be tackled with insurance alone. In some cases, even a significant insurance pay-out may prove inadequate in the face of sliding customer confidence and corporate reputation.
Hackers are increasingly playing the long game: a number of recent high-profile incidents have shown that perpetrators were able to maintain access for weeks or even months before the breach was discovered. In reality, not all hacks can or will be prevented.
Corporate Britain must, therefore, take responsibility, alongside the insurers carrying the underwriting risk, for improving cyber resilience. It is a process that should start with a wide-ranging security assessment carried out by an external third party. The assessment is an in-depth review of the company’s risk profile, based on the specifics of how it does business, how its network operates and the kind of information the company holds. In scope, the assessment is much wider than a traditional IT audit, whose primary focus is to confirm that the company meets a predefined security standard. Through this assessment, companies can prioritise their security needs and make intelligent decisions about what they need to do to reduce their actual risk, not just to meet an arbitrary and often inapplicable standard.
Relying on an IT audit alone amounts to 'checklist syndrome', in which the security strategy fails to address real-life business risks even though the demands of the security standard were met on paper. While standards are important, it is worth keeping in mind that almost every high-profile breach in the recent past occurred after the company concerned had passed its IT audit and been certified as compliant with the relevant security standard. By contrast, a security assessment allows management to judge the company’s central risk profile and take steps to reduce that risk.
The security assessment will determine the extent to which security is seen as a companywide priority, as IT security cannot be the exclusive domain of the IT team. Everyone involved in using the IT systems has a crucial role to play. Organisations should aim to foster an environment where users are alert to what a threat may look like and know how to respond and who to contact, without fear of reprisal.
Imposing IT policies from the top, without setting out why a particular policy is being implemented, is fundamentally flawed. Users need to understand the rationale behind IT policies; only where individuals understand why restrictions have been introduced will they stop bypassing or undermining those rules and, inadvertently, creating new vulnerabilities in the process.
Education is not only useful for ensuring compliance with security standards; it is also critical to ensuring that users do not become the weak link in the security chain. Individuals must be taught to be vigilant about email-borne attacks such as phishing, which makes it harder for attackers to catch someone unaware. However, this is not the end of the process. Users also need to understand what to do, and whom to tell, if they suspect a problem after clicking on a suspicious link or opening an unexpected file.
Careless executives or disgruntled employees represent a significant risk to cyber security, according to a poll of US companies. The Stroz Friedberg 'On the Pulse: Information Security Risk in American Business' survey found that a key challenge for companies is to strengthen cyber security from within: 87% of senior managers regularly use personal email or cloud accounts to work remotely, placing corporate information at much greater risk of being breached. The survey also found that more than half (58%) of senior managers reported having accidentally sent sensitive information to the wrong person, compared with just one quarter of workers overall.
The concerns raised by US insurance executives over the heightened risks of cybercrime are not universally recognised by senior business leaders, with reports suggesting widespread indifference to data security. However, as further evidence emerges of corporate systems being penetrated by hackers, executives will have no option but to accept their governance, legal and regulatory obligations. The financial services sector must play its part in ensuring that organisations take steps to safeguard sensitive and confidential information.