Concern over cyber threats has hit an all-time high, with a recent survey finding that 79% of organisations now rank cyber risk as a top-five concern.
While concern might be high, this isn’t necessarily translating into action.
PwC’s 2018 Global State of Information Security survey found that only 51% of executives have an accurate inventory of employee and customer personal data.
Which leaves us pondering: are companies doing enough to protect their data?
GDPR has helped to raise the topic of information governance up the agenda for many organisations. It has strengthened the concept of “personal information” in law at the same time as giving the regulator real teeth when it comes to enforcing the regulations.
The UK’s Department for Digital, Media, Culture & Sport found that 30% of businesses and 36% of charities have made changes to their cyber security as a result of GDPR.
Nevertheless, as the threats continue to grow, businesses are still not doing enough – and are continuing to fall victim to cybercrime. The same department reports that 32% of businesses and 22% of charities experienced cyber security breaches or attacks during 2018. The figures are much higher among medium businesses (60%), large businesses (61%) and high-income charities (52%). Sadly, many businesses are also not aware that a breach has occurred in the first place.
According to the MidYear QuickView Data Breach Report 2019, there were more than 3,800 publicly disclosed breaches in the first six months of the year, exposing 4.1 billion compromised records.
Unfortunately, cyber security is too often viewed as an add-on to business as usual rather than an integral part of day-to-day operations. Even with new programmes and initiatives, cyber security is rarely “baked in”. However, it is something that now needs to be considered alongside Health and Safety, HR and other core business policies.
The 2019 Marsh-Microsoft Global Cyber Risk Perception survey found 77% of its respondents are adopting or have adopted cloud computing, robotics, or artificial intelligence – yet only 36% said they are evaluating cyber risk as part of those transformation projects.
Perhaps this surprising lack of action is explained by some other findings of the same survey.
It found declining confidence in people’s own ability to understand and assess cyber risks, prevent cyber threats, and respond to and recover from cyber attacks.
This is not a failing of any one organisation – it is an ever-changing landscape that requires specialist knowledge. But there is still a responsibility to ensure appropriate measures are in place.
The National Cyber Security Centre (NCSC) has issued guidance to help organisations take control of the cyber security agenda.
In 2018, it issued a toolkit of five questions that senior management can ask to ensure that cyber security is being tackled correctly within the organisation. It pointed out that cyber security is now a mainstream business risk and can no longer be deemed to be the sole responsibility of the IT team.
• How do we defend our organisation against phishing attacks?
• What do we do to control the use of our privileged IT accounts?
• How do we ensure that our software and devices are up to date?
• How do we ensure our partners and suppliers protect the information we share with them?
• What authentication methods are used to control access to systems and data?
Ciaran Martin, NCSC Chief Executive, said: “There is no such thing as a foolish question in cyber security. The foolish act is walking away without understanding the answer, because that means you don’t understand how you’re handling this core business risk.”
Practical steps to take now to protect your data
The answers to the five NCSC-issued questions will help you to see where the gaps are in your current information governance and cyber security policies and practices.
It is likely that some – or all – of the following activities will need to be part of the response in order to help you to better protect your data.
• Implement some practical anti-phishing awareness training with your staff, such as our human firewall training programme.
• Don’t just leave cyber security to your cloud provider or IT Support company – actively review their policies and procedures before signing and on renewal. Don’t just take their word for it; demand evidence – and make sure the boundaries of where responsibility lies are both clearly and contractually defined and clearly understood by all parties.
• Undertake the Government’s Cyber Essentials scheme; don’t allow your organisation to become the low-hanging fruit picked off by hackers. Plus, you’ll increasingly need the certificate for tenders or in order to work with larger organisations.
• Review the NCSC’s 10 steps to cyber security, which include beefing up network security, developing policies for remote and home workers and investing in malware prevention. They are a useful companion to the Cyber Essentials scheme.
• Develop a plan, in conjunction with your MSP if necessary, to audit and manage all updates. It’s a relatively simple way to ensure you don’t leave your organisation vulnerable to attack.
• Have a plan for what to do in a worst-case scenario. Don’t wait until the worst happens before you start thinking about how to respond. If you have procedures in place that just need to be activated, you’ll be able to limit the damage much more effectively, as well as being better able to fulfil your legal responsibilities under GDPR.
• Consider whether you need to invest in cyber insurance. The Marsh survey found that 53% of organisations still don’t have any kind of cyber insurance in place.
Do you need help with any of these steps? The Grant McGregor team is always on hand to help or advise – please get in touch if you need support.