The Hidden Threat to Corporate Survival - How Cyberattacks Can Push Companies to the Brink of Insolvency
A rise in insolvencies in the U.K. this year is putting the spotlight on what companies can do to better protect themselves in an uncertain economic climate. More than 6,000 companies were declared insolvent in the third quarter in England and Wales, near the highest since 2009, according to the government’s Insolvency Service. As financial pressures ramp up and available cash flow is squeezed, it is important to consider factors beyond an economic downturn that could hurt a firm’s financial health and potentially push it to the brink of insolvency.
One factor that companies must prioritize is the risk from cyberattacks. In a 2022 report, over 87% of businesses globally saw cyberattacks as the biggest threat to their financial health[1], with many seeing the immediate and long-term costs associated with recovering from an attack as too big to absorb. In 2023, computer giant IBM determined that the average cost of a data breach is $4.45 million[2]. Operational downtime, remediation activities (including potentially paying hefty ransoms), legal and other expert fees, as well as subsequent fines are all factors that contribute to the cost of recovery. Moreover, an attack also has longer-term effects on a company’s reputation, which may subsequently hit future profitability if customers and investors lose confidence.
Most organisations face some degree of cyber risk exposure, so it is important to have robust cyber systems in place to protect business continuity. Given today’s subdued economic backdrop, it may not be easy for a Chief Information Security Officer (CISO) to request a new budget to prioritise cyber resiliency. However, there are measures that can be taken without burning a hole in the company’s pocket. If organisations have a solid understanding of their current cyber risk exposures, they can streamline cyber spending into initiatives that directly address them. In cases where a budget increase is required, CISOs will be armed with clear and specific justifications. A cyber risk evaluation can help companies formulate a picture of the exact risks they are exposed to. Such an evaluation works to identify what the organisation’s critical assets are, assess the specific types of threats these assets may be exposed to and, ultimately, determine what controls need to be implemented to reduce and/or manage these risks.
Identifying crown jewels
Companies often lack oversight of what their most critical assets are, where they sit and how best to protect them. Many organisations end up incorrectly applying the same degree of protection to all assets regardless of their inherent risk. This means non-critical assets are often over-protected and, thus, over-allocated budget, whilst critical assets are left exposed to risks. The loose definition of a critical asset, or a crown jewel, is one that is crucial to the operation of the business. Importantly, what is deemed a critical asset for one business may be non-critical or even non-existent in another. For example, an online retailer may regard its database of customer spending habits as a critical digital asset, whereas for a manufacturing firm, the crown jewel might be the Industrial Control Systems (ICS) that govern production. If these critical assets are affected by a cyberattack, the organisation suffers a heavy impact. Therefore, protecting such assets in line with their level of exposure is key to bolstering an organisation’s cyber resiliency.
After identifying the crown jewels and understanding what types of attack pose a threat to them, it is important that all risks are prioritised and communicated in a meaningful way to ensure they are understood by all decision makers and, therefore, can be managed effectively. After completing a cyber risk evaluation, CISOs will have a clearer idea of how to protect assets with appropriate measures, be they technical or non-technical.
Assessing deployment of security technology
Organisations also don’t always utilise the full breadth of security technology features they already own. It is worth assessing security technology currently deployed across the organisation’s business landscape to understand full functionality and take stock of current coverage. Through this exercise, organisations often discover overlooked opportunities to enhance protection, leading to cost savings by eliminating tool overlap. Where savings are found, excess budget should be funnelled towards further strategic enhancements to boost resiliency. Moreover, where there is a gap in current controls to treat risks effectively, CISOs will have a stronger business justification to campaign for increased budget.
Once appropriate measures have been determined, cyber security functions should be able to provide evidence demonstrating that cyber risk has been reduced via the application of the chosen controls.
Readiness of response
Ultimately, there is no silver bullet that can protect an organisation from a cyberattack. As such, all organisations should ensure they are equipped to respond to an event with a well-thought-out plan. A good incident response plan can significantly reduce the operational, reputational and, importantly, the financial impact of an attack.
The plan should involve all key stakeholders, with roles and responsibilities clearly defined. It is key that the plan is curated specifically for the organisation and not simply treated as a perfunctory corporate exercise. To ensure the plan has its desired effect, tests should be conducted on an annual basis, with lessons learnt from this activity reflected on and integrated into the plan. Reviews and updates to the plan should also occur annually to address emerging threats and ensure the plan remains relevant and up-to-date. Such a plan will enable the organisation to both contain and mitigate incidents more effectively, drastically reducing the likelihood of the event causing irreparable damage.
Protecting organisational assets and having strong response and recovery functions are key to cyber resiliency. Whilst every organisation’s needs will vary based on their context, they should, at a minimum, consider the following questions when strategising cyber initiatives:
- How are cyber risks being managed within the organisation?
- What additional coverage (tools, processes, technology, staffing) is required to reduce the cyber risk exposure?
- Is the right amount being invested towards maintaining a cyber security programme?
- Is the organisation able to adequately respond to cyberattacks using an effective incident response plan?
- Have appropriate roles and responsibilities been defined and allocated for a crisis committee?
As we have shown, it is paramount for the top management and the board to understand and manage cyber risk to avoid severe financial, reputational and operational losses, which may otherwise disrupt company operations and even potentially lead to insolvency.
[1] Hiscox Cyber Readiness Report, Hiscox, 2022 (https://www.hiscoxgroup.com/cyber-readiness)
[2] Cost of Data Breach Report, IBM, 2023 (https://www.ibm.com/reports/data-breach)