Cyber-risk management for logistics SMEs: Three top priorities
SMEs in the maritime and logistics business are digitizing fast. Kōnstantînos, an owner and CEO of a thriving Greek shipping firm, confides:
“I know my business, and I boosted it with advanced software solutions. I also know what I don’t know: these scary hacking stories in the news all the time. But what is real? How exposed are we, and how can a company our size deal with such risks? My IT manager keeps coming back and asking me for more money. How can I tell whether we are optimizing our information security spending?”
Business is risky, no big news there. Everything that can go wrong sometimes will. Yet leaders know well that worst-case scenarios offer poor guidance for making real-life business decisions. Little wonder then that many owners, directors, and managers in maritime and logistics SMEs seek useful advice on cyber-risk and how to manage it. We recommend following these three steps in your journey to cyber-risk management.
1. IDENTIFY CYBER-RISK SCENARIOS IN YOUR BUSINESS
How can cyber-risk interfere with your business operations?
Cyber-attacks or compromises can result in a range of harms:
- Physical, kinetic damage to property or bodily harm, via malfunctioning machinery/OT
- Ransom payout
- Financial fraud or theft
- Exposure of sensitive or confidential data
- Theft of intellectual property
Adverse business outcomes include:
- Loss of customers and revenues
- Loss of employees
- Loss of competitive advantage
- Interruption of day-to-day operations
- Interruption of strategic moves, such as an M&A
- Costs of mitigation and recovery
- Regulatory or legal costs
- Reputational damage
Fortunately, not all risk or threat applies equally to your business. The key to effective cyber-risk management is aligning cybersecurity with your business. This is not trivial:
A recent commissioned Forrester study—based on a survey of 416
security and 425 business executives in 10 countries—reveals a
disconnect in how businesses understand and manage cyber-risk. Just
42% of business executives say their cybersecurity strategies are
completely or closely aligned with business goals.
Business leaders must regain control. Between your endless dealings with sales, operations, finance and HR issues, allocate the time to discuss the company's cybersecurity at management meetings, and aim to understand which cyber threats are relevant to your specific business and which critical processes could be affected.
2. DEFINE YOUR RISK APPETITE
Shipping companies, terminal operators, freight forwarders, intermodal providers – all face different threat scenarios. It is the leaders’ duty to define the firm’s risk appetite. What is “secure enough” for us? Which cyber risks do we need to take, and which risks are unacceptable?
These are the key questions, long before “which cybersecurity solution should we buy next”.
What do you consider as your most valuable business assets? Surprisingly, identifying corporate “crown jewels” is not as straightforward as it may seem. Internal business deliberation around this question will take time.
Not a week goes by without media reporting on cyber-attacks. Having developed a more current understanding of your “crown jewels” and relevant risks, use the news to discuss: Could what happened at this other company happen to us? If so, do we have a plan? This question will illuminate gaps in your business preparedness for such an attack.
Going beyond the news cycle, directors and owners should consider both routine and strategic business phases.
Do you routinely process sensitive data? If so, you face the combination of cyber threats to data privacy and attendant legal risks.
Does the company hold intellectual property? Your threat landscape includes cyber espionage.
Do you operate machinery / equipment? Physical damage, injuries, and pollution are in your cyber threat scenario.
Are you involved in a merger or acquisition? Most M&A processes now encompass cybersecurity due diligence, thus presenting a different type of risk.
Risk appetite is a judgment according to each company’s specific circumstances and business objectives. Your answer must serve your business interests.
3. UPSKILL YOURSELF AND YOUR MANAGEMENT
Many leaders of maritime logistics SMEs can’t help but feel overwhelmed by the expanding range of cyber risks. We hear many managers frankly assess their knowledge and capabilities as marginal.
Our opinion is that these leaders could probably use cybersecurity upskilling. We do not suggest they undergo profound technical training. Instead, innovative, concise, dedicated cybersecurity training for the C-Suite has proven to deliver exceptional value. Having completed such executive education, business leaders report gaining the ability to separate the wheat from the chaff, ask the right cybersecurity questions, and guide their business resiliency forward. Armed with sufficient foundations, you can now prioritize and streamline cybersecurity for your business.
WHAT IS IMPORTANT - IS SELDOM URGENT, AND WHAT IS URGENT - IS SELDOM IMPORTANT
Dealing with a cyber breach is urgent. Making cybersecurity an integral component of your business model – is important. Successful SME leaders know to appreciate what is important and what is urgent (after all, you are reading this cybersecurity blog).
From strategic consulting to technical solutions, we can help you get started on building your SME’s cyber resilience the right way. Today. Let’s get started.