14 Mar 2023
Too many organisations are delegating cyber risks to their IT providers. We are here to demystify cyber risk, debunk the misconceptions organisations hold about it, and show how to manage it properly.
A recent phone call with the Group CEO of a Business Advisory Organisation went something like this:
“Hi Joe, it's Patrick from Cybercraft, just following up on my e-mail from a couple of days ago.”
“Refresh my memory, what was it about?”
“No worries, it was about Risk management.”
“Risk management, oh now I remember, it was about Cyber… my IT department has that covered.”
“Are you sure Joe? Does your IT department have a Risk Management strategy in place? Have they got the bandwidth and budget to monitor and contain any risk?”
“My IT supplier handles all that stuff.”
“Not to sound pushy, I’m sure they provide a great service, but does your IT provider understand your organisation's Risk Appetite? Do they have the expertise in Incident Response and Management?”
“My IT Supplier handles this!” Click…. End of call!
Looking back at this I realise that we were not on the same page to begin with. This CEO thought I wanted to speak to him about an IT issue, which he has delegated to his IT Provider and his IT team. I thought I was talking to the CEO about Risk Management, which is his and his board’s responsibility.
You see, for any organisation to be prepared for a Cyber Incident, the organisation needs to understand that Cyber Risk is not an IT issue. It is an issue that affects the entire organisation.
In New Zealand, over the past 20-plus years, organisations have embraced the concept that Health & Safety is not an HR issue, but impacts the entire organisation, with everyone having a very important role to play. Health & Safety is now incorporated into the organisation's culture. Organisations need to view Cyber Risk in a similar way and adjust their culture to promote safe practices across the board. As organisations found out when adjusting to the Health & Safety changes, an organisation cannot wave a magic wand and contract out its Risk Exposure without taking ownership of it.
One of the biggest issues facing any organisation is that its staff, especially Senior management and specialist staff, are time poor, and adding extra tasks to their workload is extremely difficult. It probably means that priorities need to be adjusted, and the reality is that some tasks may need to be re-assigned or even mothballed. To achieve this, organisations need to have a clear business case for their Cyber Risk Appetite with respect to their Cyber Risk exposure. As more of us are working on the move and remotely, we don’t want any business disruption. A cyber attack or breach will impact your organisation, clients and reputation. This is why it needs to be discussed at an Executive level.
Unfortunately, most IT departments and even IT Providers don’t have the bandwidth, specific experience, or business expertise to deal with this. If you are unsure where to begin, why not reach out to Cybercraft to discuss?