Mind the Gap – Governance Risk Compliance and Anti-Fraud cohesion

Many years ago I stood in front of an audience and told them the story about the boy who stopped a flood by sticking his finger in the crack of a dyke wall. This idiom is meant to portray that even the smallest act of closing a gap can prevent a tragic disaster. Why did I tell that story? Allow me to explain..

One of the questions we are often asked is; “What is the one thing we can do to reduce risks from Cybercrime.” Depending who you ask, you’ll likely get a multitude of answers which may lead you to think that there isn’t just ‘one’ thing.

But I actually believe there is a simple and elegant answer to the question. However, how you go about implementing this answer is where most organisations fail.

Mind the gap

Irrespective of size all organisations are made up of more than one department, discipline or location. Even sole-traders often have suppliers (e.g. Finance, HR, IT) to support them in their business. If you are a larger organisation you may have grown through acquisition, and therefore you may have more than one finance team or system to deal with. You may have different departments managing different aspects of the products and services you deliver, separated across buildings or geographically.

Even organisations that have grown organically will, over time use different systems and suppliers.

When we (at Cyberfort) look at organisations, we don’t just see what is there. We see what isn’t. We’re looking for gaps. But not just gaps in the technology, or how the technology is/should be protected. We’re looking for the gaps where issues and problems can creep in.

• Systems that don’t talk to each other – leading to duplication/error rates to increase
• Functions that don’t talk to each other – leading to missed opportunities or social engineering
• Organisations not talking to suppliers – leading to issues in the supply chain.

We see large organisations with brilliant teams, and highly skilled professionals often operating in siloes, which creates gaps in all the areas identified above.

• Risk conducting broad Risk Management,
• Compliance ensuring the business stays legally honest,
• Fraud reporting on fraudulent activities (including Anti-Money Laundering),
• IT Managing data migration, system upgrades and the technical/user estate,
• Information Security implementing standards
• Operation delivering the company vision
• Finance maintaining control of the incoming and outgoing numbers
• Human Resource recruiting and retaining the right calibre of people
• Marketing & Sales developing the brand identity and bringing in the clients

This is to name but a few of the departments. Dependent upon the size and complexity of your organisation, you may also have specific H&S, Facilities, Research & Development, Procurement, and the all-important Exec suite.

The diagram below is an example of a relatively complex environment, which Cyberfort were recently faced with. The organisation in question operates in the Payment and Open Banking sector. A sector which faces a range of challenges as they develop new services, scale-up operations, attract (and retain) skills and knowledge in an ‘agile’ environment. But while the organisation is operating in an emerging market, they are subject to the same issues previously discussed. A siloed approach to the aforementioned functions leaves gaps. Thankfully this organisation recognised the benefits of creating an integrated layer across security – information and cyber, incident and event management, AML, KYC, Cyberfraud and the business functions.

By approaching the topic holistically, and from a position of Organisational Resilience we were able to develop an integrated approach in an efficient scalable fashion.

Let’s talk

So where do you start? A very simple exercise that any organisation can undertake is to map out their departments, the locations that they exist in, and the suppliers they use. For example, if you have grown through acquisition or you are geographical spread across the country, or the world then you might have different locations doing the same thing. For example, it’s not uncommon for us to speak to larger companies that have two IT or HR functions geographically separated, and rarely communicating.

Why this is important

Gaps are not only where issues creep in, but where the ‘bad guys’ creep in. Yes… the Hackers and Cybercriminals we keep hearing about.  It’s gaps in…

• your knowledge
•  your preparations
• your technology
• your training
• your supply chain management.

So how do we close these gaps? What do we need to do?

Closing the Gap

Firstly, it’s important to note that this can’t happen overnight. Yes, for the smaller the organisation this could be easier, but the first step to take irrespective of the size and complexity of your organisation is to identify who is in place to protect you. If you are big enough (and lucky enough) to employ IT Managers, Data Protection, Information Security, Risk and Compliance officers, pull these functions together or create a Security Committee to talk about the risks your organisation face.

Even if you don’t employ these people/teams, you should be discussing these topics and brainstorming the risks, threats, vulnerabilities and opportunities that currently exist in your sector and your organisation.

But this is not the end of the story. You need to involve every function in your business, because we all have a part to play in Cyber Security and Data Protection. Once you have a clear view of the ‘threat landscape’ you should involve the heads of each of the functions in your business to get THEIR view on the risks and issues revolving around this topic. Remembering that Data Protection is about how data is processed (i.e. used) in your organisation you will start to appreciate that anyone could be a potential ‘gap’. Leave no one behind. Involve everyone.

Organisational Resilience (OR)

We need to fill the gaps we have with knowledge and trust, and organisations are starting to recognise the importance of this by ensuring they are resilient to our ever changing landscape. Organisational Resilience may be a new term for some, but there is a whole stream of work surrounding this discipline.

Organisational Resilience is principally focused on removing gaps in our thinking and understanding in relation to all the topics we’ve discussed previously, and there is even a professional guidance you can follow (BS65000:2014) to help you close the gaps.

Conclusion

If we are going to better protect ourselves from the threats from outside and within our organisations, then we need to ‘Mind the Gaps’. We’re very good at identifying the issues we see in our day-to-day lives, but we need to broaden our view beyond the narrow confines of our sectors, functions, or roles. I am frequently saying that we need to have Cognitive Diversity in our teams, meaning we need people from different backgrounds, life experience, training, knowledge, ages and viewpoints all taking part in the discussion around how to better protect our organisations.

If we close the gap, then perhaps we can prevent the leak becoming a flood.