Is your company taking enough accountability on cyber security?
60% of organisations have had at least one serious security incident this year
Every modern organisation knows that cybersecurity is a hot topic. From high profile breaches in the news to increased investment in security talent across industries, there's little doubt that companies need to wake up to the risks of cybercrime.
But this doesn't always translate into action on a day-to-day level, and it's unclear just how many businesses are taking enough accountability on cybersecurity.
Socrates Coudounaris, Chairman of the Institute of Risk Management, said in the organisation's 2019 Risk Predictions: "The impact of current macro trends and risks, such as cybersecurity, AI and Brexit in the UK will continue to put pressure on, and potentially change, entire business sectors."
"Leaders who think critically about the future, anticipate disruption to their sectors, while building resilience and agility in their models, will be in a better position to tackle a challenging risk environment in 2019 and thrive."
With businesses in the UK suffering one cyber attack every minute, business and security leaders need to step up to ensure their organisations are resilient, educate employees and put adequate security measures in place.
Whose responsibility is it?
Primarily, setting your risk appetite is about determining how much risk your company is willing to accept while still comfortably achieving business objectives. All of this depends on the nature of said objectives, as well as the size and complexity of the organisation as a whole.
Some losses may be deemed acceptable, while others are too costly.
Division of this accountability is key, and should be split between the CEO, CISO and CRO to ensure business objectives and risk are balanced in accordance with goals and priorities across the entire organisation. Security takes resources, and they have to come from somewhere.
This also ties into the concerns companies have in relation to risk management, with reputation loss coming out top in a cyber risk survey from RSA. Perhaps a less tangible problem than business interruption or breach of customer information - second and third, respectively - a hit to reputation can have potentially devastating long-term consequences that are more difficult to measure.
Understandably then, the focus of most organisations is on external threats coming in from outside the company, but attention must also be paid to the internal risks that could similarly harm the business. Many of these are unintentional and the result of human error, but they can be equally dangerous if not properly managed.
The growing importance of data security
Data security is gaining prominence among security professionals due to the stream of sensitive or confidential data breaches continuing to make headlines.
Industry consensus attributes the number of high-profile breaches to the growth in the use of cloud services, which presents a problem: the cloud is predicted to continue its upward trajectory, meaning a continued spread of vulnerabilities.
According to research conducted by Forrester, only 29% of security leaders would agree that they understand the strengths of their security program and, crucially, the areas in which they can improve. This should be a major cause for concern: vulnerabilities that are not known cannot be addressed, giving way to damaging data breaches.
Further, the introduction of legislation like the GDPR has raised the stakes of a breach, with eye-watering fines dealt for breaching compliance regulations. In fact, a German housing giant was recently fined £12.5 million.
Here, the cost of failing to comply can be rivalled by the internal expenditure undertaken to initially achieve compliance, with Forrester's research revealing 34% of security leaders struggle to meet and sustain compliance requirements. Solid data security practices will help organisations achieve their compliance targets, or at least help to reduce the gap.
IT and business leaders should make it a priority to establish secure data management strategies and protocols. This will reduce the risk of a data breach, and will be a good opportunity to ensure compliance with data protection and handling regulations.
How often should cyber risk be reviewed?
Cyber risk is not a fixed, unmoving thing, and shouldn't be treated as such. Determining a company's risk appetite, then, should be an ongoing process that is continuously reviewed. 60% of medium and large businesses have reported having a cyber security breach or attack in the past 12 months, according to gov.uk's Cyber Security Breaches Survey 2019. This is down on previous years, but the ones that have identified attacks are experiencing more of them.
There does appear to be an uptick in accountability amongst companies, with the boards of 58% of large firms receiving cyber security updates at least monthly. But a reported 26% of large businesses still don't have a formal cyber security policy, which leaves them open to a serious cyber attack, data loss and more.
Determining cyber risk appetite has never been more important, and business leaders must work to bring these discussions into board meetings with more frequency. As the cybercrime world evolves, so too must its potential victims.