[BreachExchange] Entrepreneurs must be nimble in the face of cyber risks
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Nov 8 19:27:24 EST 2016
http://www.cityam.com/253224/entrepreneurs-must-nimble-face-cyber-risks
Chancellor Philip Hammond announced last week that, over the next five
years, the government will invest £1.9bn in trying to tackle cyber attacks.
There’s an argument that a sizable chunk of this funding should be directed
towards stopping the problem at source abroad, but for UK-based
entrepreneurs, their fight against cyber crime will necessarily be fought
from their workplace.
Most organisations aren’t adequately prepared for cyber risks that change
daily. Investment in policies, procedures and training is as important as
putting in place the right technology to prevent attacks.
However, from startups to the FTSE 100 – one size doesn’t fit all.
Entrepreneurs should start by identifying what assets are most at risk, how
they are most likely to be compromised and what the most proportionate
solutions are, bearing in mind that cyber security needs to be realistic.
Employees need to download attachments and click on links to do their job.
It is no good trying to implement an outright ban on such activities or
trying to discourage normal user activity. So, a business may wish to
segregate its information, invest in better contracts, train its staff or
hire a full-time security manager.
Whether negligent or malicious, cyber breaches often expose more
fundamental weaknesses within an organisation.
At some point, an employee is bound to leave a laptop on the tube. If a
business is mature in its approach to cyber security, that laptop will be
registered, encrypted and wiped remotely. A business that is not
sophisticated could lose an unencrypted laptop and not know it’s missing
for a week because the employee will be too fearful to report it.
Too many companies don’t have a plan in place for when things go wrong. We
saw this with TalkTalk, which was fined a record £400,000 last month and
reprimanded by the Information Commissioner for failing to implement the
most basic cyber security measures. TalkTalk didn’t know what to say to the
press, the regulator and customers, which magnified the problem. Response
procedures and communications can be considered in advance, so that
customers and the reputation of the company are best protected.
Once you’ve mitigated cyber risks as far as you practically can, businesses
should transfer the remaining financial exposure to an insurer, by putting
a proper cyber insurance policy in place. It’s comparable to dealing with
health and safety risks: identify and mitigate risks, but have general
liability insurance to pay for losses that do arise.
The cyber insurance industry remains small in Europe because insurable
costs are still relatively modest when compared to those in the US. The new
EU General Data Protection Regulation – which will come in before Brexit
and sees the introduction of mandatory notification requirements with fines
calculated at up to 4 per cent of annual worldwide turnover – should change
this.
Reacting quickly to a breach can lead to a better result than is often
expected – in many cases information and money are recoverable. In a cyber
fraud case, criminals can be identified through rapid investigatory work
combined with data analytics, and court orders can be used to raid premises
to recover what has been stolen and freeze bank accounts.
Entrepreneurs need to be nimble and flexible in the fight against cyber
crime. Clearly there are trade-offs when running a profitable business
which seizes the digital opportunity, but also seeks to manage cyber like
any other business risk. The preparation and fight against cyber threats is
a matter of devoting the time and resources to ensure the business is
resilient in defence and proactive in attack.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161108/2cce89a7/attachment.html>
More information about the BreachExchange
mailing list