Cyber risks should be high on the risk management agenda of all businesses as incidents hit the headlines with increasing frequency. In this guide we look at how businesses can understand and manage cyber risk.
Cyber risk can be grouped broadly into two types:
- Operational cyber risk concerns the risk to business continuity if organisations are denied their electronic systems.
- Information cyber risk arises because of the digitisation of data and information. Never before have organisations been able to hold and transfer so much data with such speed and ease. A significant part of information cyber risk relates to the growing legal regulations and sanctions associated with data.
It is important to note that neither operational nor information cyber risk are limited to hacking incidents. Exposure to such risks can arise from employee and software errors. Nowadays, virtually every organisation operates electronically in some way and therefore faces a cyber exposure.
Managing cyber risks
The operational, financial, legal and reputational exposures arising out of cyber risks are becoming clearer by the day, fuelled by publicity and a compensation culture around privacy as well as increased regulation in the form of the General Data Protection Regulation (GDPR) which came into force in May.
Organisations should look into which preventive measures (risk management) they can use and how well equipped they are to react to an incident. Some specialist cyber insurance policies offer policyholders assistance with the management of cyber risk including access to legal and cyber experts in the event of a claim.
Not all cyber risks can be anticipated or prevented, so an effective insurance policy will help organisations to respond to cyber incidents and should form part of any risk transfer exercise.
The National Cyber Security Centre (NCSC) has published a 10 steps to cyber security guide which will help any business to understand how they can be more secure:
10 Steps To Cyber Security
1. Risk Management Regime
Embed an appropriate risk management regime across the organisation. This should be supported by an empowered governance structure, which is actively supported by the board and senior managers. Clearly communicate your approach to risk management with the development of applicable policies and practices. These should aim to ensure that all employees, contractors and suppliers are aware of the approach, how decisions are made, and any applicable risk boundaries.
2. Secure configuration
Having an approach to identify baseline technology builds and processes for ensuring configuration management can greatly improve the security of systems. You should develop a strategy to remove or disable unnecessary functionality from systems, and to quickly fix known vulnerabilities, usually via patching. Failure to do so is likely to result in increased risk of compromise of systems and information.
3. Network security
The connections from your networks to the Internet, and other partner networks, expose your systems and technologies to attack. By creating and implementing some simple policies and appropriate architectural and technical responses, you can reduce the chances of these attacks succeeding (or causing harm to your organisation). Your organisation's networks almost certainly span many sites and the use of mobile or remote working, and cloud services, makes defining a fixed network boundary difficult. Rather than focusing purely on physical connections, think about where your data is stored and processed, and where an attacker would have the opportunity to interfere with it.
4. Managing user privileges
If users are provided with unnecessary system privileges or data access rights, then the impact of misuse or compromise of that users account will be more severe than it need be. All users should be provided with a reasonable (but minimal) level of system privileges and rights needed for their role. The granting of highly elevated system privileges should be carefully controlled and managed. This principle is sometimes referred to as ‘least privilege’.
5. User education and awareness
Users have a critical role to play in their organisation’s security and so it's important that security rules and the technology provided enable users to do their job as well as help keep the organisation secure. This can be supported by a systematic delivery of awareness programmes and training that deliver security expertise as well as helping to establish a security-conscious culture.
6. Incident management
All organisations will experience security incidents at some point. Investment in establishing effective incident management policies and processes will help to improve resilience, support business continuity, improve customer and stakeholder confidence and potentially reduce any impact. You should identify recognised sources (internal or external) of specialist incident management expertise.
7. Malware prevention
Malicious software, or malware is an umbrella term to cover any code or content that could have a malicious, undesirable impact on systems. Any exchange of information carries with it a degree of risk that malware might be exchanged, which could seriously impact your systems and services. The risk may be reduced by developing and implementing appropriate anti-malware policies as part of an overall 'defence in depth' approach.
System monitoring provides a capability that aims to detect actual or attempted attacks on systems and business services. Good monitoring is essential in order to effectively respond to attacks. In addition, monitoring allows you to ensure that systems are being used appropriately in accordance with organisational policies. Monitoring is often a key capability needed to comply with legal or regulatory requirements.
9. Removable media controls
Removable media provide a common route for the introduction of malware and the accidental or deliberate export of sensitive data. You should be clear about the business need to use removable media and apply appropriate security controls to its use.
10. Home and mobile working
Mobile working and remote system access offers great benefits, but exposes new risks that need to be managed. You should establish risk based policies and procedures that support mobile working or remote access to systems that are applicable to users, as well as service providers. Train users on the secure use of their mobile devices in the environments they are likely to be working in.