The cyber health of an organisation can be measured with some accuracy. A company’s attitude towards its cyber security, training, accreditations and insurance gives a clear picture of how well that individual firm manages cyber risk.
For many firms, however, their measured score on this topic would be disappointingly low. Cyber risk has been a buzzword for the last three or four years, and corporate focus has heightened further due to the GDPR legislation, which shifted responsibility for data security firmly into each individual firm’s lap.
Firms such as British Airways have lost or been fined millions for cyber breaches, and many organisations, including NHS hospitals, have had their operations closed down temporarily by cyber hackers.
Human nature is the problem
But human nature is amazingly resistant to change. In spite of numerous high-profile attacks in the last couple of years, there is still a fundamental lack of true cyber awareness in many businesses and a low adoption of cyber basics. Just take a look at your own online profile and consider the following statements.
- We all know we should change our passwords often (but rarely do).
- We all know that we shouldn’t open suspicious-looking emails and links, but we often do it anyway.
- Many organisations have outdated firewall and anti-virus software, in spite of having teams dedicated to managing their cyber security.
Training can help
The unpalatable truth is that the cyber security community is beginning to understand that corporate firms need government support. This is most important in the areas of education and training. In most regulated industries there is a requirement to Know Your Customer (KYC). It is also mandatory for the company to deliver ongoing training and learning programmes to all staff, as well as CPD (continuing professional development), and compliance training.
Love or hate the regulated environments that exist, they promote and maintain high levels of safety and financial security for the industries they serve.
By contrast, the 2019 UK government survey on cyber security found that only 38% of small firms were aware of government cyber security initiatives and accreditations, rising to 48% in large firms*. However, 80% of the cyber-attacks occurring every year could be prevented by adherence to the five controls recommended by the UK Cyber Essentials training programme.
Now, for the first time, decisive steps are being taken by the government to provide education and training, and firms need to be aware of them. The Cyber Essentials Scheme was first off the blocks. This is the UK government accreditation, designed to educate the workforce, and protect organisations from the most common cyber-attacks. Find out more at https://www.cyberessentials.ncsc.gov.uk
The Cyber Essentials programme had an initially high uptake but has since disappointed with low corporate retention. Many firms have slipped behind and are now non-compliant with the accreditation. This lack of focus has forced the government, for the first time, to take measures to push education in the field.
From 2020 all UK government vendors will be required to hold the Cyber Essentials accreditation and to keep it updated. This move is intended to create a non-regulated half-way house, making it important for firms to become accredited, and for the Cyber Essentials credential to become widely accepted as a prerequisite for doing business with any organisation.
Regulation is not here yet, but it is clear that the government is serious about ensuring firms prioritise and manage their cyber security. Firms who do not currently do this need to up their game.
Attack the issue on several fronts
Even if your firm is not prepared to work towards Cyber Essentials, there are other steps that can be taken. All firms, no matter how big or small, should be reviewing their cyber exposure and regularly checking that the controls they have in place are adequate. Educating the workforce is a further important step to consider. All this can then be supported by a cyber insurance policy which, if these measures fail to prevent a cyber incident, will help an organisation to mitigate the effects both during and after the event and get back on its feet again.
In summary, there is much that can, and should, be done to protect a firm of any size against this new and pervasive risk to businesses.
If you fit into the category of ‘let down by human nature’ and would like to do more to cyber-secure your organisation, here is our checklist of steps to take to improve your cyber status:
- Check your GDPR position and ensure you are compliant
- Sign up to Cyber Essentials, and ensure you stay current with training requirements and updates
- Invest in education for your workforce – helping them to behave in a safe and secure manner online
- Protect your organisation with a cyber insurance policy, should the worst happen
Tom Malcolm is Head of UK Cyber at New Dawn Risk and advises clients on all aspects of cyber cover, protection and risk. For further information please get in touch at firstname.lastname@example.org