyber security”
Is this Advice being heeded?
To some extent, yes. However it is clear from the data and the headlines that the development of cyber responsible cultures, driven by the board has a long way to go.
Recent Breaches
New Zealand
- Kathmandu Holdings – Customer data lost, fraudulent transactions reported
- Cryptopia – hackers steal $20million in cryptocurrency
Australian Breaches
- LandMark White – major customer data breach
- Cabrini Hospital – medical records breached
US Breaches
- Marriott Hotels – millions of credit cards and passport details stolen
- Equifax - millions of credit records breached
So why are organisations not following the unanimous advice and taking heed of the data?
The experience that we have at Cybercraft has lead us in an interesting direction. From working with organisations of all sizes and natures, we have found that it is the attitude of key individuals toward cyber risk as being of key importance. From this, we have identified 5 cyber risk personas:
Persona |
Attitudes |
Comments |
Denier |
Does not See that cyber risk applies to them because they are:
|
Cyber risk is very egalitarian – much of cyber crime is perpetrated on small businesses who have not taken the risk seriously. On the internet, there is no such thing as too far away, and if you have information and a bank account, you are of interest. |
Abdicator |
Is vaguely aware of cyber risk, but assumes that the IT guys have it under control |
Cyber is “somebody else’s problem”. This lack of due care ensures that the real risks are not being addressed. |
Delegator |
Feels like they have things under control – they have told IT to make sure that they are secure, but do not take an organisational wide approach to cyber responsibility |
Without a considered risk appetite, robust policies and a supportive cyber responsible culture, even the best firewall and antivirus is of little use. |
Usurper |
This person may be inside the organisation, or outside such as a trusted business advisor. Without understanding cyber risk, they either tell the organisation not to worry, or prevent good cyber risk advice from being provided |
This person has taken the decision about cyber risk away for those who are directly responsible for it, i.e. the directors. They are making the call, without carrying the can. |
Engager |
Understands that cyber risk is enterprise risk. Drives a cyber responsible culture. |
Sees opportunity in being at the front of the pack. Cyber as part of the business strategy. Understands the ethical responsibility around holding data. |
Share this article
