Skip to main content

Article

Fundamental considerations for building cyber risk resilience

Cyber risk remains real – and ever-present – so this Cybersecurity Awareness Month provides an opportunity to implement key measures that can make a material difference in your road to resilience.

Cyber risk remains real – and ever-present – so this Cybersecurity Awareness Month provides an opportunity to implement key measures that can make a material difference in your road to resilience.

The cyber risk environment has become immeasurably more complicated and significant for organizations since the first Cybersecurity Awareness Month in October 2004. Ever-changing and more potentially costly cybersecurity threats are keeping the issue high on the list of organizations’ concerns. And it’s moved from an IT department issue to one that makes, and even drives, the agenda at board meetings.

This underscores how vital it is that organizations prepare now to secure their futures. Cyber risks can be critical business disruptors, as they can crop up anywhere in the supply chain – even several layers down. While there isn’t a silver bullet to managing these risks, putting in place even basic cybersecurity controls and the right best practices, and ensuring they are maintained, can markedly improve your cyber resilience.

Fundamental steps toward resilience start with controls

Cyber risk resilience is making good progress. That’s largely due to organizations focusing on the basics – prioritizing and implementing effective and robust cybersecurity controls.

These controls can include measures such as strong access controls, regular software updates, encryption of sensitive data, and multi-factor authentication.

Such incremental improvements quickly add up and can significantly reduce the risk of cyberattacks and breaches – even from sophisticated attackers.

Understand evolving cyber opportunities and threats

Cyber threats evolve as new technology is deployed and malicious actors adapt their tactics.

Currently, artificial intelligence (AI) is a source of both optimism and concern. Many organizations are exploring the use of AI tools to bolster their cyber defenses, for example by filtering the flood of alerts they generate so the most urgent are sent to a human analyst. However, there is also concern about attackers using AI to find weaknesses or even write malicious code.

Supply chain and third-party risks are another topic climbing the agenda. Even organizations with their own secure and well-managed systems often don’t know how secure their third parties are, let alone fourth parties, and others even further down the chain. A compromised third party can cause disruption by making a supplier unavailable and by opening a route for attackers to infiltrate connected organizations.

Supply chain risk also extends to matters such as privacy. Third parties often handle sensitive data that, if exposed, could have consequences including reputational damage and regulatory sanctions, such as those under GDPR in Europe. The US hasn’t taken such a strict stance over privacy yet, but changes are expected.

Build toward greater cyber resilience

These initial steps toward managing and understanding evolving and complex cyber threats can provide a better perspective into your cyber risk environment.

To further build up resilience, you need to assess and measure your organization's cyber risk appetite. Key questions to ask yourself include:

  • Whiich assets and services are mission critical and must absolutely be protected?
  • What would it cost – in money, time, and reputational damage – if exposed or disrupted?

With this in mind, you can decide what steps are reasonable to protect your organization’s digital footprint.

You also can decide what it would take to recover efficiently and effectively.

  • Focus on ways to recover mission critical operations in the event of a disruption.
  • Use tabletop exercises, vendor assessments, and case studies to help determine what the right defense and recovery measures should be.
  • Establish robust processes and policies, so that everyone knows what they should be doing day-to-day and when a crisis materializes.

Finally, build this into a plan for recovering from an incident – and test it regularly.

Leverage key resources for improvements

Security improvements need not be expensive. There are plenty of resources available to help.

Organizations should make use of internal experts and ensure they are involved in the planning of new cybersecurity platforms and cyber risk responses.

Knowledgeable partners can help too. For instance, Marsh offers a product team, modeling team, advisory team, and the largest cyber risk database in the market. We turn this database into insights, risk mitigation and finance options, and solutions that allow you to understand, measure, and manage your cyber risk.

There are further resources available from governments and international bodies, which often publish standards and checklists that can be cost-effectively applied to secure your organization’s cyber environment. See, for example, the Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute for Standards and Technology (NIST) in the US, and the National Cyber Security Centre (NSCS) in the UK.

Organizations can also connect with informal networks, such as peer organizations and trade bodies. These can often help with sharing best practice and offer warnings of emerging risks.

Maintain best practices all year long

In the ever-changing landscape of cyber threats, there is no finish line.

So while Cybersecurity Awareness Month holds significance, it is essential not to overlook the importance of maintaining your best cyber risk resilience practices and using threat intelligence to stay ahead of potential risks.

This designated month serves as a reminder of the need to secure our future and that the work of ensuring business resilience to the growing complexities of enterprise, operational, and third-party cyber risks should be ongoing throughout the year.

This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modelling, analytics, or projections are subject to inherent uncertainty, and any analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change.
LCPA 24/530

Marsh Pty Ltd (ABN 86 004 651 512, AFSL 238983) (“Marsh”) arrange this insurance and is not the insurer. The Discretionary Trust Arrangement is issued by the Trustee, JLT Group Services Pty Ltd (ABN 26 004 485 214, AFSL 417964) (“JGS”). JGS is part of the Marsh group of companies. Any advice in relation to the Discretionary Trust Arrangement is provided by JLT Risk Solutions Pty Ltd (ABN 69 009 098 864, AFSL 226827) which is a related entity of Marsh. The cover provided by the Discretionary Trust Arrangement is subject to the Trustee’s discretion and/or the relevant policy terms, conditions and exclusions. This website contains general information, does not take into account your individual objectives, financial situation or needs and may not suit your personal circumstances. For full details of the terms, conditions and limitations of the covers and before making any decision about whether to acquire a product, refer to the specific policy wordings and/or Product Disclosure Statements available from JLT Risk Solutions on request. Full information can be found in the JLT Risk Solutions Financial Services Guide.”