Ten steps to cyber security
Posted by Trevor Maynard | on Thursday 06 September 2012, 1:13PM
Cyber security is a growing concern in the UK and globally, with estimates that UK businesses lose £21bn a year to cyber crime. To tackle this ever-growing global threat, I attended a conference hosted by GCHQ this week which told companies to create a more security-conscious culture and gave practical advice to businesses on how to do so.
The factsheet, 10 steps to Cyber Security, produced by the UK government, gives straightforward advice on protecting your business. Simple things such as setting up policies on removable media (e.g. USB sticks), protecting against external and internal network attacks, establishing staff training programmes to maintain risk awareness and ensuring security patches are maintained continuously are just some of the steps that can be taken.
Loss of intellectual property is a key risk in today’s ‘knowledge-based’ economy - an economy based on the production of ideas, knowledge and information rather than goods and services. Cyber risks are perceived to be particularly acute in a knowledge-based environment and are (arguably) uninsurable due to difficulties with the definition of loss. But despite this, cyber risks are now being insured in what appears to be a steadily growing market - with Lloyd’s leading the way.
Lloyd's has highlighted the risks of an increasingly interconnected digital world for some time. Our first emerging risks report, Digital Risks: An ever changing risk landscape, was launched as part of a summit with NATO at Lloyd’s in 2009. It highlighted a wide range of digital risks, from terrorism and crime, mobile device vulnerabilities, cloud computing and GPS failure to the combination of natural and man-made disasters.
We followed this up in 2010 with a report aimed at risk managers: Managing Digital Risk: Trends, issues and implications for business. Here we highlighted the steps risk managers can take to protect their businesses, in particular encouraging strong communication between risk managers and their IT colleagues.
We also stressed how important it was that cyber threats were perceived as a board-level issue. This theme continues in the recent government guidance, which includes Key questions of CEOs and Boards - examples of what Boards can ask their CIO in order to identify the potential risks.
Digital risks are particularly hard to manage. Tasks are often outsourced, and outsourced again, making network risks hard to track. Smaller subsidiaries are likely to be networked to larger parents and a key theme is that companies are only as strong as their weakest link. Cyber criminals are persistent. Once they have found a weakness they exploit it thoroughly and set up multiple routes of re-entry in case they are discovered.
The Executive Companion to the 10 Steps gives some alarming case studies that will cause any Board to sit up and take these risks very seriously. One involves a major pharmaceutical company that lost £1bn of R&D by having a near-ready product stolen and launched by a foreign competitor. How did this happen? A director opened a fake .pdf (which he thought was from a colleague), giving the cyber criminals access to the company's systems.
Risk managers should take a close look at this timely new government advice.