By Philip S. Renaud, II, MS, CPCU, Executive Director, the Risk Institute
Malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016, according to a recent report from the White House. When it comes to cyber risk, effective risk management can mean the difference between achieving prosperous growth and bankruptcy.
Research from The Risk Institute, a research center at The Ohio State University, found 28 percent of financial, non-financial, public and private firms have been victims of a cyber-attack. Thirty-three percent of firms don’t think that they are at risk of a cyber-attack.
The firms who choose to turn a blind eye to the risks of a cyber-attack are doing themselves and their companies a disservice. The risk is enormous: cyber-attacks can shut down industrial facilities, utilities and infrastructure systems, interfere with military operations and compromise national security, yet firms according to our survey are continually decreasing their risk management units. The growing dependence on cyber networks means a cyber-attack is one of the few threats that can have truly national implications.
In 2018, a cyber-attack is not an “if” scenario. It’s a “when”.
Leaders in all industries need to understand the implications of security breaches and how to prepare before a crisis. The cyber defense will continue to be a major task for companies. According to the Risk Institute research, 65 percent of companies feel that they are somewhat or extremely vulnerable to a cyber-attack, and 28 percent acknowledge being a victim of one. A 2017 national survey from Nationwide Insurance found nearly half of businesses have been the victims of cyber-attacks.
So in the face of overwhelming odds that your company will be the victim of a cyber-attack, what’s the answer?
Resilience is the capacity of an enterprise to survive, adapt and grow in the face of turbulent change.
Resilience means improving the adaptability of cyber networks, collaborating with stakeholders and leveraging information technology to assure continuity, even in the face of catastrophic disruptions.
Resilience goes beyond mitigating risk; it enables a business to gain competitive advantage by learning how to deal with disruptions more effectively than its competitors and possibly even using those disruptions to its advantage.
Resilient systems don’t fail in the face of disturbances; rather, they adapt.
In order for a business to become resilient, they don’t necessarily need fancy software or consultants to get started. Businesses often just need to use the resources at hand to implement business continuity planning and then test that plan through crisis and/or business simulation exercises.
Business continuity planning is a building block of enterprise risk management, but it’s often overlooked because of its perceived simplicity. The core components of business continuity are prevention, response, resumption and recovery. Prevention means protecting corporate assets and managing risk before a crisis. Once a crisis occurs, the business response is to manage the incident while protecting life and property and working to resume time-sensitive operations as soon as possible. Once essential operations are back up and running, the business should work on recovering other operations, while repairing and restoring facilities and contents.
Once the business continuity plan is in place, it is vital for a company to test the plan through a crisis simulation. The crisis simulation can be as simple as a tabletop exercise with representatives from each business function working through a scenario using the business continuity plan as the map to the solution. These exercises are typically multi-day events that stress-test the firm’s business impact analysis.
In addition to the business continuity plan and crisis simulation, a company can show its commitment to resilience by investing in predictive analytics. Predictive analytics is one of the most exciting developments for enterprise risk management over the last decade; it allows a business to be more resilient and adapt faster during a crisis, especially a cyber-attack, by determining the probability of future outcomes and allowing a firm to create a plan ahead of time.
And yet 55 percent of firms do not utilize predictive analytics and those that do have only been using them for the last two years.
It is evident there is a lot of room for businesses to become more resilient to a cyber-attack. Building resilience is not a one-and-done corporate objective — it’s an ongoing process that enables companies to embrace change in a turbulent and complex business environment by expanding their portfolio of capabilities.
At The Risk Institute, we help corporations prepare for risk — before problems become a million dollar setback. The Risk Institute at The Ohio State University’s Fisher College of Business exists to bridge the gap between academia and corporate America. By combining the latest research with the real-world expertise of America’s most forward-thinking companies, the Risk Institute isn’t just reporting risk management’s current trends — it’s creating tomorrow’s best practices.
About the Author
Phil Renaud Headshot: Linked.Phil Renaud, Executive Director of The Risk Institute
Phil Renaud joined The Risk Institute from Risk International, where he served as a managing director and led the Columbus offices. With more than 25 years of experience creating and managing several large multi-location, international risk management departments, he has extensive expertise in the practice of risk management, direct insurance, and safety and health. In addition to his position at Risk International, Renaud managed risk programs at Deutsche Post/DHL (Supply Chain), Kmart Corporation, Limited Brands, Inc. (L Brands) and, prior to that, SCOA Industries Inc. (Shoe Corporations of America). He is a regular speaker at various national, regional and local risk management forums. He also serves on the Board of Directors for the National Kidney Foundation of Ohio, Kentucky, Middle and Eastern Tennessee and board chairman for Central Ohio, serves on the board for the Make-A-Wish Foundation of Ohio, Kentucky and Indiana and on the Foundation Board for the Knox Community Hospital in Knox County, Ohio, and is the Board Director for Columbus Humane.