Many enterprises adopt modern information and communications technologies without fully realizing that new types of risks must be managed as a result. This guide addresses this gap and outlines how enterprises of all sizes can identify and manage cyber security risks.
Failures in cyber security are constantly in the press, with reports of malicious actors breaching enterprises large and small – seemingly at will and with ease. Enterprises are now exposed to a growing source of risk as criminal actors, hackers, state actors and competitors grow increasingly sophisticated in taking advantage of weaknesses in modern information and communications technologies. The combination of information systems with various external devices increases the level of complexity and threats to enterprise information systems. Enterprises not only face external threats but must also manage the risks of internal threats to their information systems, with persons within the organization able to corrupt data or take advantage of enterprise resources from the comfort of their residence or the local coffee shop. From a business perspective, it is vital that a company – large or small – be able to identify its cyber security risk and effectively manage threats to its information systems. At the same time, all business managers, including executives and directors, must recognize that cyber risk management is an ongoing process where no absolute security is, or will be, available.
Unlike many business challenges, cyber security risk management remains a problem with no easy fix available. It requires a consistent application of management attention with a tolerance for bad news and discipline for clear communication. Many excellent resources are available providing comprehensive explanations on top cyber threats, yet suitable material to assist business management in their approach to cyber security remains scarce.
The ICC Cyber Security Guide has been prepared for management and information technology teams to use in their dialogue together – featuring a security self-assessment questionnaire and a set of five principles to reduce risk associated with cyber security incidents. The principles are supported by a checklist of six essential steps every company should take to set managers on a course towards information security excellence.
ICC has also launched an online appendix of resources to complement the guide, serving as a living resource to provide more specific advice as these materials are developed – from standards of practice to technical standards and more.