by Malcolm Marshall

E-crime risk management still a DIY job

Sep 22, 2011

Recent cyber attacks against large organisations have brought e-crime risk rapidly to the top of the board agenda. According to our latest study, the e-Crime Report 2011, the threat level for businesses is also growing swiftly.

And yet the research showed that businesses are shunning e-crime insurance.

Only around a quarter (27 per cent) of security professionals said they have taken out insurance against interruption of business by hackers and e-crime-related data loss.

Many don’t yet know of, or understand, what insurance is available. Many are also sceptical about the effectiveness of current policies and whether insurers will actually pay out against e-crime claims.

Though this may appear reckless, it is understandable.

Recent incidents have shown e-crime insurance falling well short of what today’s businesses require.

It seems that the evolving threat profile and inherent unpredictability of the potential financial effects of e-crime have left the industry behind the curve.

Punishing idleness

While policies race to catch up with today’s needs, organisations must not be idle. There is much that should be done to protect against and mitigate the impact of e-crime.

Worryingly however, our study also found that half (49 per cent) of businesses still lack clear strategies for dealing with e-crime risk.

As the threat landscape continues to evolve, this lack of strategy needs to change, as does the traditional approach to IT security.

Ensuring the continuity of business operations and protecting sensitive data is no longer just about how much is spent, but whether one understands the risk profile and spends effectively.

Over the past few years, big changes have occurred in the cyber threat landscape. Recent incidents demonstrate the serious implications of evolving hacktivist and state-sponsored cyber attackers for all industry sectors.

Raising the stakes

What’s at stake is now sufficiently important that the definition of strategy and investment needs to sit with the board. The level of investment needs to reflect business appetite for risk and support business goals.

Cyber defence should also no longer be thought of as just a security or a technology issue. It is at the very heart of how a business builds trust with customers, as well as how it builds and protects brand value.

Despite having to deal with constantly evolving risk, information security strategies should still be based around a common framework that addresses prevention, detection and response.

However, strategies must be structured so that they are sufficiently flexible and agile to adapt as circumstances change.

Planning for change

Threat modelling, risk assessment techniques and an understanding of the threat landscape should be incorporated to provide intelligence that can ensure available resources are targeted at the right areas.

It is increasingly difficult to predict the nature and severity of attacks.

– Testing and updating incident response capability to make sure it is fit for purpose is therefore vital. There is no point putting your seatbelt on after the crash has happened.

– Effective risk and security management frameworks need to be corporate-wide, proactive, forward-looking and have board-level engagement.

– E-crime risks should also not be viewed in isolation, but considered alongside the other risks an organisation already monitors.

By looking at all risk through the same lens, resources will stretch further, whilst the likelihood of problems falling through gaps between processes will also reduce significantly.

Approaches that attempt to measure and manage risk in silos will undoubtedly fail.

A successful strategy requires risk, security and technology teams to work alongside their colleagues in sales, legal, fraud prevention and crisis management functions, as well as those in charge of procurement, marketing and press relations.

A complete e-crime strategy is truly the best insurance today’s organisations can hope for.

Malcolm Marshall, UK head of Information Protection, KPMG

Pic: m thierry (CC 2.0)