Lead by example: cyber security must come from the top
This time last year I wrote that 2016 must be the year that businesses recognise cyber security as a top priority, so it is heartening to see the results from a recent Hanover/Populus poll (Oct 2016) identifying cyber security and hacking as the dominant risk for business leaders within the next 5 years.
But if 2016 was the year that business leaders finally acknowledged the scale of the risk, 2017 must be the year that they do something about it.
Leadership is essential – without it the issue will not get the attention that it requires.
Too often cyber security shoots to the top of a board’s agenda following a high profile cyber-attack, only for it to fall down the list and eventually fall off completely, at least until the next cyber-attack hits the press.
The Government’s Cyber Security Breaches Survey showed that just 51% of businesses have taken action to identify cyber risk, and only 10% have a formal incident management plan – the key to managing and communicating effectively in the wake of an incident.
I hazard a guess that this could be because responsibility at a board level is still uncommon, with just 28% of businesses having cyber security represented. This may mean that boards don’t know where to start when it comes to addressing cyber security. The outcome is that both the strategy and implementation is still commonly being outsourced, leading to a feeling of devolved responsibility with little need to be actively involved.
But I would ask whether any board can devolve the reputational impact of a cyber-attack, when ultimately they will be answerable to the press, customers and investors when something goes wrong.
So what should they do?
The most senior teams within a business must take the lead, and more importantly, be seen to be doing so.
As a starting point, they should read the Government’s 10 Steps: A Board Level Responsibility and consider whether further training and education in this area would be valuable.
This first step will go a long way towards creating a culture within the wider business that views cyber security and data protection as being a core business concern. This will mean moving away from talking about cyber security as being an ‘IT issue’, and instead shaping it as being a compliance issue and business priority. The end result being that employees will instinctively take the issue more seriously which should lead to a significant reduction in instances of human error.
Scenario planning will also identify any weak spots in the processes that a business already has in place. An incident management plan can then be created to reflect the stress-tested protocols that may be needed in the future.
Businesses should also look into how quickly and clearly they would be able to notify the Information Commissioner’s Office (the data regulator) and their customers if they experienced a cyber-attack. Their ability to do this will be a key part of the General Data Protection Regulations (GDPR), which come into force by 25th May 2018.
So put 25th May 2017 in your diary – you will have one year to become GDPR compliant. It is important that you don’t think of this as being just about reputational damage, as failure to comply could mean a fine of 20 million euros or 4% of your total revenue – whichever is greater. Perhaps that figure will focus the mind of your board into making 2017 the year it acts getting cyber security ready.
This month Emma has contributed to Parliament’s Cyber Security Month, presenting on the future of cyber security threats.