While more and more companies are embracing technology to transform their business and drive growth, too many are forgetting the need to equally prioritise cyber security to mitigate against the risks that come with increased technology use, writes Peter Barnsley, Director Cyber Security at the cyber firm 6point6.
More technology means more entry points for cyber attackers to infiltrate a business, disrupt operations or steal sensitive data. This lack of prioritisation often stems from a lack of cyber representation at the top level responsible for creating business strategy. The board of directors must ensure they fill the vacuum of cyber risk awareness and understanding, and provide cyber security with the investment it needs to operate successfully.
If SMEs want to introduce more technology into their business, they need to ensure there is an accompanying focus on cyber security and this is best approached with a designated cyber leader. This is an ongoing issue even in larger companies where cyber security has previously been tacked onto another board member’s responsibilities, often those dealing with risk management within the company. Many don’t have direct cyber experience and so cannot make informed decisions necessary for a successful cyber security strategy.
Too often boards will focus on reducing cost instead of setting aside investment for managing cyber risk. This can stem from a lack of awareness of the risks relating to cyber security and the potential disruption and damage a cyber incident can cause. Having a cyber leader with experience in the industry represented on the board, most appropriately as a CISO, can introduce better awareness and understanding of cyber security. Ultimately this ensures that a bespoke strategy is implemented and that the cyber team is awarded the appropriate investment and resources needed to protect the company.
Feeding into risk management
While companies will typically have a general risk management strategy in place already, it’s time for cyber risk management to be given high priority within that arena. Often risk management is not given the correct time and attention at the higher level, with some board members potentially unaware of their key risk indicators or what the company’s risk appetite is, let alone what cyber threats the business will be facing. Companies may end up with pockets of good practice dotted around the business when it comes to risk management simply based on which members of staff have the correct knowledge and experience.
To ensure that good practice is adopted by the entire company, it must start from the top. Ensuring there is an appropriate cyber leader can help the board understand the finer details of the cyber risks the business is exposed to and the potential consequences of a cyber incident. In turn, the cyber leader can then create a bespoke strategy for approaching cyber risk management.
This should always begin with a cyber maturity assessment to understand and dissect the cyber weaknesses within the company – be that people, process or technology – and the potential ways these vulnerabilities may be exploited. Based on this assessment, the cyber leader can create and deploy the appropriate security strategy to mitigate these risks.
The cyber strategy must include both proactive and reactive security policies to ensure that as much as possible is being done to prevent cyber attacks and that in the event an incident occurred, the company would be able to immediately respond with the most appropriate actions. Often labelled as Business Continuity and Disaster Recovery planning, it’s important in helping companies prepare for any incidents such as data breaches, ransomware attacks or system outages. Businesses should have appropriate measures in place to ensure operations can become fully functional again, as well as policies to tackle any other side effects such as reassuring clients and customers and protecting the company’s reputation.
While it is not always possible to prevent a cyber incident from happening, having a cyber leader and strong governance within the company to enact real change will help drive down the number and scale of incidents. A cyber leader can ensure a consistent approach to risk management can be achieved, providing the company with the necessary tool sets to mitigate risks. Having a CISO function or similar will also aid compliance if any cyber incidents need to be referred to any regulatory bodies. While their role is cyber-specific, a cyber leader is ultimately working to safeguard the company and its operations, protecting its assets, finances and reputation.
