In these times of political and economic uncertainty, as businesses turn their attention to new challenges and contingencies, the risk of a data breach can increase dramatically.
By putting in place measures to pre-empt potential pitfalls, businesses must ensure they are not inadvertently placing their cybersecurity or data protection policies in the firing line.
- UK unprepared for major cyberattacks
- Half of organizations lack the security talent needed to remain secure
- Empowering CISOs to strengthen password security
In the current climate of Brexit induced uncertainty, businesses are in the thick of preparing for all eventualities; but as board level discussions turn to tomorrow, it’s crucial they are not overlooking the business risks that remain very real today. Cybersecurity is one such threat landscape – and it’s changing fast.
In 2018, over 40 per cent of UK businesses experienced some form of cybersecurity attack, and the number of data breaches more than doubled when compared with 2017. Year on year, cybersecurity is becoming more complex, more expensive and more frustrating; no organisation is immune to the threat of a cyber attack – take a finger off the pulse and not only is a breach likely, but resiliency to respond will be at an all-time low.
Combined with new legislations now in force, such as GDPR and PECR, companies are also at additional risk of financial and reputational costs if they are deemed to be non-compliant. As the recent example of Google’s GDPR record €50m fine very clearly shows, regulators are taking action against companies that lack transparency, provide inadequate information or that cannot prove customer consent – and an effective cybersecurity strategy alone is not enough to ensure compliance.
Board level commitment
Cybersecurity and data protection have become board-level issues over the past decade, but top-level commitment to both remain an ongoing challenge. Most senior level individuals perceive that cybersecurity is too complex and too technical to have a place in any board meeting – more so when there are other pressing matters to consider. For many organisations, the answer is to place all responsibility with the Chief Information Security Officer (CISO), or to increase the budget, instead.
But is more outsourced support really the most effective route to cyber resilience? Take any recent high-profile breach as an example – the hack was not achieved through bypassing top of the line security technology, but by identifying weaknesses within internal processes and amongst staff. And yet, at the same time, how many CISOs can truly offer the depth and breadth of skills and expertise required to effectively manage all aspects of security and compliance – from the technical and management system qualifications; to practical cybersecurity business experience around people, process and technology; as well as the legal understanding required to ensure breaches are managed according to compliance processes?
Cybersecurity isn’t all about incredibly complex and sophisticated threats, the fact is the vast majority of breaches are linked to human error and, more often than not, the cause is ill considered processes and education, not inadequate security solutions. The goal is to therefore ensure cyber security risk assessments become as embedded within business thinking as every other area of operational risk – a process aided by providing a board level dashboard of incidents, how they have been managed and the requirements for ongoing improvements.
There is no ‘out of sight, out of mind’ solution; the diverse skills and experience required to mitigate risk in today’s incredibly complex and data sensitive operating environments must be implemented from the top down. Cybersecurity awareness and understanding is fast becoming a fundamental aspect of business differentiation, competitive position, even longevity, but it’s also a demand that has been heightened by the arrival of GDPR and other legislations. What’s required is a cyber resilience model to both managing the breach and minimising the business impact.
In addition to using technology to block phishing emails, for example, the board must also ensure staff are trained to recognise the signs that an email may not be genuine. They must know how to respond if they mistakenly click on the email, including immediately notifying the help desk, which will prompt clearly defined escalation processes to minimise corporate exposure. Add in a device level back up process that does not allow the spread of malware and a business has a robust cyber resilience approach to the most prevalent form of breach.
Covering all the bases
Organisations must recognise they face a growing number of cyber security and compliance challenges that cannot, under any circumstances, be ignored.
Regardless of the climate, a breach will result in serious consequences, which can range from regulatory action to class action lawsuits. Strategic steps must be taken to improve cyber security at all levels, with a cyber resilience framework that’s underpinned by a corporate understanding of risk.
Not only will this reduce the likelihood of a breach, but it will also ensure systems are demonstrably secure, that the processes and training are in place to ensure compliance with data protection regulations, and that the business can get back up and running as quickly as possible to minimise disruption.
Alan Calder, Founder and Executive Chairman at IT Governance
- Keep your business protected from the latest cyber threats with the best antivirus