Why cyber security should be at the top of your priority list
By George Ralph, RFA – Cyber security has never been as important as it is today. The Cyber Security Breaches Survey 2017, published recently by the Department for Culture, Media and Sport and undertaken by Ipsos Mori, highlights some statistics that should make even the most jaded CIOs sit up and take notice.
Of the 1500+ businesses surveyed, 74 per cent say cyber security is a very high priority for their senior management, and 67 per cent have spent money on cyber security in some shape or form in the past year. For medium sized businesses, the number of organisations which have spent money rises to 87 per cent and for large businesses it is at 91 per cent. The biggest reason cited for this spend is to protect customer data, so say 51 per cent of respondents. But in contrast, only 33 per cent have a formal policy that covers cybersecurity risks, or documents these in a business continuity plan, audit or risk register. Only 11 per cent have a cyber security incident management plan in place. It seems like the fear of attack has induced spend, but hasn’t extended to policies and procedures that could reduce the threat of attack, or ensure attacks were dealt with more effectively.
When firms do invest in cyber security, many of them formally evaluate the effectiveness of their spending, undertaking activities such as monitoring levels of regulatory compliance, seeking senior management feedback and measuring staff awareness. Most cite the reasons for this as justifying future spend and explaining the impact to the board and wider staff.
There are some interesting results, for example, 19 per cent say that they are worried about their suppliers’ cyber security, but only 13 per cent require suppliers to adhere to specific cyber security standards or best practice. Again, the fears don’t seem to be translating into appropriate policies and procedures.
The report also shows that cyber security breaches or attacks are fairly common, with 46 per cent overall identifying at least one breach or attack in the past year. This rose to 66 per cent and 68 per cent for medium and large firms respectively.
The most common type of attack or breach came from staff receiving a fraudulent email, followed by viruses, spyware and malware, then identity fraud and ransomware.
It’s clear that technology alone can’t eradicate cybercrime and that with most attacks coming via staff, and being facilitated by human behaviour, some robust policies and procedures are needed.
What’s really interesting is that, without investing much more in technology, many organisations could prepare themselves better for cyber attack simply by making some changes to the way staff work and by instilling a culture of cyber security awareness across the organisation. There are templates and guides available for organisations which want to implement a written Incident Response Plan, plus sample cyber security policies, which can easily be adapted. Then it’s just a case of embedding new behaviours into employee culture with regular training. In this survey, 20 per cent of businesses had staff attending internal or external cyber security training in the last 12 months. Put another way, that’s 80 per cent of businesses that didn’t, which is worrying.