Managing Corporate Risk in Cyberspace
Tom Martin-Ball, Alcumus ISOQAR’s Information Security Sector Manager, explains how businesses can enhance cyber security by investing in management standards.
The more devices we connect to the 'Internet of Things', the more we expose our organisations to attack.
Four out of ten businesses suffer an attack each year, and recent statistics show that 11% of those who reported an attack revealed it had cost them more than £50,000. Yet far too few organisations have adequate defences.
It’s easy to see why criminals are attracted to this arena: it’s hard to police, the chances of getting caught are low - as are the penalties - and the prizes are potentially vast. Many hackers enjoy it for the sheer devilment.
So what can you do about it, and why aren’t more organisations taking it seriously?
The General Data Protection Regulation (GDPR) caused many to sit up and establish policies regarding the collection and storage of personal data. But for the most part the scope of those policies has not extended to cover the wider challenge of cyber security.
The government's Cyber Essentials (and Cyber Essentials Plus) certification scheme, which encourages organisations to implement basic technical controls themselves, is a good starting point but has its limitations and has seen low take-up.
The reality is that the number and seriousness of attacks could be reduced if senior management gave higher priority to this issue.
The National Cyber Security Centre's 10 Steps to Cyber Security guidance places 'Risk Management Regime' at the top and identifies this as a board-level responsibility. It's essential that the same level of rigour is applied to assessing cyber risks as to any other aspect of the business. The NCSC says that this can be achieved by "embedding an appropriate risk management regime across the organisation, which is actively supported by the board, senior managers and an empowered governance structure". At the same time, it is important that the board balances risk against opportunity, and this can only be achieved at a strategic level. Risk decisions taken within a dedicated security function, rather than across the organisation, may focus solely on achieving high levels of security. This may result in an overly cautious approach to risk, leading to missed business opportunities or additional cost.
By far the best way of taking control of cyber security is through the use of management systems.
The holy trinity when it comes to cyber security includes:
ISO 27001 - Information Security Management
ISO 22301 - Business Continuity
ISO 20000 - IT Service Management
These three standards help ensure that at strategic and operational levels you have systems in place to protect your organisation against attack, limit any damage and get back up and running as swiftly as possible.
Learn more about the role of certified management systems in cyber security by downloading our whitepaper Managing Corporate Risk in Cyberspace.