DIGITAL TRANSFORMATION
Managing cyber risk
Jeremy Swinfen Green, Charlotte Childs
The risk from digital (computer) technology to efficiency, revenue, profitability or existence of an organisation
Managing cyber risks
What is cyber risk?
Cyber risk
Information risk
The IT department
Just information
Your organisation
A holistic approach
• The IT department
• Just information
• Your organisation
Outsiders
Insiders
Inside outers
Who causes the risks?
• Outsiders: the traditional enemy
• Insiders: the new enemy
• Inside outers: the hidden enemy
*Fines of up to 5% of global turnover?
You can’t stop the hackers…
• So just protect the crown jewels*
  o Personal data
  o Credit card data
  o Strategic information
Insiders – the biggest risk
• Losing devices that contain corporate information
• Leaking strategic information accidentally
• Stealing data for personal gain
• Foolishly compromising log-in details
Why do people show risky behaviour?
• Ignorance of the risk
• Hard to use systems
• Social pressure
• Habit
• Transferring responsibility
• Belief
• Personal
• Empower your communications
  o Multiple platforms
  o Personalisation
  o Incentives (and sanctions)
  o Changes to the rules
Awareness is not enough
• Lack of knowledge
• Lack of belief
• Personal gain
• Cognitive overload
Understanding motives
• Social or outside pressure
• Fun and immediate gratification
• Delegation – not my problem
• I’m in control
• Trusting other people
• It won’t affect me (it never has before)
• No one will know it is me, so why should I worry
“Irrational” people
• Nudging
• Anchoring
• Present bias
• Authority figures
• Community action
• Loss aversion
Dealing with irrational people
• Bring your own device
• Bring your own cloud
• Internet of Things
• Connecting outside the office
• Disposing of devices
• Social media risk
Think beyond the network
• Identify known risks; imagine unknown risks
• Prioritise
• Identify existential risks
• Document
• Review
Identify the risks
• Prepare responses
• Monitor for attacks
• Educate staff
• Test plans
• Plan for after the incident
Plan for the inevitable
• Insurance costs
• New business opportunities
• Reputation
• Employee morale
• Avoidance of costs associated with risk events
Identify the payback – but avoid FUD*
*Fear, uncertainty and doubt as a way of persuading people
• Holistic
• Appropriate
• Agile
• Engaging
• Led effectively
Key management concepts