What is effective cyber security risk management?
By John Higginson, 31 May 2017
Cyber services are currently going through an evolution, moving from the reactive to the proactive, as businesses wake up to the impact a cyber-attack can have on their operational output or reputation.
Traditional cyber services revolved around providing some basic anti-malware tools to prevent an attacker from gaining access to networks, and then, when things went wrong, dealing with the aftermath of an attack, investigating what happened and how the attackers were able to gain access. Whereas more recent service offerings across the marketplace revolve around predicting when, where, how, and why attackers may strike, or reducing the impact of any successful network breach.
Physical and cyber security are mutually supporting
I would be surprised if any businesses would leave their premises unlocked with the doors open at night; doing so would clearly invite opportunist thieves to help themselves. It is therefore somewhat surprising (although probably unknowing) that organisations have so little concern with their cyber security. With more and more data being stored on company networks or in the cloud, ranging from valuable proprietary information to sensitive personal information or financial transaction information, the loss or non-availability of any of these could have a real impact. That could mean your company or organisation losing its competitive edge, or receiving significant reputational damage or potentially large financial losses.
Viewed in this way, it is a lot easier to appreciate the risk that poor cyber security can pose to a business and why it needs to be addressed as a priority. As an example of the impact a cyber-attack could have, the TalkTalk hack is reputed to have cost the business the loss of 100,000 customers and £60m , so the costs to a business can be considerable.
Selling cyber security
The difficulty in providing proactive cyber security services is that businesses often don’t know that they need any advice on cyber security until it is too late. Essentially, how do you go about selling someone something that they don’t know they need?
The answer is education and awareness to businesses at all levels.
Cyber Security, like physical security, should be viewed in the same light as any other risk held and managed by the organisation. However, at the moment these cyber risks simply do not appear on the list of risks that need to be considered, let alone have any consideration given to how they should be mitigated, or if the current level of risk they present falls within the organisational risk appetite. The TalkTalk hack mentioned earlier is but one high profile attack, more of which seem to hit the news with increasingly alarming regularity.
A case in point
An example of the scale of the problem and the lack of awareness outside of the IT security sector was brought sharply into focus for me recently. A good friend of mine who runs a very successful online business (circa £10m annual turnover), did not see his business and livelihood linked to cyber security in the slightest. He only recently installed a firewall on his network, despite having traded online for almost a decade and had very little awareness of his IT systems and the security issues and risks that it, and therefore his business, was exposed to.
In order to increase his awareness, I briefly ran through a few scenarios of what could happen, for example, if there was a loss of availability to his network through malware being installed, or more worryingly the loss of client data that will be punishable under the GDPR legislation that comes into effect next year.
GDPR? What’s that then?
The Global Data Protection Regulations will come into force in May 2018 and replace the outdated Data Protection Act from 1998. These regulations are likely to be a key driver in changing company cultures from a reactive to a proactive cyber security stance, as non-compliance could leave your business with a fine of up to €20m or 4% of your global annual turnover, whichever is greater.
The way ahead
Organisations will need to be very clear about what types of data they hold and process and, as a result, what their legal requirements are. Network architectures and system settings should be configured to ensure that only those that need access to certain data types can get to it, as well as devising policies and procedures for dealing with any security incident that might occur. This is where proactive cyber security advisory services come in. Many businesses are now realising that it is often more cost efficient and more effective to employ the services of experienced independent experts to provide advice on cyber vulnerabilities, associated business risks, and to offer credible solutions as to how those risks can be managed optimally.
Good cyber security is a blend of, people (leadership, culture and training), well tried and tested processes (governance), technology (protection and detection), and preparedness (resilience), supported and underpinned by a mature IT solution and sound physical security controls – does this describe your business?
Cyber criminals are becoming increasingly adept at refining their technological capabilities. So rather than waiting to become a target and victim, now is the time to adopt a proactive stance; to remain legally compliant and understand your current cyber security risks so that they can be managed appropriately – it’s not if, but rather when your business will be targeted. Don’t be caught unaware…
Look out for my next blog post on Security Operations Centres and why they are so important.
Contact and Follow-Up
John works in our Cyber Advisory team, from our Cheltenham office. Prior to Context, John was a military man having served for almost 17 years as an Officer in the Royal Corps of Signals, deploying and managing IT and IS around the globe. He can often be found either climbing a rock or running up hills. See the contact page for ways to get in touch.