Getting it in front of the board
For any security regime to be truly successful it must be sanctioned and driven from the executive board level to ensure it sweeps down through the organisation and is taken seriously.
It is however, relatively rare to see a board level executive with responsibility for security. Typically this falls to a CIO or someone who has authority rather than advisory powers, often just below board level.
The government guide quite rightly suggests that cyber risk should be addressed regularly at board level. This would be a significant step and one that shows cyber security is being taken seriously.
Consequences of failure
Time and again we see instances where cyber security isn’t taken seriously and the consequences for the companies involved can be huge. In the US, Target a national retailer suffered a serious breach in which 40 million credit and debit card details and 70 million customer records were stolen.
The breach had a devastating effect on reputation and revenues plunged by a staggering 46 percent in a quarter-on-quarter comparison.
In the UK, TalkTalk CEO Dido Harding was also under pressure following a breach of a customer database. The company had clearly learned lessons from other major breaches such as Target and Sony, and didn’t attempt to confuse the issue. It quickly came clean about the breach.
When interviewed by national TV, Harding put on a brave face and accepted responsibility however, it was quite clear that she was out of her depth in talking about the breach and whether data was encrypted or not.
Taking it seriously
The one way to get the interest of board members is to speak to them in a language they understand such as potential reputational damage, the impact on revenues, loss of customers and other strategic issues.
With the Information Commissioner handing out fines of up to £500,000 for leaking customer data, it is not a subject to take lightly. These points may seem dramatic however it reflects the seriousness of cyber-breaches.
Identifying vulnerabilities that can lead to a breach is achieved by carrying out a risk assessment. In fact, this is the first essential step in developing and implementing a security policy. A risk assessment requires a thorough analysis of a company, its assets and its value. Typically this is intellectual property and customer details.
Asking the right questions
It’s important to ask questions when dealing with cyber security. Where is data stored? Is the database secure? Is the website secure? Where does data travel in and out of the network? What is the BYOD policy? Are software updates carried out regularly? Who has responsibility for network security?
Once you have the answers to the above questions, a security policy can be developed along with an Information Risk Management policy. This will outline any areas of responsibility, compliance requirements, incident management, monitoring and reviews and so on.
A lifecycle approach is also essential to risk management, where policies undergo regular review to take account of new developments. For instance, if the organisation is beginning to incorporate Internet of Things technology into operations this needs to be taken into account, with vulnerabilities assessed and security enabled.