Cyber risk has risen up the agenda in recent years, especially because of the focus on digitalisation during the pandemic. The new and emerging technologies of Artificial Intelligence (AI) and Large Language Models (LLMs) offer – or threaten – even greater risk and reward.
McKinsey lays out the dangers of the current risk environment, saying that, “On top of public health and environmental pressures, organisations are subject to many business challenges, social uncertainties and geopolitical tensions. The disruptive currents include accelerating digitalisation, cyberthreats, inflation and price volatility. The dynamic pace of change makes disruption hard to predict, even as they grow in severity and frequency.”
While it cites digitalisation and cyberthreats as potential risks, it must be acknowledged that technology also has a dual role to play as potential risk mitigator. Modern intelligent predictive software, machine learning models and digital twins can help organisations to build foresight and risk modelling capabilities.
Furthermore, technology can also be applied to address specific risks. McKinsey cites the example of one global company that applied next-generation AI technology during the pandemic to monitor and identify unusual ordering patterns and respond accordingly. In this way, advanced technology mitigated the uncertainties, enabled the fulfilment of customer orders and protected the organisation’s reputation.
McKinsey identifies six types of business risk: business model, reputational, organisational, operational, financial and technological. To counter the threat of technological risk, firms must build technological resilience, it argues.
It defines technological resilience thus: “Resilient firms invest in strong, secure and flexible infrastructure to manage cyber threats and avoid technology breakdowns. They maintain and make use of high-quality data in ways that respect privacy and avoid biases, compliant with all regulatory requirements. At the same time, they implement IT projects both large and small – at high quality, on time, in budget and without breakdowns – to keep pace with customer needs, competitive demands and regulatory requirements. If something does go wrong, they maintain robust business continuity and disaster recovery capability, avoiding service disruptions for customers and internal operations.”
However, there are challenges to developing this resilience.
According to McKinsey, they are concentrated in four main areas:
The UK’s National Cyber Security Centre (NCSC) has published an eight-step cyber security risk management framework to help organisations identify cyber risk and build technological resilience. The framework is based on IEC 27005. It is designed to help you understand what a good approach to risk management looks like for your organisation.
The eight steps are:
For smaller businesses or organisations which are new to risk management, the NCSC directs you to its basic risk management assessment and management method. It is designed for organisations with very simple requirements.
If you need help working through these risk management frameworks or using any of the cyber risk toolkits provided by the NCSC, we recommend that you work with your IT partner. Ideally, you should schedule regular board-level meetings with your IT and cyber security partner to develop and maintain an action plan for managing cyber risk and continually improving your cyber security posture as the risk environment evolves.
It’s clear that, in today’s digital world, cyber security must be a board-level consideration. Working with a strategic partner with deep expertise in cyber security is a good starting point.
If your IT company isn’t working with you strategically and proactively to identify and address cyber risk, it might be time to look for a new IT partner.
If you’d like advice or support on any of the topics discussed in this blog, please reach out to our team.
Call us: 0808 164 4142
Message us: https://www.grantmcgregor.co.uk/contact-us