Defending an organisation against the sophistication and professionalism of modern cyber criminals is not an easy task. Never before have cyber criminals been so well organised and equipped, possessing hacking skills that many enterprises would pay top dollar for.
Such enterprises have begun investing in the right skills and tools to best defend their business against such hackers, but it remains a challenge. That makes it all the harder to accept when, despite investment in technology and systems, employee error or oversight turns out to be responsible for a data breach or other cyber attack.

Organisations must adopt a continuous approach to cyber security

Cyber security is a critical business issue. The volume, sophistication and severity of attacks over the past few years have highlighted just how tough a challenge it can be to defend an organisation against cyber attack.

The situation hasn’t always been helped by CEOs and other board members. In public they speak confidently about the need to keep their customers’ data secure, yet they do not always back up their words with the requisite action.

For many organisations, budget and resources for cyber security have not been what they could be, with CEOs not always acknowledging that cyber security in 2019 is a much trickier proposition than it was a few years previously. It requires professionalism and specialist expertise to combat the threat posed by cyber criminals, and these are qualities that internal IT security teams do not always have.

The situation does look as though it is changing, however. New research has recently emerged that shows CEOs are now more willing than ever to invest in the right skills and tools for cyber security. What is the best approach for organisations keen to manage cyber security better in 2019?

A renewed focus on cyber security?

Earlier in 2019, the 2019 Computer Weekly/TechTarget IT Priorities research was released, a survey of 1,578 IT decision-makers in EMEA that focused on where they would be spending their IT budget over the following 12 months.

The findings make for encouraging reading for anyone involved in cyber security. When respondents were asked for their main spending priority, cyber security and risk management (32%) was named second only to IT automation (33%).

This renewed focus on cyber security was further highlighted in the survey: 39% of EMEA respondents said that their budget is expected to increase in this area, a sign that perhaps CEOs are finally starting to take cyber security as seriously as it needs to be taken.

Spending on compliance for GDPR has dropped, according to the research findings, but the additional focus GDPR has brought on data protection in Europe has surely played a role in the increased spending on cyber security. Organisations are increasingly viewing data breaches as a business risk, which is an important development in keeping cyber security tight and effective.

But organisations are still at risk

It would be complacent, however, to think that European organisations now have full control of their cyber security. Another recent study by security company Tripwire revealed that 34% of IT professionals in Europe admitted that their organisation had been breached as a result of an unpatched vulnerability.

Many vendors publish new fixes every month, and this volume of patches can mean that there is a delay in securing critical systems, leaving a window of vulnerability. Just under half of respondents in the survey aim to deploy a security patch within a week, while more than 90% said they would do so within a month.

Such delays are potentially critical, and they highlight the need for a more ongoing and continuous approach to cyber security, in order to give under-pressure IT teams the support they require.

Addressing cybersecurity with confidence

Getting the board behind cyber security efforts is a vital component of addressing IT risk effectively. The research showing how European IT decision-makers are increasing their spend on cyber security is a good indicator that this is starting to happen.

But boards also need to think of cyber security as a business risk – it really is that important. A city in Florida has just agreed to a $600,000 ransom payout to hackers that took over its systems three weeks ago. Riviera Beach City Council voted to give in to the cybercriminals’ demands, and had in fact already voted to spend almost $1 million on new computers and hardware following the incident.

Looking at IT security through a business lens may well have helped address an issue like this before it even took place. But having the right tools in place to manage IT risk is arguably the most important element of cyber security. The real-time monitoring of threats, ensuring cyber security is a continuous and ongoing process, is a technology solution that Oxial specialises in.

We work with a range of experienced and first-in-class third parties and consultants to complement our native technology, and it has proven to be a highly effective proposition for maintaining cyber security on an ongoing basis. We provide users with an integrated, real-time view of IT risks, assessing their impact and giving good notice so that measures can be taken in time to address them.

IT risk is best managed as part of an overall GRC focus, and this is most effective when addressed in a continuous way.

For more details about Oxial’s solution and how it can help with cyber security, please click here.

The second iteration of the EU’s Markets in Financial Instruments Directive (MiFID II) came into being on 3 January 2018, and it is fair to say that opinion has been divided, on both the motives behind its launch and also its success so far.
The initial objective of MiFID II was to strengthen investor protection and improve the functioning of financial markets by making them more efficient, resilient and transparent. This transparency into buyside and sellside trading activities across all the major asset classes in the capital markets industry was a major factor, but MiFID II hasn’t been universally welcomed.

For decades now, business has been very international. Companies – especially the bigger and mid-sized organisations – regularly trade in countries all over the world, and many of those companies will have a presence in a good number of those countries.

Business risk comes in many different guises in 2019. Strategic, reputational, compliance, financial, political… the list goes on and on. The breadth, depth and variety of risk in modern business makes the task of efficient, effective and smart risk management even harder for many organisations.

It has been almost a year since the European Union’s (EU) General Data Protection Regulation (GDPR) first came into effect. After many years of discussion and debate, the biggest change to data privacy laws in a generation was finally brought in on 25 May 2018 to protect consumer privacy in the internet age. It’s probably too soon to accurately assess whether it has been successful or not, but it has certainly been impactful.

We’ve written previously about the potential of Artificial Intelligence (AI) to transform compliance. The power of AI to process, manage and analyse large volumes of data accurately, quickly and efficiently means that it is well suited to certain elements of compliance.
GDPR is a perfect example. It requires huge volumes of data to be checked for compliance, and using an AI-based automated tool makes a great deal of sense. But GRC teams have generally been resistant to the use of AI in compliance.
What is behind this slow adoption and could 2019 be the year that AI truly has an impact on regulatory compliance?

It’s clear to anyone who works in risk management that it is harder than ever to manage and mitigate risk. The risk landscape in 2019 is increasingly complex and interconnected, and risks are no longer constrained by borders or bound by industries as they once were.

Global forces and global risks shape what happens at a regional level. We have previously made the argument that the Chief Risk Officer has become the most important role in an organisation, and that is as true for organisations in Africa and the Middle East as it is for companies in the US, Europe and Asia.

The role of the Chief Risk Officer (CRO) is by no means a new one. Risk has always existed in business, and there have nearly always been people in business whose job it is to manage, minimise and mitigate that risk.
But the past decade has seen the emergence of a greater volume and variety of risk than existed previously. The nature of geo-political, regulatory, cyber and technology risks means that modern businesses face greater challenges than before, and this has changed the role of the CRO for good.
It was once a role that existed mostly to mitigate more traditional risks to a business – although an important role, it was relatively low profile and not one that was centre-stage in the business. But because the nature of risk has changed so radically, so have the requirements expected of a CRO.

The pressure on compliance teams in Financial Services (FS) over the past decade has been enormous. Increased regulation, globalisation and a conservative approach to technology in many compliance teams have left a number of banks and other FS providers struggling to make their compliance function truly effective.

It’s not a situation that is likely to improve in the short-term. Accenture’s 2019 Compliance Risk Study surveyed 151 senior compliance executives at banking, capital markets and insurance institutions globally, and revealed that 71 per cent of financial institutions’ compliance departments are facing a cost reduction target. 64 per cent of those are targeting budget reductions of between 10 and 20 per cent over the next three years – a considerable reduction when you think that many compliance departments would already consider themselves under-resourced.