Businesses have ploughed billions of dollars into technology that promises to keep cyber threats at bay. Gartner claims that end-user spending for the information security market is estimated to grow at a CAGR of 8.5% between 2017 and 2022, reaching $170bn.

While technology undoubtedly plays a major role in combating digital threats, other areas have been neglected. Tellingly, mid-market business leaders surveyed in Grant Thornton’s International Business Report (IBR) say that over-reliance on software is their weakest point in managing cyber and privacy-related threats.

It’s encouraging that business leaders acknowledge this. But now they must act, by improving their employees’ awareness and specialist skills in cyber security.

This doesn’t necessarily mean spending more money. In many cases, companies will be able to taper technology spending as they strengthen and invest in their business acumen, processes and in-house skills.

Customer trust is built on more than technology

“It is essential that businesses understand that investing in technology alone is not the only answer to reducing digital risk, and it will not protect them from losing customer trust should the worst happen” says Mike Harris, cyber security services, Grant Thornton Ireland. “A key starting point for companies is understanding the type of business they’re in, and the value they deliver to the customer”.

Once this is understood, companies will have a clearer idea of the potential impact a breach would have on that relationship, and can better work out how to mitigate this, through a range of measures. Internal governance, processes and people are the other crucial ingredients here.

Take a casino chain as an example. Many casino customers are high-net-worth individuals, who take the security of their financial data – such as transaction history and payment information – extremely seriously. The casino can have the best technology systems in place to protect this data, but it is not enough in isolation.

The company must have robust governance procedures, customer relationship managers and trust policies in place to complement the technology and to protect the company’s reputation in the event of a breach. In this example, the value the casino provides to its customer revolves around customer service, trust and entertainment – with technology acting simply as an enabler to make this happen. Therefore, the company’s approach to digital risk must mirror this – with robust trust procedures around in place, complemented by top-class technologies.

Boosting awareness of human risk management

Understanding that there is more to managing digital risk than relying on technology is just the first step. Companies must then take a number of non-tech measures to protect themselves.

New ways to raise awareness

Companies might be investing in sophisticated cyber security technology, but that won’t necessarily prevent the human error that’s behind many cyber breaches. After all, it’s the human workforce that responds to phishing emails and installs unauthorised software.

Managers can address this by increasing awareness of cyber security issues across the business. But how to do this effectively? Businesses have been running cyber security webinars and mandatory training programmes for many years, yet human error continues to open them up to cyber attack. A new form of education is necessary.

Christos Makedonas, technology risk leader at Grant Thornton Cyprus, says that shorter training formats would help. “No one has time to watch hour-long training videos,” he says. “They should be shortened to a maximum of two minutes. You also need visual reminders – such as banners around the office and messages on screens – to remind people of best practice.

“Businesses should then simulate phishing attempts, and the employees that respond to them can then be given further training. We’ve found these sorts of training programmes to be much more successful than conventional webinars.”

Identify vulnerabilities first, invest later

Businesses need to understand where they are vulnerable to cyber attacks and data-protection breaches before investing in preventive software. This requires specialised skills that most cyber security functions don’t have.

“Businesses need cyber security and privacy-related skillsets to help map out their data and understand their regulatory requirements – particularly in a cloud environment,” says Mike Harris, partner, cyber security services, Grant Thornton Ireland. “They also need cyber technology skills around the technologies they are using.

“For example, if you are using cloud services provided by Amazon or Azure, you need to have the security skills in house to work out what they will and will not do regarding cyber security. That skills component is often overlooked.”

Advanced analytical tech needs advanced analytical minds

Many businesses have invested heavily in advanced analytical cyber security technologies that help identify new threats and vulnerabilities. But these are only as good as the workforce that can interpret the results and implement corresponding changes.

“Lots of people look to technology as a silver bullet, but it isn’t,” says James Arthur, partner, head of cyber consulting, Grant Thornton. “Many companies spend a lot of money on AI-driven, behavioural analytics cyber security software, which can be really useful in some circumstances. However, you normally need to spend an awful lot of human time training it to ensure it delivers useful insights. Then, you need a human at the end of that chain who can look at the output and make/approve changes.”

Insure against the inevitable

“There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

These are the words of former FBI director Robert Mueller back in 2012.His message is clear – and just as relevant today as it was seven years ago: a breach is inevitable. It makes a strong case for investing in insurance as another way to manage digital risk.

“Any reasonable cyber security programme has to have an element of detection, response and insurance, because cyber events will happen,” says Harris. “We see increased adoption of insurance that covers both cyber attacks and data privacy regulatory breaches. But while it’s imperative and its use is increasing, the majority of businesses still don’t have this type of insurance or aren’t protecting the right data assets.”

Understand your most valuable data assets and protect accordingly

Businesses should undertake a structured programme to assess and understand their data assets, using a categorisation and classification process. Then, they can identify their ‘crown jewels’ and invest in appropriate insurance cover.

But how do you do this? One way to identify your most critical data is to think like a hacker and then consider the maximum damage they could cause. “The current data security environment is consistently evolving with new threats and vulnerabilities,” says Harris. “Leaders have to be willing to step into the shoes of cyber criminals, understand the threats these groups pose and come up with proactive strategies to protect their business’ interests.”

Which email threads could a former employee leak to embarrass their former managers? What intellectual property and trade secrets would be of interest to a foreign power? And how might a cyber criminal use your data to try to extort money from your business? These are just some of the questions you need to ask before purchasing insurance as part of your digital risk management plan.

Five recommendations for balanced cyber risk management

1. Companies must understand that the increasing amount of data that customers share with brands means that trust is more important than ever. It’s essential that businesses understand the necessity of trust management, and that digital risk policies and procedures go a long way to ensuring this.

2. Traditional approaches to cyber training are not working. Businesses should develop shorter, more frequently distributed training videos and simulate phishing attempts to better educate their workforces.

3. Businesses need to identify and map out their digital vulnerabilities. They need to recruit staff with specialised cyber skills that complement cyber security technical skills. This will ensure that their investment in preventive software is focused on the right areas.

4. All businesses will suffer a cyber attack – no matter how much they invest in preventive software. Investing in insurance can bolster your risk management but it is crucial to insure your most valuable data assets and explore specific insurance that covers both cyber attacks and data-privacy breaches.

5. Once insurance is secured, businesses must be vigilant about adhering to the terms and conditions. If they fail to install updates, it could nullify the insurance.

These recommendations must be implemented in the context of businesses’ specific digital risk environments. The first step for business leaders is to understand their specific vulnerabilities and threats. Only then can they implement the most relevant technologies, training initiatives and insurance coverage.

If you would like to discuss any of the areas raised in this article, please contact our Business Risk expert Georg H. Jeitler