Cyber security: What a difference the board makes
The cyber threat never stands still, it is always evolving and will always be with us. If your business has not experienced a cyber-attack in the past year, you are in the minority. It is easy for many to believe that they are below the criminals’ radar but, in truth, every business is a target every day, and cyber security is vital.
Preparation and education, through establishing cyber incident response plans and regular staff training, are key components of an effective cyber security strategy, but we have found that putting cyber-crime onto the board’s agenda is one of the most effective ways to minimise the chances of a successful attack. While no business – whatever its size or sector – is immune, mid-market companies are particularly vulnerable and need to focus on managing this growing risk.
While any organisation with a computer and an employee today is vulnerable, mid-market companies are less likely to implement best-in-class cyber security compared to larger companies and are less likely to require their suppliers to do the same. They also have a level of resources that make them an attractive target for criminals looking to extract a ransom, and a network of offices that makes fraud easier.
Grant Thornton’s ‘Cyber-security – the board report’ surveyed c.500 UK mid-market businesses on their approach to cyber risk management. It found that the financial impact of a cyber-attack can be significant, with more than half reporting losses equivalent to 3–10% of revenue following a cyber breach. For those businesses impacted most severely, losses were up to 25% of revenue – a significant sum for any business.
In a highly connected world, reputations built over time can be dashed in minutes when a cyber breach occurs. Dealing with the fall-out from a data breach demands a range of expertise on a scale that most mid-market companies do not have in-house, such as digital forensics (to locate, assess and repair the breach), legal (to advise on regulatory exposure, contractual breach and liability) and PR management (to limit reputational damage).
In the last 12 months, we estimate that the total cost of cyber security breaches to UK mid-market businesses has reached at least £30 billion. Any other scenario with the potential to disrupt operations, damage reputation and generate costs to this degree would be identified and managed as an important business risk. Despite this, most boards don’t seem to pay much attention to cyber security.
Our research found that only one in three mid-market companies review cyber risk and management at board level or have a board member with specific responsibility for cyber security.
Why are so many ignoring this risk? In some cases, it’s because board members are not fully aware of the severity of the threat from the current wave of industrial-scale cyber-crime. This lack of understanding may go hand in hand with the lack of confidence many businesses have in their ability to address the challenge, and there is a temptation for cyber security to be filed as a technical issue and trust someone else is picking it up.
For example, many mid-market companies tend to outsource their IT provision to smaller providers who may also not have the necessary expertise in-house. We have seen this result in a critical disconnect between the level of security an organisation believes they’re receiving and what, in reality, is being provided – leaving them wide open to attack.
We know from experience that board involvement can have a real impact on reducing the likelihood of a successful cyber-attack and in minimising the reputational and financial impact when a successful attack occurs.
Our research found three distinct areas where action by the board is shown to change outcomes for the better – reviewing cyber security risks and management at board level, making cyber security the responsibility of a specific board member and preparing an incident response plan.
In order to counter this growing threat effectively, boards need to understand where their weak points are. Our research revealed that perceived and actual vulnerabilities in mid-market companies don’t always match up.
Over two-thirds told us that they could mount a consistent response across the organisation to a cyber-attack. Yet this requires a comprehensive, up-to-date and regularly rehearsed cyber incident response plan, something only four in ten had in place.
An incident response plan should cover the full lifecycle of a data breach – from discovery, to resumption of business as usual, to lessons learned – and should be rehearsed with a fully simulated cyber-attack twice a year. We found that those companies that have an incident response plan in place experience lower financial and reputational losses in the event of a successful attack than those that don’t.
The role of employees was identified as another key vulnerability for mid-market businesses. Training to raise employee awareness has a hugely positive impact on cyber security, but changing behaviours is difficult and the threat is always evolving. This means training needs to be regular and ongoing. Despite this, more than six in ten businesses told us they had not provided all their people with cyber security training in the last 12 months.
Often, companies make themselves vulnerable to attack simply by failing to get the basics right. To help mid-market boards ensure they are properly prepared to manage their cyber risk, we have identified six key areas of focus:
At a time when business is more connected than ever before, cyber risk management, across people, processes and technology, needs to be a fundamental for every business. Effective cyber-security does not need to cost the earth and goes beyond simply investing in new technology. There are simple, specific steps companies of all sizes can take to put themselves in a much stronger position and ensure they are prepared to take control in the event of a cyber breach.