Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
01:00 PM
Steve Durbin
Steve Durbin
Connect Directly
E-Mail vvv

6 Tips for Managing Operational Risk in a Downturn

Many organizations adjust their risk appetite in an economic downturn, as risk is expanded to include supplier and customer insolvency, not to mention cash-flow changes.

Many organizations have gone through unprecedented changes in the past year. While some have struggled to cope, others have proven resilient in the face of uncertainty. To handle adversity gracefully and emerge from a period of hardship in good shape requires a deep understanding of your business. To manage operational risk effectively, you must identify threats, craft incident response plans, and establish visibility.

Underpinning a successful strategy is the agility to act swiftly in the face of rapidly changing circumstances. There are various steps any organization can take to gain deeper insight into operations and establish a holistic picture of the threats that matter most. The urgency that a downturn creates can be an opportunity for positive change to build greater resilience.

Related Content:

The Yellow Brick Road to Risk Management

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: 9 Modern-Day Best Practices for Log Management

Many organizations also find the need to adjust their risk appetite in a downturn as operational risk is expanded to include potential risks directly related to downturn such as insolvency of suppliers and customers, and changes to cash-flow patterns, all of which may have been based upon more predictable trading periods.

Understand Your Risk Appetite
It's crucial to have a clear picture of the risk that your business is prepared to endure. Different businesses will have different tolerances, in terms of the downtime they can handle and what their customers will put up with. The process of identifying where the major risks lie isn't just about informing mitigation strategies, it can also be a catalyst for necessary change. A dynamic landscape and shifting external pressures can shine a light on areas that require investment, or even parts of the business that must evolve.

Be pragmatic and realistic; risk appetite may have to shift significantly during a downturn. 

As consumer behavior changes, organizations must look beyond maintaining current customer experiences and cater to emerging demand. Traditional retail might close their brick-and-mortar stores, for example, and transition to exclusively online business.

Take a Risk-Based Approach
While compliance is essential, and easily digestible for company boards, a box-ticking approach to cybersecurity cannot cater to the unique risks that each business faces. Transitioning from a compliance-based approach to a risk-based approach is challenging, but the two are not mutually exclusive. What's vital here is that you align your approach with the overall business strategy and demonstrate the benefits to secure board buy-in. 

Monitor the Threat Landscape
Before you can craft an effective risk-based approach, you must build a clear picture of the threats your organization faces. There are many commonalities, but the precise make-up of the threat landscape is unique to each business. Geopolitical instability has precipitated an enormous change in recent months with a rapidly shifting cast of bad actors with an ever-growing capability to harm. 

Any snapshot of the threat landscape will be rapidly out of date. Organizations must continuously monitor the situation and keep tabs on trends in organized criminal gangs and nation-states. This is complicated when your business operates across multiple jurisdictions because you must learn not only what different threat actors are doing in those geographies, but also what the regulatory landscape is like.

Plan Crisis Management
With a clear plan in place and responsibilities delineated, you can work through any crisis. Make sure that you craft policies and incident response plans to cater to a diverse range of scenarios. When a problem emerges, employees should know what's expected of them. Empower individuals to take charge and to report back regularly to upper management and the board. Knock down roadblocks to swift action and demolish walls between silos to ensure that different people across your business can work together effectively to resolve issues and guard against any repeat. The whole business must be accountable to spread the load and build understanding across departments and geographies.

Establish Transparency in the Supply Chain
While internal visibility is crucial, you can't afford to leave third-party partners to their own devices, but sending suppliers many streams of audit forms is not effective. Security becomes a tick-box exercise where partners have an incentive to tell you what you want to hear. It's better to share specifics and make your expectations of partners crystal clear. Ensure your supply chain is transparent and fully informed by your risk appetite and threat monitoring to effectively manage risk and enable the agility to drive future success.

Share Intelligence and Foster Collaboration
We've highlighted the importance of transparency across your business and throughout the supply chain so that everyone takes responsibility and works together, but this spirit of sharing and collaboration can spread further. Work closely with partner organizations, establish intelligence-sharing in your sector, and talk to government departments and even other industries about the threats they have encountered. 

Cybercriminals and other attackers share tactics and success stories. When we fail to share intelligence, the only real winners are the bad actors. They can deploy the same attacks successfully with a range of organizations unless we discuss our experiences and collaborate on defensive strategies to shut them out.

Coping with heightened operational risk during a downturn is a challenge for every business, but it's far from insurmountable. Strive for transparency, plan for the worst, and pull together across departments, third-party partners, and the wider business community to create a united front.

Steve Durbin is CEO of the Information Security Forum, an independent, not-for-profit dedicated to investigating, clarifying and resolving key issues in information security and risk management. He is a frequent speaker on the Board's role in cybersecurity and ... View Full Bio
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file