How to create an appetite for cyber-security risk management in the organisation

Poor risk appetite remains a problem for companies, yet cyber-security is one area that needs urgent attention says Stuart Reed.

Stuart Reed, senior director at NTT Com Security
Lax information security is now seen as the single biggest risk to a business, on a par with competitors stealing market share, and more of a risk than global competition and falling profits.

This is according to the latest 2016 Risk:Value report, which examined the perceptual shift in business risk over the last 12 months. Just nine percent of businesses pointed to poor information security as their biggest risk in 2014 and, in just one year, the figure has doubled. Given the number of high profile breaches in 2015, which saw the theft of confidential customer information, it's hardly surprising to witness this rise.
 
Add this to the potential consequences of a breach, and we see organisations toughening their cyber-risk stance. In fact, when a business suffers from a data breach, there is a very clear and immediate cost – upwards of £1.2 million on average for large UK organisations according to the same research. 

So how can organisations increase their appetite for cyber-security risk management? Simply put, it's about creating a solid information security and risk management policy and communicating it effectively throughout the entire organisation. For it to be effective, though, the policy requires companies to have a deep and broad understanding of the business and the technical systems that underpin it, as well as the jobs that employees do and how they use these systems to do them.

A skilled team will analyse which digital assets need protection and what the impact on the company would be if they were compromised. Those creating the policy must also identify the most common and likely threats to that data. These may vary by the type of organisation and by its activities. Retailers tend to worry more about organised cyber-criminals targeting their customers' financial data, with POS systems – often unpatched – a primary intrusion gateway for retailers. Meanwhile, financial services and public sector organisations are more likely to be hit by malware attacks, according to the 2015 Global Threat Intelligence Report.

Once executives understand what must be protected, they can then identify other data points that will help them to create an effective cyber-security policy. They can identify likely intrusion points that attackers could use, and map them against weak points they uncover in their systems. 

Managers can customise their policies to focus on the weak points, but most of them will cover catch-all areas such as data encryption, mobile working, clean desk practices and acceptable usage. They should be signed off by a senior executive to show management support, although that isn't enough.

Executives need to be realistic about their organisations' ability to enforce these policies. All too often, a cyber-security policy is handed out during an employee induction and then stuffed in a drawer and followed by few people. This is where effective communication is important.

Managers need to drive a security mindset throughout the entire organisation. They need to truly understand how employees work, and ensure that security policies don't make their jobs too onerous. Furthermore, there should be awareness initiatives designed to address employees' attitudes and intentions, enabling them to become willing participants.

Researchers at Oxford University and University College London cite several critical success factors in cyber-security awareness campaigns. These include:

  • Looking for actual changes in behaviour rather than simply checking boxes.
  • Constantly reinforcing policy information by delivering it in different formats over time.
  • Using engaging and appropriate materials.
  • Collecting metrics to assess effectiveness (examples might include 'white hat' phishing campaigns to see how many people open suspicious mails).
  • Using multiple training exercises to cover different threats.

Preparation is everything when managing cyber-risk and increasing an appetite for risk management in the organisation. Executives must start by identifying their organisations' key assets, and gaining an understanding of the threats to them and the impact those threats would have. This will enable them to design effective practices to protect the business, and to engage employees intelligently.

Contributed by Stuart Reed, senior director, NTT Com Security
