Why board level commitment is a vital part of cyber defence
It is difficult to defend against an attacker who only needs to succeed once. Security systems might defend an organisation 99 times out of 100 but faced with a relentless campaign which identifies and targets any cracks, it is almost inevitable that at some point, somewhere, the attacker will succeed.
Data and personal information are valuable commodities, and their theft is the most common form of cyberattack. Recent high-profile hacks have demonstrated the vulnerability of even very large organisations like TalkTalk and the NHS. These prompted the Government in November 2016 to announce a £1.9 billion investment to help UK businesses protect themselves.
New legislation is also imminent to provide organisations with a robust data protection framework in which to operate. If the hackers are the criminals, these are the laws that the relevant authority (the Information Commissioner’s Office) enforces. Failure to comply with the new Data Protection Bill and the General Data Protection Regulation (GDPR) from May 2018 will result in significantly higher levels of fines. This has certainly focused the attention of many of the FTSE 350 boards surveyed in the recent Government Cyber Health Check.
The report found that awareness of GDPR is good, with 97 per cent of firms saying they are aware of the new regulation. But levels of readiness vary: 71 per cent said they are ‘somewhat prepared’ to meet the requirements of GDPR, but only 6 per cent are confident that they are fully prepared.
This is perhaps not surprising given that only 13 per cent say that GDPR is regularly considered at board meetings. This is dangerous thinking. When it comes to data protection it is simply not reasonable or effective to make it the sole responsibility of the IT department. The same is true of cyber defence. These are board level issues and need to be embedded into the board’s approach.
It is no longer acceptable to simply be reactive; every board should be proactive, with an assessment of current risk and a review of potential security issues as regular items on its agenda. A security sub-group can effectively manage this vital aspect of the business, but it must have board-level endorsement and input. The aim should be to implement a company-wide cyber security strategy which is constantly challenged and reinforced.
Given that the threat landscape is always changing, another essential element of every organisation’s cyber defence should be a strategic plan for the event of a breach. To minimise its impact, swift remedial action is vital. A strategic plan will help to ensure effective business continuity and protect against loss of income and reputation. This plan may include working with Retained Forensics (PFI) experts. Not only can they assist the board in implementing a robust and strategic defence, but if (or when) a breach occurs, their detailed knowledge of a company’s systems will help ensure business continuity and minimise the damage to finances and reputation.