Boards must educate themselves on cyber, or risk high cost and damage, says Richard Anning, ICAEW Head of IT, talking to CEO Today below about the mass of companies being targeted in cyber threats.
Cyber security has been headlining the news recently, with some high-profile cases resulting in huge costs and damage to the businesses involved. It’s hard to ignore what is currently one of the biggest threats to business, but easy to suspect that many have the opinion that ‘it will only happen to other people’.
The reality is that, while breaches at larger companies are of interest to the media, what is often not reported are the smaller companies that are also being targeted – and actually suffering more. The truth is that every organisation is at risk, and everyone has data worth stealing.
It is surprising, then, that at board level cyber security doesn’t seem to be a top priority for some companies. What is even more surprising is that one third of businesses that have experienced a cyber incident in the last 12 months have not changed anything. Cyber breaches can cause businesses to lose clients and business partners and cause reputational damage – so why are boards not taking action? According to the Cyber Security Breaches Survey 2017, where businesses say cyber security is a low priority, the reason given is that it is ‘not relevant’ to their organisations. However, 29% of businesses giving this reason were victims of a cyber attack in the last 12 months, suggesting the reality is rather different.
The best ways to increase cyber security are to ensure top-level management is involved and to introduce employee training. Cyber threats can be internal, arising from human error, negligence, fraud or an HR incident. It is therefore vital to train people within the business on both preventing a breach and reporting one, especially with the implementation of the General Data Protection Regulation (GDPR) next year. Strategy and process-related steps are important in cyber management – and do not necessarily mean major cost. Raising visibility of cyber threats in your business will go a long way towards preventing them.
As awareness of cyber security increases, cyber insurance is something businesses might begin to consider – many already will have. In the US, mandatory reporting of financial breaches has increased visibility of the problem and made cyber insurance very popular. Here in the UK, we are just 10 months away from implementation of GDPR, which is likely to have the same effect on cyber insurance here. GDPR will require certain types of data breach to be reported to the relevant authority, and in some cases to the individuals affected. This should be a cause for concern, as the consequences of failing to comply are not light. Failing to notify a breach can result in a significant fine, up to 10 million euros or 2 per cent of the company’s global turnover. Moreover, as the timescale for reporting a breach is relatively tight (72 hours from the business becoming aware of it), it is vital to have strong breach detection and reporting procedures in place.
The cyber insurance industry has the potential to help protect businesses, and so it is important to make sure cover is easier to understand. The evolving nature of cyber threats is a huge concern for business, but worryingly many businesses seem to be deterred from taking out insurance as they would have to undertake other security measures first. Another problem is that cyber insurance can present significant complexity and be difficult to understand. The industry is one of the fastest growing areas worldwide, with many different insurers offering a range of policies. To a board that is not tech-savvy, this could be overwhelming.
One of the more important things businesses should look out for is good claim response time – being able to respond quickly to a breach is vital, not just to minimise the damage but to protect the reputation of the business. Some insurers will have a panel of experts on hand, such as IT forensics, legal and PR – whereas others will operate in a similar way to other insurers. The traditional process means the affected business will need to source a firm, get the costs approved by the insurer and then claim the money back afterwards. This is more expensive and less time-efficient. Without any cyber security management or insurance in place, the average cost of a cyber attack for SMEs is £1,380. When we consider that one third of businesses surveyed reported a cyber attack once a month, and 13% reported a breach every day, the annual cost could be huge.
Cyber security management needs to become a top priority for all boards, as every organisation is at risk – no matter what size. Education is vital. Top-level management will want to educate themselves on GDPR, the potential of cyber insurance and the importance of good cyber security management – but will also find it beneficial to educate their workforce on the importance of increased security. Ultimately, no business can protect itself completely, but there are steps that can be taken towards minimising this common, but serious, risk.