Is your company taking enough accountability on cyber security?
60% of organisations have had at least one serious security incident this year
Every modern organisation knows that cybersecurity is a hot topic. From high-profile breaches in the news to increased investment in security talent across industries, there's little doubt that companies need to wake up to the risks of cybercrime.
But this doesn't always translate into action on a day-to-day level, and it's unclear just how many businesses are taking enough accountability on cybersecurity.
Socrates Coudounaris, Chairman of the Institute of Risk Management, said in the organisation's 2019 Risk Predictions: "The impact of current macro trends and risks, such as cybersecurity, AI and Brexit in the UK will continue to put pressure on, and potentially change, entire business sectors."
"Leaders who think critically about the future, anticipate disruption to their sectors, while building resilience and agility in their models, will be in a better position to tackle a challenging risk environment in 2019 and thrive."
With businesses in the UK suffering one cyber attack every minute, business and security leaders need to step up to ensure their organisations are resilient, educate employees and put adequate security measures in place.
Whose responsibility is it?
Primarily, setting your risk appetite is about determining how much risk your company is willing to accept while still comfortably achieving business objectives. All of this depends on the nature of said objectives, as well as the size and complexity of the organisation as a whole.
Some losses may be deemed acceptable, while others too costly.
Division of this accountability is key, and should be split between the CEO, CISO and CRO to ensure business objectives and risk are balanced in accordance with goals and priorities across the entire organisation. Security takes resources, and they have to come from somewhere.
This also ties into the concerns companies have in relation to risk management, with reputation loss coming out top in a cyber risk survey from RSA. Perhaps a less tangible problem than business interruption or breach of customer information - second and third, respectively - a hit to reputation can have potentially devastating long-term consequences that are more difficult to measure.
Understandably then, most organisations focus on external threats, but attention must also be paid to internal risks that could similarly harm the business. Many of these can be unintentional and the result of human error, but they can be equally dangerous if not properly managed.
The growing importance of data security
A breach of sensitive or confidential data was the primary issue among security professionals according to a survey from Osterman Research, with 68% citing it as a major concern. This concern will have grown significantly over the past two years with the growth in use of cloud services, as well as a number of high-profile breaches and the threat of fines from legislation like the GDPR.
In fact, since GDPR was introduced a year ago, almost 60,000 data breaches have been reported across Europe.
A recent survey from Oracle has found that fewer than half of IT teams are confident that their organisation's data is secure. This should be a major cause for concern, given the implications of a data breach for businesses.
IT and business leaders should make it a priority to establish secure data management strategies and protocols. This will reduce the risk of a data breach, and will be a good opportunity to ensure compliance with data protection and handling regulations.
How often should cyber risk be reviewed?
Cyber risk is not a fixed, unmoving thing, and shouldn't be treated as such. Determining a company's risk appetite, then, should be an ongoing process that is continuously reviewed. 60% of medium and large businesses have reported having a cyber security breach or attack in the past 12 months, according to gov.uk's Cyber Security Breaches Survey 2019. This is down on previous years, but the businesses that have identified attacks are experiencing more of them.
There does appear to be an uptick in accountability amongst companies, with 58% of large firms giving their board cyber security updates at least monthly. But a reported 26% of large businesses still don't have a formal cyber security policy, which leaves them open to a serious cyber attack, data loss and more.
Determining cyber risk appetite has never been more important, and business leaders must work to bring these discussions into board meetings with more frequency. As the cybercrime world evolves, so too must its potential victims.