As enterprises strive to gain value by leveraging technology, the risk associated with digital business is increasing. Theft of personal information and private business information, misappropriation of resources, denial of service, and cybertheft are becoming commonplace, affecting large and small enterprises. Isolated approaches to information security, business continuity and incident response are a thing of the past; today, the urgency of providing continuously available services for customers and business partners in the digital economy requires enterprises to become resilient. A resilient enterprise protects itself from attack, but also recognises that defence is not the end-all. A resilient enterprise needs to connect protection and recovery to the mission and goals of the enterprise, implementing integrated programs in order to provide sustainability of essential services. Board members need to evaluate the operational risk inherent in digital business and direct management to ensure that the enterprise is more than just protected - it is resilient.
The National Association of Corporate Directors recommends that “boards need to ensure that management is fully engaged in developing defence and response plans” and warns that to do otherwise is to place the enterprise’s core assets at risk.
According to a recent Ponemon Institute study, it took enterprises 170 days, on average, to detect an attack by malicious outsiders and 259 days when insiders were involved in the attack.
Cyberresilience is the ability of an enterprise to anticipate, withstand, recover from, and evolve to improve capabilities in the face of adverse conditions, stresses or attacks on the supporting resources it needs to function.
Given the nature of digital business and the value driven by the use of technology to meet stakeholder needs, the following questions may be appropriate for the board to ask:
Is sufficient attention given to the ability to defend against intrusions as well as the ability to recover and restore essential functions and services?
Is the board routinely informed about the potential material operational risk and risk mitigation strategies, as well as incidents that could impact the brand?
To what extent have essential services and functions been identified, and programs implemented to provide for their resilience in the event of a disruption or cyber incident?