There is no doubt that Cyber Threat is the topic of the moment. It features on the agenda of most board and audit committee meetings and it is on the minds of many organisations.
Information is the lifeblood of an organisation and we are all increasingly reliant upon technology and information assets. In the UK, cyber security has been defined as a Tier 1 threat to the nation, making it a strategic risk management issue for all organisations. In mid-2013, MI5 wrote to the board of every FTSE350 company urging them to ensure that they were taking adequate steps to protect themselves.
WHAT IS ‘THE CYBER THREAT’?
This is the million dollar question. And you won’t get the same answer twice.
Cyber Threat is a convenient label applied to the multitude of risks to data, information and the systems which store and process it. These risks could be precipitated by events or actions as varied as external hacking, social engineering, a compromised third-party supplier or an employee leaking information. These are diverse activities that are likely to require very different approaches to remediation and ongoing management.
SHOULD WE BE CONCERNED ABOUT THE CYBER THREAT?
The answer, categorically, is ‘Yes!’. Globally, with security incidents on the rise, reputation, regulatory status and financial well-being are more at risk now than ever before.
No matter what size your business is, cyber criminals are opportunists and will always be on the lookout for soft targets. They know larger organisations have big security budgets and will, usually, have better detection capabilities that are more likely to spot and deal with a security breach before it escalates.
Latest government figures indicate that 81% of large corporations and 60% of small businesses reported a cyber breach, with each breach estimated to cost between £600,000 and £1.15m for large businesses and between £65,000 and £115,000 for smaller companies.
UNDERSTAND THE RISKS
Organisations clearly need to respond to the threat. But where to start? Technology companies will tell you to buy their software whilst IT service companies will tell you to outsource your IT to them. Software, security tools, penetration testing and transferring some of the risk to a third party (via outsourcing) may be part of the solution but, applied in isolation to the Cyber Threat, there is a very real risk of missing the point. The best technology and tools can be undermined by weaknesses in basic security practices or by a flawed corporate culture.
Today’s cyber criminals are adopting approaches which step away from the purely technical and look to exploit weaknesses in the way that organisations manage, control and interact with their information. This means that the corporate approach also needs to shift from one of ‘implementing security’ to one of ‘information risk management’. The foundations of good information and security governance include:
• user access management
• clear policies on security, e.g. acceptable system and social media use
• staff security training and awareness
• oversight of third-party suppliers
• timely application of software security updates.
Fundamentally, addressing the Cyber Threat means going back to basics and understanding your organisation’s information (where it is and how it is used), identifying risks to your information assets and ensuring that the right measures are adopted to mitigate risks to within acceptable levels (balancing cost vs risk). That is why investment in people, skills and robust policies and processes is crucial. The Cyber Threat is a problem for the entire business to solve – not just IT.
STAY ON TOP
Putting it simply, the approach that should be taken in building a robust Cyber Security Strategy has not really changed much in the past 10 years.
To be truly effective, an organisation should make sure that it consults and collaborates with its peers and utilises the ‘weapons’ that are available to it, whether these be close to hand (e.g. policies, procedures, audits) or those specifically designed by security service vendors to keep the bad guys at bay.
Even if you successfully fight off a Cyber Threat, you can be sure that it will return, bigger and badder than before. So, make sure your organisation is always prepared.
For more information on the dangers of cyber-attacks, and how Cyber Liability Insurance can protect your business interest, please contact Martin Camp.