News item | 07-12-2016
Launched at the Global Conference on Cyberspace in 2015, the International Chamber of Commerce (ICC) Cyber security guide for business offers a simple process for raising awareness for online security. It is designed to be a conversation starter between information technology specialists and company management in order to guide enterprises of all sizes and sectors on ways to address cyber security challenges and to engage the companies in their supply chains to also tackle these issues.
Written by: Gerard Hartsink, representative of the International Chamber of Commerce (ICC) Commission on the Digital Economy to the GFCE and Chair ICC Taskforce Cyber Security.
Modern information and communications technologies are enabling business of all sizes to innovate, reach new markets and drive efficiencies that benefit customers and society. Yet, increasingly, business practices and policies are stressed while adapting to the direct and indirect impacts of pervasive communication environments and network information flows that are required in the delivery of goods and services. Many enterprises adopt modern information and communications technologies without fully realizing that new types of risks must be managed.
Failures in cyber security are constantly in the press with reports of malicious actors breaching enterprises, both large and small – seemingly at will and with ease. From a business perspective, it is vital that a company – large or small, click-and-mortar or high-tech – be able to identify their cyber security risk and effectively manage threats to their information systems. At the same time, all business managers spanning from directors of small family business to executives of large multinational companies must recognize that absolute security is an elusive goal. Unlike many business challenges, cyber security risk management remains a problem with no easy fix available.
Cyber security risk management: a collaborative and ongoing process
An array of documents and guidelines trying to help users understand and mitigate these risks already exists. However, the sheer volume of available material poses a challenge itself. For end users and businesses alike it can be difficult to know what to start reading and what kinds of documents are appropriate to their particular needs. The range spans from comprehensive explanations on top cyber threats tailored for technical experts to boardroom one-pagers often mistakenly perceived as a quick-fix, to a seemingly daunting problem that rather requires a consistent application of management attention with a tolerance for bad news and discipline for clear communication.
With many excellent resources already available, suitable material to assist business management in their approach to cyber security still remains scarce. The International Chamber of Commerce (ICC) Cyber security guide for business addresses this gap and outlines how enterprises of all sizes can identify and manage cyber security risks.
This pragmatic guide stands out as the first of its kind to be issued by an international business organization. It is first and foremost a conversation starter developed to help business management of companies of all sizes and sectors frame cyber security discussions with information technology professionals – and vice versa – to put a collaborative and ongoing management approach in place.
The concepts outlined in the guide help companies overcome fears and improve risk awareness to rise to the information security challenge of this fast changing environment as well as to engage the companies in their supply chains to also tackle these issues.
Five principles to identify risks, six key actions companies should take
Produced by the International Chamber of Commerce (ICC) Commission on the Digital Economy, the ICC Cyber security guide for business is informed by global cyber security guidelines and national strategies offering businesses a framework to consider the question of security online. It starts out with five principles that help enterprises identify cyber security risks and drawing on various sources and best practices, goes on to pin point six key actions that companies should be sure to take.
While approaches to information security may differ from company to company depending on a number of factors, there are a number of high-level principles that inform sound information security practice for all companies, independent of size or industry. The five key principles presented in this guide relate firstly to the vision companies should adopt, such as thinking of information security in its broadest sense, not just in terms of information, and approach the resilience of the company to cyber risks holistically by improving company culture and employee mind-set towards cyber security risk management practices. Secondly, the principles outline the organization and processes companies should follow such as being prepared to respond to a breach, demonstrating a leadership commitment and act on their vision for cyber security risk management to ensure its implementation.
The six key actions show how these principles translate to practicalities. They call on companies to back up business information and validate restore process; update information technology systems; invest in training; monitor their information environment; layer defenses to reduce risk; and prepare for when the breach occurs.
The guide also helps companies convert their vision into implementation by discussing how these principles can be applied into policies to facilitate the development of an enterprise’s cyber security risk management activities.
The guide features a self-assessment questionnaire as well, a simple checklist as a tool for management to help guide their internal review of their company’s cyber resilience capabilities regardless of whether they are just beginning in their information security initiatives or are looking to identify remaining gaps or vulnerabilities and paths to improvement within their respective company.
Used periodically, the guide and questionnaire will enable managers to ask the right questions to the teams involved in these initiatives and proactively partake in the development of the best-fitting approach for their specific business to prepare and manage cyber incidents.
Launched at the Global Conference on Cyberspace in 2015, the ICC guide is now available in English, French and Spanish and has a locally adapted Dutch version. It is distributed through ICC’s global network of national committees, member companies, business associations and chambers of commerce, spanning over 130 countries and is also available for download free of charge on the ICC website. The website also features an online appendix of resources to complement the guide serving as a living resource to provide more specific advice as these materials are developed – from standards of practice to technical standards and more.
ICC has a proud, nearly hundred-year history of providing companies with tools and self-regulatory guidance to promote good business practice. As the world business organization, whose membership is composed of enterprises from all sectors and regions, ICC developed this simple, clear guide to help business play their part in addressing the increasingly serious challenge of cyber security. ICC is an organization dedicated to facilitating trade and investment, and fostering confidence in the digital economy and increasing the considerable opportunities that it brings to business, consumers, governments and society.
Since its launch in April 2015, the ICC Cyber security guide for business has reached companies – large and small – from India to Brazil, from Finland to South Africa. It has proven its versatility by serving as input material for large conferences at venues such as the World Bank or the Internet Governance Forum as well as training material for local businesses in Spain and Morocco and awareness-raising material for SMEs and chambers of commerce at the World Chambers Congress 2015.
Reception to the guide has been extremely positive as there is a recognized need for businesses to be more security-savvy. This matter has long outgrown just IT departments and is increasingly reaching the boardrooms of companies. However, from this example in the U.K. for instance, where businesses have doubled expenditure on security budgets in recent times yet remain unaware of the number or source of cyber incidents that struck their businesses over the past year, the need for more dialogue between the two camps, is highlighted as a business risk. The ICC Cyber security guide for business aims exactly at the heart of the matter by offering a tool for identifying both what to discuss and how to approach this much needed dialogue in a way that is relevant from both perspectives.
This article first appeared in the second issue of the Global Cyber Expertise Magazine – November 2016.