There is no getting away from it; cyber crime is on the increase. From headline-grabbing incidents such as the Sony e-mail hack to the fake invoices which seem to be bedevilling in-boxes on a regular basis the cyber criminals are either out to steal data or to disrupt or deny the functions of organisations.
In fact, according to a PwC report, in 2013 instances of reported cyber-crime globally rose by 48% to 42.8million and initial reports indicate that the trend continued throughout 2014. Little wonder then that, according to PwC’s 18th Global CEO survey, cyber threats allied to the rapid pace of technological change are seen as one of the major challenges facing CEOs in 2015.
The challenge of tackling cyber crime was highlighted recently in a speech given by Andrew Gracie, the Bank of England’s Executive Director Resolution. Although his speech was aimed at the financial services sector Mr Gracie’s comments could equally apply to other sectors. In his speech Mr Gracie highlighted the difficulties of countering a threat which is constantly evolving as technology advances. This requires organisations to have cyber resilience policies and processes which are dynamic, intelligent and adaptive.
Interestingly though, Andrew Gracie also highlighted the way in which cyber resilience should not solely be thought of as purely a technological challenge. Citing the example of an employee who stole data from over 350,000 customer accounts, Mr Gracie emphasised the human dimension to cyber crime and commented that “All parts of an organisation need to understand cyber risk and their responsibilities towards improved cyber hygiene. This includes Board level engagement.”
Put simply, cyber resilience should be seen by boards as a key element within the overall governance and risk management remit. This means that not only should the board take steps to ensure that their IT team are sufficiently aware and resourced to counter cyber attacks, they should also ensure that employees throughout the organisation have been trained and given the tools to be aware of and to be able to counter cyber threats. Such training will vary from sector to sector but may well encompass areas such as risk awareness, e-mail protocol, the need for data security and the safe handling of data removed from premises.
Cyber resilience is not a ‘nice to have’ ambition, nor is it a ‘get around to it if we have time’ element of corporate policy. Rather it should be seen as an essential and integral part of corporate governance. As Andrew Gracie concluded “it is clear the world has changed; cyber is an ever-present threat. Firms need to stand ready to manage this risk.”
If you would like to find out more about corporate governance feel free to browse our website www.elementalcosec.com or contact Nick on info@elementalcosec.com.