Sasha Kalb, Vice President, Risk and Compliance, Asia Pacific, American Express Global Business Travel
In the increasingly complex environment of regulatory enforcement, it is crucial that organizations today are Compliance-aware. Corruption and bribery, data privacy, extensive use of third parties, and employee duty of care, are all areas that must be the focus of any comprehensive Compliance program. Increasingly, cyber security must be added to this list. Cyber attacks are becoming more common and sophisticated. When such attacks occur, the damage to an organization can be overwhelming, highly publicized, and immediate.
While many people are hesitant to discuss cyber security due to its heavily technical nature, the theory behind building a cyber security program is the same as any Compliance discipline. Of course, there is a highly specialized element, for which information technology expertise is required; however the organizational elements that support this are consistent with a basic Compliance risk management program. Such elements include:
Many cyber security incidents are caused by individuals falling victim to phishing or social engineering scams.
It is critical that employees are trained to be security aware. Cyber security training should be added to a regular training roster, alongside other disciplines, such as sanctions and anti-corruption.
Testing employees’ knowledge is important for gauging true awareness. Within my organization, we run phishing tests designed to train our employees. This is done through highly tailored e-mails that are designed to look legitimate, but are actually false phishing attempts. Any employee who fall victim to the tests is required to take additional training.
Ad - hoc Communications
Never waste an opportunity to use a good crisis. Take advantage of events in the news media to raise awareness and train employees.
Remember that cyber security is reliant on both information technology and physical security. Are your offices secured? Do your company’s computers auto-lock after a period of inactivity? These are important considerations.
When there is an allegation, or confirmed incident, the corporate response should be the same as for any compliance incident – it is crucial to follow company procedure exactly. Companies should mobilize their incident response and investigation teams, and react with appropriate speed and resources.
Following the recent cyber attack on Yahoo!, the Yahoo Board investigation noted that the company’s failures in areas such as communication, management, and internal reporting resulted in a lack of proper handling of the breach. These failures contributed to the flow of negative news, shareholder lawsuits, resulting in a drop in sale price, and losses in personnel.
As with any other risk area, a strong Compliance program is the best way to protect an organization from the effects of a cyber breach. A truly comprehensive program should include elements of policy, training, and communication to help prevent an occurrence; testing and monitoring to help detect a potential breach; and processes around investigation and remediation, as a best-practice response should a breach occur.