‘…cyber security is a business risk. And it needs to be treated like one. That means you have to understand it. People at board level need to understand the basics of cyber attacks, cyber risks and cyber defences.’
NCSC
Risk management isn’t a mystery to the world of business. We’re all familiar with the notion of identifying potential risks to systems or assets, analysing their possible impact and taking precautionary steps to avoid them. Whether the risks are legal, financial, or operational, anyone with their head screwed on knows how vital it is to second-guess what could loom around the corner and take action to prevent or minimise disaster.
But there’s a new kid on the block now – cyber risk management.
With society increasingly reliant on digital technologies there is an expectation – often a regulatory requirement – that these technologies will be safe, reliable and confidential. But obviously things can – and do – go wrong, sometimes with major financial and reputational consequences.
No organisation has a magic money tree, or a crystal ball to predict when, how or where a cyber attack could materialise, so some shrewd decisions are needed about how to invest in effective management of the risk.
Luckily, as we mentioned in our last blog, cyber risk experts like Hexegic are on hand to help you figure out how to do this, and some of the clearest advice we’ve found is from the National Cyber Security Centre (NCSC), whose ‘10 Steps to Cyber Security’ guidance sets out the key building blocks of confident cyber security.
The first of these is establishing a clear and robust risk management regime, approached with the same rigour and importance you’d attach to your financial, legal and operational risk management, and embedded across your organisation with buy-in from everyone, from your temps and interns to your senior leadership and the board.
Pulling together a robust cyber risk regime:
1. The basics: get your head (and your board members’ heads) around what risk management is. We’re talking about uncertain events that would have an impact on the business, and about establishing a cost-effective process for identifying, assessing and controlling your response to such risks. Note that risk management is unlikely to identify every risk an organisation faces, and it won’t eliminate all risk either. But it’s a darn sight better than nothing.
2. Determine your ‘risk appetite’: just how much risk are you willing to stomach as an organisation? Some people like to live life on the edge and are comfortable with bigger risks, or perhaps the nature of your business itself involves a bit more risk-taking. Others prefer to play it a lot safer. It’s up to you, but make sure your appetite is agreed with all stakeholders, written down so that later decisions to treat or tolerate a risk can be measured against it, and suitable for your business and sector.
3. Tick the compliance boxes: most industries will have some level of regulation or standards to be met when it comes to risk management, so it’s obviously essential that you have those covered. But a word of warning: a risk management regime that just does the bare minimum as a box-ticking exercise is almost worse than not having one at all. You’ll end up investing ad hoc in some areas, such as writing a policy, but failing to think about other aspects, such as training your staff in said policy, resulting in a false sense of security which won’t stand up if the worst were to happen.
4. Assess your risks: conduct a proper risk assessment to identify, assess and communicate risk. This requires some knowledge of cyber security (for example, an awareness of the different cyber threats out there) combined with in-depth knowledge of your specific business systems and priorities. Communication between those doing the analysis and those making the business decisions in your organisation must be clear, and the risk assessment must be easily interpreted by decision-makers in their day-to-day work.
5. Take ownership: to get timely and considered cyber risk management decisions going forward, we’d suggest appointing a cyber risk owner within your organisation, either one person for cyber risk generally or a different person for each specific cyber risk. Owners should be suitably qualified and experienced, and empowered to make decisions. They don’t need to be cyber security experts, but they do need enough basic know-how to understand a cyber risk assessment.
6. Take action: once you’ve assessed, it’s time for action. There are several defined options in cyber risk management to get your head around:
- Terminating risk: complete avoidance of the risk. For example, deciding that USB sticks pose excessive risk and disabling removable media across your entire IT estate.
- Treating risk: reducing its severity or likelihood. For example, implementing a policy whereby only USB sticks issued by the organisation are permitted, and they are scanned on each use.
- Transferring risk: passing the risk elsewhere. For example, taking out insurance against a cyber attack. Caution is required here: be wary of an insurance company that claims it can insure you against all cyber security risk, as this is unlikely. Bear in mind too that insurance transfers some of the financial impact, not the risk itself; the operational disruption and reputational damage of an incident still land on you.
- Tolerating risk: being willing to live with a risk. This can be the right choice if the benefits of taking the risk are worth it, or if the cost of preventing it would exceed the potential losses. But do make sure the risk has been accurately assessed and defined, and that the decision to tolerate it is recorded and signed off by the risk owner.
7. Make cyber risk a priority for the board: make sure they understand how important effective cyber risk management is and get it top of their next agenda. Buy-in from the top is vital.
8. Produce readable risk management policies: don’t just conduct your assessment and make decisions without framing it in writing. Produce clear policy documents to circulate to all members of staff, and make them readable! Junk the jargon, make it engaging and be clear about what applies to whom and how it affects individual job roles. Hold workshops to talk staff through it, and make sure new starters have a good read as part of their induction.
9. Keep at it: effective cyber security requires continuous monitoring and improvement to keep up with the rapid rate of tech development and the evolution of new cyber threats. Cyber security cannot be magically achieved with a one-off spend; it needs persistent investment. The good news is that the better your cyber risk regime to begin with, the less staggering the investments will be as you go along.