By 2022 it’s predicted that the number of people online will have reached six billion (Source: Cybersecurity Ventures), and the volume of data is expected to increase from 33 Zettabytes in 2018 to 175 Zettabytes by 2025 (Source: IDC). Defending this data from organised cyber crime is a significant challenge that every business must embrace.
There is a common misconception that cyber security is an IT issue and that responsibility for managing and maintaining safety measures sits firmly with the IT department. This overlooks the importance of establishing effective processes and ensuring that a cyber security culture is actively driven by the Board. We identify below four critical areas that, if addressed, will significantly mitigate cyber-related exposures.
Information Assets and Responsibilities
Firstly, define the primary information assets that are critical to your business and that need to be protected.
Then consider the risks associated with those information assets and the potential business impact should they be compromised. Taking this approach ensures that you focus investment in cyber security where it can have the most direct impact.
Bear in mind that the information that you hold may also be subject to data regulations. In particular, it’s vital to consider the impact that the EU General Data Protection Regulation (GDPR) has on how you manage your data.
The Focus of the Board
Effective cyber security requires a combination of people, process and technology. The Board should take the lead and appoint a Board member with specific responsibility for cyber security. That person should focus on defining and managing cyber risks, and on establishing a cyber security strategy and a cyber-aware culture within the wider organisation.
Building a cyber-aware culture within your organisation is key. Remember that a substantial portion of risk derives from people, not technology. Staff should be trained in cyber security so that they understand the risks and commit to your cyber security culture. By actively preparing for a potential attack, e.g. by simulating a spear phishing attack, you will increase awareness internally and prepare staff for similar events in the future.
Process and Controls
Operational-level cyber protection requires dedicated leadership. Organisations should appoint a Chief Information Security Officer or, in smaller businesses, make a senior staff member responsible for cyber security on a daily basis. It is their role to ensure that processes and technical controls operate effectively, including areas such as patching servers and backing up your data. Other responsibilities will include:
- Processes and policies, e.g. mobile devices, data protection, passwords.
- Technology controls, e.g. firewall, intrusion detection.
- Cyber security training and testing.
- Audit to verify capabilities.
Your organisation’s compliance with recognised cyber security standards should also be considered, with initiatives such as Cyber Essentials or Cyber Essentials Plus being a good starting point.
Cyber Incident Response Plan
The Cyber Security Breaches Survey 2019, endorsed by the UK Government, found that 60% of medium-sized firms had identified a cyber breach, yet only 38% had a formal cyber security incident process in place. There are no guarantees when it comes to cyber security, so businesses must be ready to respond when the worst happens. This can be a critical time, where decisions are made on a limited understanding of the situation. An incident response plan requires a multi-skilled team, which includes:
- A crisis management team to head up the leadership response.
- A communications team to manage the response to your staff, customers, suppliers and regulators.
- An incident response team to determine the facts and manage the restoration of business-as-usual.
- External advice, including legal, forensic and PR.
A tested plan will help your organisation to manage the incident and the recovery, as well as protecting your customers, employees and reputation.
Intuitus’ due diligence services include a cyber security assessment service. Led by a security-certified (CISSP) consultant, this provides a tailored, comprehensive assessment of an organisation’s cyber security arrangements and defines a target level of cyber security maturity specific to the business, sector and investment thesis. Organisations will benefit from an actionable report and roadmap, which aligns any necessary cyber security investment directly to the needs of the business and its risk profile. A cyber security assessment may form a component of buy-side or sell-side due diligence, or part of a review of an existing portfolio, perhaps with an eye to exit readiness. The assessment can be repeated over time to demonstrate an ongoing reduction in value drag within a portfolio company.