How Boards Should Deal with Cyber Threats (£)
With customer and client relationships, IT, press relations and commercial finance now so closely linked, businesses must give more time and thought to their online assets, to how those assets are exposed to cyber threats, and to the lack of market research behind many of the decisions taken about them.
Most businesses have been affected by cyber-attacks last year and this year. For businesses above the £10 million turnover scale the cost of an incident now often runs into hundreds of thousands of pounds, and others are still severely affected.
More than half of the larger businesses (over £10 million turnover) and 70% of smaller businesses (below £10 million) have proper cyber-hack insurance cover. Yet in 2015 around 85% of UK businesses were hacked, and the costs doubled compared with 2014: insurance cover on its own does not prevent the breach or the disruption that follows.
The amount of management time the issue now takes up has grown significantly. It requires a clear strategy and a planning cycle, reported briefly but accurately to the Board at least once a month.
There is still a real need for cyber understanding to be given clearly to Board members. Each should have specific knowledge of the systems the business uses, their age and capability, and the problems that can arise from system functions and connections.
Security and insurance are not the only major issues. Continued cyber presentations and education should be available to the Board and to employees, covering the obvious areas of concern as well as the use of personal computers and the security of the links used to access business systems. Improving employees' IT knowledge, and how they apply it in their particular jobs, should also be discussed.
There is also a real need to appreciate how the market, jobs and competition are changing in this environment, and how competitors analyse and use cyber capabilities to understand and compete in changing global marketplaces.
Do you have a clear and regularly updated diagram of the systems used and accessed by your business and its employees? And do you have a plan for responding to a hack attack?
According to research undertaken for CSI more than 70% of Directors reported that their Boards were discussing cyber security and that this was a significant improvement on previous years.
In the US, 47 states have laws requiring businesses to notify individuals affected by a security breach. Massachusetts goes further and requires businesses handling personal information to implement a comprehensive written information security programme, including employee training and regular audits of the programme itself.
The EU General Data Protection Regulation (GDPR), effective 25 May 2018, will require businesses to provide "sufficient guarantees to implement appropriate technical and organizational measures" to protect the personal data of their customers and employees, including encryption of personal data and a process for regularly testing, assessing and evaluating the effectiveness of security measures. Canada, Germany, Israel and South Korea also have information security rules that apply.
In many parts of the world, however, these measures are not easy to put in place. What appear on paper to be quite sensible requirements are in practice often complex to implement and impossible to guarantee.
Conclusions
Cyber security is no longer solely an IT issue. The Board must be cyber educated and aware of the business issues and the actions required. It should also be aware of, and make use of, the opportunities that cyber analysis offers to different parts of business planning and implementation.
Businesses and organisations must be aware of these risks and security requirements, but they should also take notice of the opportunities that cyber analysis offers to their marketing, product development and sales areas.
For the Board and management, the priority is protecting customer and employee data, financial records and valuable intellectual property. But because no cyber security programme is perfect, the more realistic goals are to ensure that system checks and audits take place regularly, that legal and governmental obligations are implemented on time, and that the whole process is operationally defensible.