Focus on managing cyber risk
Bernard O’Hara, Director in Risk Consulting in KPMG, shares some thoughts on areas of focus for Business Owners and Board members in Northern Ireland in dealing with Cyber Risk.
Recent cyber incidents affecting a number of high-profile organisations, including the NHS, TalkTalk and Equifax, have highlighted the vulnerability of large, technology-dependent organisations to malicious attacks. Such attacks demonstrate that, even where significant resources are available for cyber defences, no organisation is immune from an attack when a determined criminal is at play. The response to a cyber incident can be critical in ensuring business continuity and maintaining public trust (whilst protecting the company’s reputation and underlying business) in the event of an attack.
The risk of cyber attack may not seem immediately acute to the typical business owner here in Northern Ireland; however, SMEs are increasingly becoming targets for cyber attackers, and an attack may result in significant business disruption, reputational damage and financial loss. Recent research by Zurich Insurance found that 875,000 SMEs across the UK had been affected by a cyber-attack in the 12 months to July 2017. Over 20% of the companies affected estimated that the attacks had cost them more than £10,000, whilst 10% believed the attack had cost them more than £50,000. Data breach or loss is often a consequence of an attack, and the impending introduction of the General Data Protection Regulation (‘GDPR’) on 25 May 2018 should therefore help to sharpen the focus on the protection of key systems and personal data.
The motivation for cyber attacks may be financial, reputational or purely malicious. KPMG’s most recent CEO Outlook, ‘Disrupt and Grow’, which surveyed CEOs both globally and locally, indicated that cyber risk continues to move up the agenda for company executives across all sectors and scales. However, the lack of visibility of the issue in corporate risk registers indicates that more focus is required on the proactive management of cyber risk by local businesses here in Northern Ireland.
Alarmingly, of 1,046 SMEs surveyed in the Zurich research, 49% expected to spend no more than £1,000 in the coming year on cyber defences, whilst a further 22% did not have an amount of spend in mind.
This suggests that, despite the increasing risk of cyber-attack, there has been no corresponding increase in spend on cyber defence by SMEs. This may be because the Board does not believe an attack is likely, or that it would have a significant impact on the business, or because cyber defence is seen as requiring technical solutions that are likely to prove costly.
Whilst it is true that unlimited resources could be spent on technical cyber defences, even this (as noted above) would not guarantee protection. The National Audit Office (‘NAO’) report into the WannaCry ransomware attack (which affected the NHS in 2017, along with many other public and private organisations) made it clear that a series of management failings greatly increased the organisation’s vulnerability to cyber-attack.
From a Board perspective, it is important to de-mystify the concept of “cyber risk” and how it relates specifically to the organisation. One size will not fit all; however, every company, regardless of size, can take steps to help identify and respond to an incident. Expensive technical support or software-based solutions are only part of the answer: organisations of all sizes can take steps to identify and respond to the risks posed to their assets by both cyber criminals and non-malicious actions, centred around people, process and technology.
Practical Steps to help support Cyber Resilience
As a starting point, Board members should consider the following areas of focus. A number of these steps can be taken with minimal incremental cost, beginning with a cyber-focused risk assessment:
- Identify critical assets – both key systems and information assets. It is essential to understand what we are trying to protect, and to base investment decisions on cyber defence upon the most critical assets.
- Risk assessment – a risk assessment will help you to understand how the threats to your assets are currently managed, and to identify and prioritise further mitigating actions, whilst ensuring ongoing focus on the issue at Board level. For key systems and information assets, consider the arrangements in place over access, backup, technical support, business continuity and protection against attack. Consider who might be interested in disrupting these systems or stealing your data. An informed risk assessment will help build effective defences.
- Incident response – consider how critical the identified key systems are to your business and, in the event of an attack or disruption, how quickly you would seek to restore them; critical systems should be prioritised. Develop (and test) an incident response plan that can be enacted in the event of an attack. This will help to ensure that the appropriate personnel (within the organisation and in outsourced technical support) are engaged quickly, and that priority is given to isolating and restoring key systems.
- Review your own general IT control environment – from maintaining up-to-date policies and procedures through to regularly reviewing access and user rights to the network and key applications. Consider limiting the use of removable media; all laptops and removable media should be encrypted and regularly scanned for malware.
- Staff awareness – staff are a critical element of cyber defence, particularly in relation to attempts at cyber fraud or theft, phishing, data theft or corruption, or the transmission of malware. Ensure they understand corporate policies covering acceptable and secure use of IT equipment. Encourage them to think twice before opening an unsolicited email attachment or acting upon unusual requests (even if they appear to come from senior management).
- Network security – seek support from IT specialists to ensure robust network access protocols (including user and device authentication) and defences such as firewalls, antivirus and anti-malware. All systems and networks should be continuously monitored for unusual activity and for attempted or actual attacks.
- System updates and security patches – ensure that system software updates and security patches are applied as they become available. These are often issued by software providers to address known vulnerabilities or threats. Cyber attackers often exploit known system vulnerabilities, so timely application of system updates is essential.
- Data management – cyber attacks often target company data, whether to corrupt it, steal it or hold it to ransom. The General Data Protection Regulation (‘GDPR’) will heighten the importance of robust data management and place a significant additional burden on companies in relation to any personal data they hold. All companies should take stock of their data management policies, procedures and processes (and indeed hold only essential data), and reinforce controls to ensure secure data storage.
- Use of cloud-based services – many companies are choosing to outsource their systems and data to third parties. Whilst this has many potential benefits, care should be taken to obtain assurance from third-party providers (with their obligations embedded within contracts), particularly with regard to business continuity, security of systems and data, and timely reporting of any attempted security attacks.
The threat from cyber attack is a real one and should be addressed proactively by all organisations reliant on IT systems. SMEs are not immune. Be ready and able for the challenge – it could come sooner than you think.