Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/15/2021
01:00 PM
Steve Durbin
Steve Durbin
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

6 Tips for Managing Operational Risk in a Downturn

Many organizations adjust their risk appetite in an economic downturn, as risk is expanded to include supplier and customer insolvency, not to mention cash-flow changes.

Many organizations have gone through unprecedented changes in the past year. While some have struggled to cope, others have proven resilient in the face of uncertainty. To handle adversity gracefully and emerge from a period of hardship in good shape requires a deep understanding of your business. To manage operational risk effectively, you must identify threats, craft incident response plans, and establish visibility.

Underpinning a successful strategy is the agility to act swiftly in the face of rapidly changing circumstances. There are various steps any organization can take to gain deeper insight into operations and establish a holistic picture of the threats that matter most. The urgency that a downturn creates can be an opportunity for positive change to build greater resilience.

Related Content:

The Yellow Brick Road to Risk Management

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: 9 Modern-Day Best Practices for Log Management

Many organizations also find the need to adjust their risk appetite in a downturn as operational risk is expanded to include potential risks directly related to downturn such as insolvency of suppliers and customers, and changes to cash-flow patterns, all of which may have been based upon more predictable trading periods.

Understand Your Risk Appetite
It's crucial to have a clear picture of the risk that your business is prepared to endure. Different businesses will have different tolerances, in terms of the downtime they can handle and what their customers will put up with. The process of identifying where the major risks lie isn't just about informing mitigation strategies, it can also be a catalyst for necessary change. A dynamic landscape and shifting external pressures can shine a light on areas that require investment, or even parts of the business that must evolve.

Be pragmatic and realistic; risk appetite may have to shift significantly during a downturn. 

As consumer behavior changes, organizations must look beyond maintaining current customer experiences and cater to emerging demand. Traditional retail might close their brick-and-mortar stores, for example, and transition to exclusively online business.

Take a Risk-Based Approach
While compliance is essential, and easily digestible for company boards, a box-ticking approach to cybersecurity cannot cater to the unique risks that each business faces. Transitioning from a compliance-based approach to a risk-based approach is challenging, but the two are not mutually exclusive. What's vital here is that you align your approach with the overall business strategy and demonstrate the benefits to secure board buy-in. 

Monitor the Threat Landscape
Before you can craft an effective risk-based approach, you must build a clear picture of the threats your organization faces. There are many commonalities, but the precise make-up of the threat landscape is unique to each business. Geopolitical instability has precipitated an enormous change in recent months with a rapidly shifting cast of bad actors with an ever-growing capability to harm. 

Any snapshot of the threat landscape will be rapidly out of date. Organizations must continuously monitor the situation and keep tabs on trends in organized criminal gangs and nation-states. This is complicated when your business operates across multiple jurisdictions because you must learn not only what different threat actors are doing in those geographies, but also what the regulatory landscape is like.

Plan Crisis Management
With a clear plan in place and responsibilities delineated, you can work through any crisis. Make sure that you craft policies and incident response plans to cater to a diverse range of scenarios. When a problem emerges, employees should know what's expected of them. Empower individuals to take charge and to report back regularly to upper management and the board. Knock down roadblocks to swift action and demolish walls between silos to ensure that different people across your business can work together effectively to resolve issues and guard against any repeat. The whole business must be accountable to spread the load and build understanding across departments and geographies.

Establish Transparency in the Supply Chain
While internal visibility is crucial, you can't afford to leave third-party partners to their own devices, but sending suppliers many streams of audit forms is not effective. Security becomes a tick-box exercise where partners have an incentive to tell you what you want to hear. It's better to share specifics and make your expectations of partners crystal clear. Ensure your supply chain is transparent and fully informed by your risk appetite and threat monitoring to effectively manage risk and enable the agility to drive future success.

Share Intelligence and Foster Collaboration
We've highlighted the importance of transparency across your business and throughout the supply chain so that everyone takes responsibility and works together, but this spirit of sharing and collaboration can spread further. Work closely with partner organizations, establish intelligence-sharing in your sector, and talk to government departments and even other industries about the threats they have encountered. 

Cybercriminals and other attackers share tactics and success stories. When we fail to share intelligence, the only real winners are the bad actors. They can deploy the same attacks successfully with a range of organizations unless we discuss our experiences and collaborate on defensive strategies to shut them out.

Coping with heightened operational risk during a downturn is a challenge for every business, but it's far from insurmountable. Strive for transparency, plan for the worst, and pull together across departments, third-party partners, and the wider business community to create a united front.

Steve Durbin is CEO of the Information Security Forum, an independent, not-for-profit dedicated to investigating, clarifying and resolving key issues in information security and risk management. He is a frequent speaker on the Board's role in cybersecurity and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27952
PUBLISHED: 2021-08-03
Hardcoded default root credentials exist on the ecobee3 lite 4.5.81.200 device. This allows a threat actor to gain access to the password-protected bootloader environment through the serial console.
CVE-2021-27953
PUBLISHED: 2021-08-03
A NULL pointer dereference vulnerability exists on the ecobee3 lite 4.5.81.200 device in the HomeKit Wireless Access Control setup process. A threat actor can exploit this vulnerability to cause a denial of service, forcing the device to reboot via a crafted HTTP request.
CVE-2021-27954
PUBLISHED: 2021-08-03
A heap-based buffer overflow vulnerability exists on the ecobee3 lite 4.5.81.200 device in the HKProcessConfig function of the HomeKit Wireless Access Control setup process. A threat actor can exploit this vulnerability to force the device to connect to a SSID or cause a denial of service.
CVE-2021-31630
PUBLISHED: 2021-08-03
Command Injection in Open PLC Webserver v3 allows remote attackers to execute arbitrary code via the "Hardware Layer Code Box" component on the "/hardware" page of the application.
CVE-2021-32772
PUBLISHED: 2021-08-03
Poddycast is a podcast app made with Electron. Prior to version 0.8.1, an attacker can create a podcast or episode with malicious characters and execute commands on the client machine. The application does not clean the HTML characters of the podcast information obtained from the Feed, which allows ...