Explore the grey areas that impact IT security and cyber resilience.
Protecting IT systems and infrastructure against cyber threats is a strategic priority for enterprises. But as technology ecosystems grow beyond the four walls of your organisation, there may be a number of grey areas where it is not clear who is responsible for security and business resiliency, and who bears the costs if there’s a breach, an outage, a simple error or outright sabotage. Some of the most vexing and persistent blind spots in IT risk assessment, security and business continuity today include:
- Shadow IT: Does your IT risk assessment and business continuity plan account for the risks that arise from shadow IT? Who should be responsible for the resulting cyber incidents?
- Availability coverage by cloud service providers: How reliable and secure are the third-party cloud services the business uses? Who bears the downtime, recovery and reputational cost of a cyber event that begins in the cloud?
- Cyber insurance coverage: What does it actually cover? What is the business liable for in the event of a data breach?
A recent study from Forbes Insights found that these blind spots are creating a false sense of security in many organisations, especially among the executives who are responsible for cyber resilience and safeguarding their organisations’ systems, applications and data.
Shadow IT
Shadow IT is a big challenge for data protection and business resiliency. IT executives say they are having a tough time keeping up with the explosion of non-sanctioned devices and applications. For line-of-business leaders, the democratisation of IT means they no longer have to rely on the IT department to give them the technology they want. They can develop and deploy the applications they need with incredible speed. But the study found that shadow IT is seen as an impediment to improving an organisation's cybersecurity and cyber resilience posture. How will you manage this conflict?
Availability coverage by cloud service providers
Businesses expect a certain level of security and availability from cloud service providers. But the study found that 56 percent of organisations that suffered losses due to cloud incidents were not compensated by their providers. Depending on the delivery model and the SLA, cloud security may be the provider's responsibility, the consumer's, or shared between them: in an IaaS model the provider typically secures the physical infrastructure and hypervisor while the customer remains responsible for the operating systems, applications, data and identities running on it, and that dividing line shifts towards the provider for PaaS and SaaS. Does your organisation revisit its risk assessment and business continuity plan when it consumes or migrates to the cloud?
Cyber insurance coverage
For certain risks, cyber insurance may be a good option. However, the study found that among the executives who had purchased cyber insurance, only 40 percent believed the costs of data recovery and crisis management would actually be covered in the event of a cyber incident. Because the nature of cyber incidents evolves so quickly, insurers often lack the historical data needed to calculate the potential impact and underwrite their policies with confidence. Not surprisingly, there are gaps between the fine print and buyer expectations.
As IT executives look to balance the risks and opportunities of digital transformation, mitigating the risks and impacts of cyber incidents becomes a top business priority. No organisation can completely avoid cyber risks. Organisations can, however, be more diligent and proactive in identifying the blind spots and understanding their impacts, and develop programs and procedures to achieve true business resiliency.