It has always been important for loss prevention executives to understand the top risks facing their businesses and to appreciate what keeps their CEOs up at night, but a report by the World Economic Forum (WEF) shows that times have changed. Now, in the United States at least, cyber attack risk is the top risk to businesses. It is the very thing causing those sleepless nights.
The top risk to doing business in half of the world’s countries is unemployment/underemployment or energy price shocks. In many other countries, failure of national governance, fiscal crises, or asset bubbles are thought to be the primary risk for doing business in the next 10 years.
But in the United States, cyber attack risks pose a greater danger to future profits than any other risk, according to a survey of 750 experts and decision-makers among the WEF’s stakeholder community. Moreover, data theft is the second leading risk in the United States, according to the WEF’s Global Risks Report 2016.
The United States is among a handful of countries that perceive cyber attack risks as the greatest concern to business, joined by Estonia, Germany, Japan, Malaysia, the Netherlands, Singapore, and Switzerland. The constantly evolving nature of cyber attack risks makes them a tough challenge to address, according to WEF experts. “Businesses trying to match this speed in their development of prevention and response methods are sometimes constrained by a poor understanding of the risk, a lack of technical talent, and inadequate security capabilities.”
What do these experts think is key to addressing today’s top business risk? Establishing some clarity on exactly who is in charge.
“Although CEOs worry about rising cyber risks, the ownership of and responsibility for the cyber risk is less clear. Who in the corporation is the actual owner of the risk?” asks the report. “While there are many ‘C-level’ owners (CISO, CFO, CEO, CRO, risk management), each of these owners has differing but related interests and unfortunately often does not integrate risk or effectively collaborate on its management. Defining clear roles and responsibilities for cyber risk is crucial.”
So, too, is acknowledging that prevention won’t reach 100 percent. The sophisticated threats of government-sponsored economic espionage exceed the defensive capabilities of many commercial enterprises, for example. As a result, “the emphasis needs to be on streamlining mechanisms for early detection, response and recovery, to mitigate and better manage the consequences—limiting the damage, and ensuring business continuity.”
Finally, cooperation needs to play a critical role in mitigating cyber attack risk in the years ahead. Although businesses can follow standard industry practices or individually adopt ways to deal with cyber crime, cooperation with law enforcement is necessary, as is coordination throughout the value chain, because attacks can be made through supplier systems.
Resilience in the Face of Cyber Attack Risk
Globally, top risks will likely be very different in a decade than they are today. For example, water crises, not among the top five today, are expected to be at the top of business risks ten years from now. Additionally, “transformative shifts in political and economic power—accelerated by technological innovation, social fragmentation, and demographic shifts—will have profound ramifications for the international security order,” according to the WEF. So how can you prepare?
Focus on resilience because risks are uncertain, say WEF experts. Their report calls for a “resilience imperative” because of the world’s “increasing volatility, complexity, and ambiguity.” Although the exact nature of future emergencies is unclear, it is clear that emergencies affecting operations, such as data breach incidents, can arise and dissipate quickly. Companies that are resilient, prepared both to evacuate company facilities and to bring them back online quickly, will fare best in a world of volatile risk.
This final point hints at the need to improve procedures for re-occupying international facilities. Emergency plans, which often focus on evacuation procedures, sometimes neglect this critical aspect of planning.
Reoccupation considerations should be at the forefront of planning, said Michael Blythe, author of Business Continuity Management. A reoccupation plan should include procedures for sweeping a facility for harmful materials, assessing damage to or loss of materials, and making needed repairs. To avoid risk to personnel and improve resumption of business, companies may want to plan for which staff should return and in what order. Defining occupation safety levels for facilities can also facilitate business resumption. Example:
- Level 1: Only security personnel are permitted at the location.
- Level 2: Only security personnel and critical project managers are permitted at the location.
- Level 3: Security personnel, critical managers, and key staff are permitted at the location.
- Level 4: Security personnel, critical managers, key staff, and the normal workforce are permitted at the location.
- Level 5: All personnel, including corporate leadership, are permitted at the location.
This post was originally published in 2017 and was updated July 23, 2018.