Many of us have seen continued cyber-crime coverage in the national and global press, from large retailers such as Target, which lost up to 110m customer records, to the cyber blackmail threat against the European Central Bank in July 2014.
GCHQ also warns that cyber-attacks against small and medium-sized firms are on the rise, with well over 60% of SMEs reporting a cyber-breach in 2013. This echoes what we have been seeing on a global scale. SMEs are often a much easier target: they are less likely to invest heavily in cyber-protection and more likely to be running older legacy systems and networks. No organisation, large or small, can escape its responsibility to ensure that robust cyber security controls are in place.
Organisations also need to take a holistic view of cyber security to ensure there are no gaps. The risk created by the interconnectivity of organisations, people and third party suppliers is far too important to ignore, particularly for insurers, which typically have a large supply chain of coverholders, brokers and agents and make growing use of the cloud.
The regulatory landscape is also responding, perhaps belatedly. The Waking Shark cyber security exercise, which brought the main regulators together with the banking industry, is a good example of the deep investigative reviews we expect regulators to continue to undertake in this complex area. The 2014 FCA business plan also confirms further cross-financial-sector investigations into how visible IT risks are to Boards and whether Boards are equipped to understand emerging IT risks such as cyber threats.
We have also seen other government-sponsored initiatives, such as the Cyber Essentials scheme, part of the UK national cyber security strategy being rolled out in 2014. The scheme is useful for firms that are unclear where to start and is designed to address up to 80% of the most common cyber-attacks. Make no mistake: Cyber Essentials is a starting point only. The sheer pace of change and the continued growth in cyber-attacks mean that firms will always struggle to keep up.
Firms need to take three key steps to protect themselves against a cyber-attack:
- Firstly, test and secure your company's network. Get the basic security hardening principles right; the Cyber Essentials scheme is a very good starting point.
- Secondly, ensure effective awareness and training on good security practices. It is widely recognised that the most common entry point for cyber-attacks is via your staff, third parties and contractors.
- Finally, ensure that your Board has sufficient visibility of IT risks, including cyber threats. Executive sponsorship of your cyber initiatives, covering threats, risk mitigation, escalation and recovery, is an essential component of an effective, end-to-end cyber security framework.
For more information on cyber security, please contact a member of our team.