Tackling cyber security from the top

By Gavin Russell, CEO, Wavex.

Despite widespread news coverage and a seemingly never-ending list of high profile cyber-attacks – such as this year’s ransomware attack on the NHS or the hack on TalkTalk in 2015 – Government research[1] claims that two out of three bosses at the UK’s biggest companies have not been trained in how to tackle cyber-attacks. Further, a worrying 10 per cent don’t even have a plan in place to respond to a potential attack.

To mitigate the dangers of increasingly prevalent cyber-attacks, the Government recently announced a £1.9 billion investment to help UK businesses protect themselves. However, more needs to be done. As Matt Hancock, the Government’s digital minister said: “Recent cyber-attacks have shown the devastating effects of not getting our approach to cyber security right. These new reports show we have a long way to go until all our organisations are adopting best practice.”

The heat is on

Cyber-attacks are more prevalent than ever before, and the unfortunate truth is that it is now not a matter of if, but when. Thankfully, many boards realise this, with more than half saying they consider cyber-attacks to be one of the biggest risks they now face. Driven mainly by the threat of huge fines under the GDPR[2] and similar regulations hanging over them, boards are under increased pressure to ensure their networks are robust enough to cope with a cyber-attack.

The days when a firewall alone provided suitable protection have long gone. Boards now need to adopt a mixture of proactive security measures: frequent reviews of security-related logs, and regular vulnerability scanning to highlight possible points of weakness.


A tailored solution

Cyber-security awareness needs to come from the top. The board should review security regularly within board meetings and determine the level of risk that is acceptable. Further, they should set up a security sub-group to ensure cyber awareness buy-in from top to bottom and task them with educating those around them on the dangers of the various emerging modern-day cyber-attack vectors.

This security sub-group should meet regularly to review potential security issues and ensure the right internal focus is placed on them. It should also drive forward the drafting and adoption of a company-wide cyber security strategy, encompassing a set of best practices that covers every eventuality and outlines everyone’s role in the event of an attack.

For these strategies to be truly beneficial though, each one needs to be specifically tailored to the nature and needs of the business it intends to protect; simply taking someone else’s strategy and swapping the names around will not yield any positive results. 

Lifting heads from the sand

Historically, many organisations’ approach to cyber security was just a reactive one, only doing something once they had experienced a breach. Prior to this they would blissfully bury their heads in the sand. However, with research finding that just under half (46 per cent) of all businesses in the UK have detected at least one cyber-attack within the last 12 months[3], they need to be more proactive. In fact, of those businesses that had admitted detecting an attack, over a third (37 per cent) said they typically experience an attack at least once a month, while over one in ten (13 per cent) said they now come under attack every single day. 

The tide has certainly turned regarding acceptance of the fact cyber-attacks are now almost inevitable. Security is at the top of almost every organisation’s agenda, and budgets have become larger. However, there is still a lot more that needs to be done for companies to approach cyber security effectively.


Time to be proactive

Businesses need to adopt a proactive approach towards cyber security. No longer can they afford to simply sit back and wait for an attack to present itself before considering the most appropriate way of dealing with it; the threat is too great and the consequences too severe. All businesses – no matter their size or sector – need to transition from an ‘if’ to a ‘when’ mindset. This involves proper preparation and comprehensive planning for any potential cyber-attack scenario. 

As cyber-attacks grow in both sophistication and frequency, the board has an increasingly important role to play in protecting the business and helping mitigate risk. Effective 21st century cyber security requires a multi-layered approach that constantly evolves to meet the needs of the business and address the ever-changing threat landscape.

A large part of this includes involvement and buy-in from the entire organisation, top-to-bottom. It also requires a significant focus on mitigating the risk of human error through user education programmes, as users remain the most common point of failure.

By taking all of these points into account and developing a thorough plan that is communicated across the organisation, you can ensure a much stronger level of defence against all common forms of cyber-attack.



[1] https://www.gov.uk/government/news/two-in-three-bosses-at-britains-biggest-businesses-not-trained-to-deal-with-a-cyber-attack

[2] https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

[3] https://www.gov.uk/government/news/almost-half-of-uk-firms-hit-by-cyber-breach-or-attack-in-the-past-year
