The chances are if you were not aware of the importance of cyber security two years ago, you are now. Not a month goes by without reference to a cyber breach that has exposed private data to criminals or other malevolent hands, elections being compromised, national security threats, public and private institutions held to ransom, and consumer devices being taken over by hackers.
Cyber security is growing in importance as our world becomes ever more interconnected and digitised, but for those who are new to this field, including business leaders trying to gain a stronger understanding so they can start to shape decisions which will protect their organisations and industries, this article will provide the essential information you need to know.
What is meant by the term ‘Cyber-Security’?
At its core, cyber security refers to the prevention of threats to digital assets connected via the internet – this includes hardware such as computers, networks, connected devices, and software such as operating systems, databases, email, and business systems.
A more formal definition of cyber security is provided by the International Telecommunications Union (ITU), which states, “Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organisation and user’s assets”.
With each passing year, we are seeing more examples of companies that have become unwitting victims of cyber-attacks – including in the past couple of years, BA, Morrisons, the NHS, Uber, Fifa, Facebook, T-Mobile, and Dixons Carphone, to name but a few.
A robust strategy for cyber security is essential for avoiding large potential fines due to cyber breaches, serious reputational damage, and loss of revenue due to operational interruption.
What are main cybersecurity risks to businesses?
Those seeking to gain unauthorised access to your systems will be looking to exploit an existing vulnerability in relation to your:
- People: Even with the most robust systems and processes, your staff will play a vital role in ensuring the cyber security of your business. A staff member who does not adhere to policies and procedures designed to prevent a cyber breach (e.g. by using an obvious password or leaving their computer accessible) poses a risk to your entire organisation.
- Processes: Effective cyber security is dependent on processes and procedures which are well communicated through ongoing training, understood, and followed by all staff.
- Technology: Hackers will seek to exploit technological vulnerabilities at all levels – including telecommunication, computer networking, server hardware, and software (whether within the organisation or in the ‘cloud’). Strategies used by hackers include ransomware (as used in the recent NHS attack) which require users to pay a sum of money to enable a computer to be used, phishing attacks which trick individuals into providing sensitive information such as passwords, malware, social engineering (using deception and manipulation), and trojan-horses. Poor IT procedures can also open your business to risk – for example by not installing new ‘patches’ which provide protection against specific vulnerabilities.
Cyber security must be a top-level consideration for businesses
It is tempting to believe that cyber security is a matter for the IT department, but as businesses have learned to their peril in the past decades, this is a poor strategy that results in systems, processes, and cultures which are not fit for purpose. As such, cyber security must be treated at the same level as the overall business strategy – that is, at the board level. According to the London Institute of Banking and Finance (LIBF), because board level directors often have access to highly confidential information, they themselves are often the target of hackers and cyber criminals.
But how can business leaders and directors take the reins of cyber security governance?
Ensure your top-level team receive cyber security training from the outset
Part of the problem is that many heads of business while they understand the basics of cyber security, they are not attuned to recent developments and threats, and ultimately do not understand the true exposure they are facing. Repetition is key as the risks and exposure faced is evolving constantly. Such training will then enable those at the top to implement the necessary structures and frameworks to manage cyber risks.
Implement a robust cyber security governance structure
Based on the size, nature, geography, and complexity of your organisation, putting in place a cyber security governance structure is the next vital step. This will ensure the strategy adopted is placed into the hands of those in the organisation that are best place to make decisions and implement change (which must should be overseen at the top level within your business). The National Cyber Security Centre (NCSC) (part of GCHQ) are an excellent source of information regarding the implementation of cyber security governance.
Once you have a suitable cyber security governance structure in place, it is then recommended that risks are managed by:
- Driving all information and decisions relating to cyber security risks and control through the governance structure
- Requesting quarterly reports from the cyber security governance team on the latest progress, risks, and actions
- Implementing a process for identifying and managing cyber security risks
- Documenting and publishing policies and procedures to ensure robust cyber security
- Keeping up to date with the latest threats by becoming members of the Cyber Security Information Sharing Partnership (CiSP)
- Viewing the risk management of cyber security as a life-cycle, both because new threats are always emerging, and because organisations implement new systems which require protection, as they grow
- Taking advantage of ongoing governmental assurance and certification to ensure existing your approach is in line with best practice
- Implement a cyber security training regime across your operation, from the top down, incorporating the latest threats and the processes and procedures used by your organisation. This must be updated and provided regularly to ensure employees are abreast of the latest developments in this area.
- Promoting a culture which encourages all staff to take cyber security seriously in every aspect of their role.
The NCSC believes that a life-threatening cyber-attack in the UK is almost assured, given the wide-range of threats both domestically and internationally. The threat may come from a botnet, a targeting phishing attack, ransomware, spyware, a trojan horse, virus, or a ‘distributed denial of service’ (whereby a website is rendered inaccessible by being inundated), or any other mechanism which not even exist yet – ultimately as a business leader it is your job to ensure your business is shielded from any attack. Regardless of where is comes from, whether in the early hours of the morning, and no matter how ingenious, by placing cyber security into the core of your business risk management strategy and culture, you will ensure your business does not suffer serious consequential losses.