Given that the Petya ransomware attack in June paralysed thousands of companies worldwide – and that a firm breaching the EU’s General Data Protection Regulation (GDPR) next year could be fined up to €20m (£18m) – cyber security is clearly a crucial issue for all businesses. But a recent IoD survey has found that, while 91 per cent of members regard it as important, only 57 per cent have established a formal cyber security strategy. The IoD’s Information and Advisory Service has the following guidance for the many that have yet to act.
The board is ultimately accountable for the protection of corporate systems. So says Richard Benham, Oxford professor of cyber security management and the author of a 2016 IoD policy report entitled Cyber Security.
“This issue must stop being treated as the domain of the IT department and be the subject of boardroom policy,” he stresses. “Businesses need to develop a cyber security policy, educate their staff, review supplier contracts and think about cyber insurance.”
Analyse the risks
Directors need to ask themselves: how confident are we that our key information assets are protected? Who might compromise their security? What forms might the threat take? What effects could an attack have? Doing this will help you to implement suitable controls and determine what good practice looks like. Repeat the procedure regularly, continually reassessing the effectiveness of your measures. If a third party manages your IT services, review your agreements with it and ensure that those handling your data also apply these controls.
For a detailed breakdown of this approach to risk management, see the National Cyber Security Centre’s 10 Steps to Cyber Security report, which is used by most of the FTSE 350.
Know the law
Ensuring that your business follows the strict data protection principles outlined by the Information Commissioner’s Office (ico.org.uk) and enforced by the Data Protection Act 1998 will help to shield it from attacks, prosecutions, fines and reputational harm. These stipulate that the data held and processed by your firm must be kept securely; be used fairly and lawfully for specific, limited purposes; and not be moved outside the EEA without adequate protection. Also, planning and implementing the changes that your firm needs to make to comply with the GDPR now will ensure its readiness for the legislation when this comes into force in 2018.
Get the fundamentals right
Applying basic, effective measures to protect your company’s systems will mitigate many of its cyber risks. You should download and install software updates as soon as these become available, as they usually contain security patches. This may seem obvious, yet a large number of firms still fail to do this. Similarly, use strong passwords; delete all suspicious emails, which could contain malware or be phishing attempts; and always use up-to-date anti-virus software.
The most crucial measure is to train all staff in these basics and keep them abreast of the latest threats. Human error is often at the root of a breach – the mere opening of an email attachment by an unwitting employee could cause one. You therefore need to develop a security-aware culture. The government’s Cyber Essentials scheme (cyberaware.gov.uk/cyberessentials) is a good starting point for this. Setting out five controls to reduce your company’s vulnerability, it’s suitable for organisations of all types and sizes.
Insurance is not yet widely viewed as a cyber security measure. Indeed, only 20 per cent of IoD members have taken out such cover for their firms. But products in this area can insure against a range of risks, including network security liability, data and software damage, business interruptions and reputational harm. Although some events, including the theft of intellectual property, remain uninsurable because the associated losses are hard to prove and/or quantify, insurance is likely to feature heavily in any effective cyber strategy in the near future.
Visit iod.com/information for further details about the Information and Advisory Service. This encompasses the Business Information Service (iod.com/research); the Directors’ Advisory Service (iod.com/advisory); and helplines offering tax advice (iod.com/taxline) and legal guidance (iod.com/lawexpress).