According to the semiconductor manufacturing powerhouse, Intel, 200 billion IoT computing devices will be wirelessly connected by the year 2020. It comes as no surprise that cyber-security has emerged as a top concern across today’s corporate landscape. Bringing this high-level statement down to the practical level in Singapore, during our conversations with family principals in Asia, (some of whom are responsible for their family enterprises including respective single family offices) a common and consistent concern that is raised is cyber security risk and how to manage it.
With these possible threats in mind, Sandaire Singapore recently organised an interactive, cyber security workshop to learn about this critically important topic, and invited family principals to participate. Through our network of relationships, we identified Booz Allen Hamilton as one of the world’s leading consulting firms on cyber security and other related information technology risks, and invited them to share their insights on this topic.
At a headline level, in the event of a technology breach, the decisions made by business leaders in the first few days will have a critical impact on their organisations’ business continuity and financial performance. Effectively, the team exercise that Booz Allen Hamilton conducted was, through role play, to challenge senior executives in a fictitious company to respond to a cyber-security breach. On a tight timeframe, each team had to deliberate and make decisions on cross-enterprise impacts. In the face of information asymmetry, each team balanced different legal, security and financial risks across their fictitious organisations and were forced to make decision trade-offs. Through this crisis simulation exercise the teams experienced the critical first days of a cyber-breach situation in a risk-free environment.
The one hour plus session ended with examples and discussions around real-world breaches and focused on areas that have caught senior executives unprepared during past incidents. A conversation ensued during which time each group shared main takeaways and some past experiences.
So what did we learn?
- In a cyber-breach it is more than likely that you are tackling the unknown. By nature, cyberattacks are highly unpredictable and an even broader range of bad actors can utilise technology to target organisations.
- An organisation’s crisis plan should not be designed simply in the context of what a potential threat may be, but also with the potential business impact in mind, to ensure business continuity.
- In the event of a cyber-breach, there should be a clear chain of command. “Who makes the ultimate decision?” was a question that was asked at every juncture of the crisis simulation. A response to attacks with enterprise-wide implications may require input from the leaders of various business units, in addition to the C-Suite. The consequences of an untimely response, without the right counsel, can result in dire and long-term repercussions for the business.
- Cybersecurity is more than just an IT problem, specifically it can be an HR issue. The source of breaches may be related to inadequate education and training of staff, or unfortunately in some cases, a rogue employee. Malware, phishing and other fraudulent types of software tend to target employees who may not be as technology-savvy as others.
The team wrapped up the valuable time by agreeing that whether, as stewards of a family enterprise or the family’s wealth, that each of us need take stock and recognise our own cyber security risk vulnerabilities. The best defence involves not just a robust technology infrastructure and plan, but also a well-prepared management team and advisors.