
Manage cyber risk for business benefit, says industry expert

Cyber risk management can add business benefit while improving security, says Digital Policy Alliance advisory panel member Philip Virgo

The effective management of cyber risk can be used to enhance customer confidence, according to Philip Virgo, member of the Digital Policy Alliance advisory panel. 

“Effective risk management can also be used to do more business at a lower cost,” he told Computer Weekly.

Virgo believes cyber risk management is becoming an increasingly important area as company directors realise the limitations of insurance cover.

Typically, insurance covers only the cost of cyber incidents, but not third-party liabilities for data breaches and fines of up to 4% of global turnover under the European General Data Protection Regulation (GDPR) that comes into force in 2018.

According to Virgo, there are four key strategies for deriving business benefit from effectively managing cyber risk and turning individual risk into collective competitive advantage.

First, organisations should work to make the IT security team and the marketing team put up joint proposals for websites and on-line systems that are both secure and easy to use.

“Security teams and marketing teams need to talk to each other and collaborate on all customer-facing systems to provide a good customer experience, while improving security,” said Virgo.

He said such collaboration enables organisations to use third-party services to verify who their customers are without asking lots of questions or storing unnecessary personal data.

Minimise unnecessary data

“There are all sorts of services around that will easily and cheaply check if the mobile used was issued to the person the caller is claiming to be, and is in a credible location,” said Virgo.

“This is an example of how to make it easier for customers to access an organisation’s services and for the organisation to check who they are dealing with.”

The fact that most interactions are now through mobiles, he said, means phone cameras can be used as a means for providing images of callers, which can be compared with images on file.

Second, organisations can reduce cyber risk by not asking customers for information that is not necessary.

“Forget about the big data approach and instead go for data minimisation, because that means organisations will have far less at risk and will be less likely to be targeted,” said Virgo.

This approach is also likely to result in more transactions being completed, he said, because security questions and processes are one of the biggest reasons for potential customers abandoning online purchases, according to a survey by the British Retail Consortium.

The increasing use of ad blockers, particularly on mobiles, is indicative of a consumer backlash against big data, which organisations can exploit to their advantage, said Virgo.

Third, organisations should provide in-depth training for all customer-facing staff on how to engage customers, check who they are dealing with and tell customers how to check they are indeed dealing with the organisation.

“Both are equally important opportunities for being helpful and friendly to the customer, as well as demonstrating that the organisation takes security and privacy seriously,” said Virgo.

These processes are most commonly used by banks, which typically use third-party verification services and customer data on file to check they are dealing with the person callers claim to be, for example by asking questions about standing orders or recent transactions.

At the same time, banks typically encourage customers to verify they are dealing with the bank by calling the contact numbers listed on credit and debit cards and asking for representatives by name.

Fourth, organisations should ensure their websites include clear links to information on how to report problems, how to check whether emails purporting to come from the business are genuine, and how to report impersonation of the business.

“It is particularly important to be able to report people who are impersonating legitimate websites, and yet relatively few websites have processes in place for enabling users to do that,” said Virgo.

This, he said, is an example of an often-missed opportunity. “If you make it clear to customers that you take security seriously, you can turn that into an advantage in terms of customer loyalty and repeat business, and you can use reports to conduct so-called ‘asset recovery exercises’ to pursue offenders along the criminal supply chain using action under civil law.”

According to Virgo, there are several relatively low-cost legal actions that can net “quite nice sums of money” while discouraging criminals from website impersonation.  

“Organisations need to learn to take a cool look at the risks they are running and change their risk profile to ensure people are happy to deal with them and potentially have more in dealing with them and conducting higher-value transactions than with their competitors,” he said.

An important part of this strategy, said Virgo, is being seen to take customer security and customer data security seriously – which should be one of the goals of all marketing campaigns.

“Enough people have had their private data stolen that being seen to take data protection and customer privacy seriously can be used for competitive advantage,” he said.

Virgo, who has been an advisor to various select committees and enquiries over the past 20 years, is to look at the topic of cyber risk in depth in a presentation entitled: Machiavelli’s Guide to managing Cyber Risk on 9 February 2016 at the London offices of BCS, the chartered institute for IT. 

The presentation will identify the real risks faced by organisations and look at how risks can be reduced and used for strategic benefit. It will also examine the objectives for a security policy and the measures of success, and look at ways of turning adversity into advantage.

Virgo will also look at the business advantages of co-operation with the police in combatting cybercrime.


