Cyber Risk Management is not purely a matter for the IT manager to assess but should be a prominent feature within an organisation’s risk management function. From the boardroom downwards there needs to be a thorough understanding of the constantly changing technology-related business risks.
All types and sizes of organisations are at risk, but some are targeted more than others, namely on-line retailers, hospitals, financial services firms, hotel chains, educational establishments and infrastructure organisations.
Management Special Interest Group (SIG) conducted extensive research into the dynamic issue of cyber threats to business, governments and global enterprises and has produced a practical guide for risk professionals and senior executives to help them understand the issues of cyber risk.
It is a concern that many companies still don’t have a full appreciation of cyber risk management, and this mentality must change in today’s constantly changing business environment.
No business is 100% secure from cyber crime or a data breach, so businesses should allocate adequate resources to build a high level of resilience able to combat the majority of threats.
In drawing up a comprehensive risk management plan, a business should list what it considers to be its main risks and then decide how it wishes to protect against them.
Typical risks that should be reviewed are as follows:-
- The value of their intellectual property
- Where is their data held and what type of data is it?
- Does the company rely on third-party providers for technology or services?
- Contractually, what recourse does a business have against a third-party provider in the event of a technology incident or security breach?
- Does the business use a cloud provider?
- How old is the business’s software, is it patched regularly, and when was it last upgraded?
- How secure are the business’s anti-virus and firewall defences, and when were they last tested by an outside penetration testing company?
- Does the business utilise intrusion detection devices?
- Are employees trained to deal with an attempt to access the network? Would they recognise a phishing attack?
In response to this, the following are good starting points for managing these cyber risks:-
- Consider the appointment of a cyber security specialist to carry out an external review.
- Ensure the business continuity plan (BCP) is up to date.
- Ensure a disaster recovery plan (DRP) is in place.
- Assess the need for cyber liability insurance to manage cyber risks that you consider still pose a security threat to the business.
Cyber risk management is very much a moving target: as hackers become more sophisticated in their attacks and techniques, anti-virus software that may have been effective six months ago could be outdated now, so it is very important that businesses try to stay ahead of cyber threats in this dynamic environment.