Investment in cyber security is top of the agenda, but how can businesses proactively protect themselves from emerging threats?

11 July 2023

The geo-political landscape continues to change rapidly, driving increased cyber security risk. If your business mindset is that “it won’t happen to us”, the statistics and our experience show otherwise. Risks that were traditionally considered theoretical are now affecting companies of every shape and size, propelling cyber security up the agenda.

The traditional question is no longer “if” but “when”. Cyber risks continue to emerge, state-sponsored attacks have become more pronounced amid the war in Ukraine, and high-profile threats in the UK have heightened the tension felt by businesses in the Midlands. Certain sectors may receive more attention than others, but everyone is at risk of attack, even by association.

Attitudes are changing, awareness is increasing, and more and more businesses are focusing on how prepared they are for a potential attack, as well as the exposures they face.

Cyber security is a hot topic and one that is growing in prominence. It’s hardly surprising, therefore, that investment in this area is growing in tandem with the threats being faced by regional businesses. According to our latest Rethinking the Economy survey of 500 mid-sized businesses, 43% of Midlands companies intend to invest in systems to improve cyber security in the next three years - the number one investment priority for regional businesses. That is a real statement of intent. It also demonstrates how seriously companies are taking cyber security.

Our latest report, Global Risk Landscape 2022, mirrors this sentiment: 51% of respondents said their business had ramped up cyber security in response to the war in Ukraine, one of the biggest factors affecting the cyber security sector last year. Why? Because companies report feeling almost twice as unprepared for the impact of a cyber incident as they would like to be, and 22% rank it as their number one priority, the highest score of any risk.

We don’t want to leave you in a state of FUD - Fear, Uncertainty and Doubt. The intention is to create awareness and visibility of the resources available to drive improvement, resulting in stronger organisational cyber resilience.

But what are those emerging risks and how can businesses create suitable barriers to ensure they always remain one step ahead?
 

Emerging risks and root causes

Across our client base, acting as auditor, advisor or incident responder, we see a range of risks that, if they materialise, will result in a cyber-related incident.

We have summarised our insight into three key risks, each with its root cause and potential remediation:

1. Lack of a cyber strategy

Risk: There is no defined cyber security strategy. This results in a disconnect between the organisation’s risk profile and its cyber control environment.

Root cause: Traditionally within the mid-market there is a void in the ownership of cyber as a risk. Larger organisations would generally have a CISO or ISO looking after cyber.

Potential remediation: Perform a Cyber Threat Assessment to understand your organisation’s specific threat landscape, and ensure the control environment is aligned to mitigate the risks identified.

2. Unknown/unmanaged third party risk

Risk: We see many of our clients suffering a cyber breach that originated from a major third party. More often than not this is the outsourced IT provider.

Root cause: Most organisations either are not aware of the associated risk or do not adequately assess their third party partners.

Potential remediation: Develop a simple, effective third party risk management framework that sets out how you identify and classify your critical suppliers, so that their control environments are assessed. Where possible, work with third parties whose IT internal controls have been independently assessed through assurance reports (such as a SOC 2 or ISAE 3000 report).

3. No ability to respond to a cyber incident

Risk: The organisation cannot respond to a cyber incident in a measured, timely way when one occurs.

Root cause: Incident response skills are expensive to maintain within an organisation and difficult to retain.

Potential remediation: Develop an incident response framework that “walks” the organisation through the stages of an incident and builds the muscle memory for a measured response. Consider taking out an incident response retainer with a third party that can assist you during an incident.

Proactive steps to protect businesses

“Knowledge itself is power”, as was once said. Being fully armed with the right information, processes and procedures is half the battle when dealing with uncertain threats such as cyber attacks. The following key questions and actions will help you identify your cyber risk profile and move your business in the right direction:

  • Understand your cyber threat landscape - who will target us? How will they attack us? What are they likely to steal, take or do?
  • Review your current cyber strategy in the context of that threat assessment. Does the strategy address the risks identified through your understanding of the threat landscape?
  • Assess the business’s current cyber security posture to ensure there is a solid risk and control framework in place that protects the business day to day.
  • Develop strategies and plans, implementing controls and solutions across people, process and technology.
  • Invest in cyber training and awareness across the organisation.
  • Contract the services of an incident response capability to assist your organisation in the event of a breach.
  • Assess your major third party partnerships for deficient controls that may weaken your organisation’s own control environment.
  • Look into Government-backed schemes such as Cyber Essentials Plus certification, together with other practice standards and frameworks. These will help businesses address the issue and put in place measures to reduce their exposure to cyber attacks.
  • Focus on wider awareness in the market - increasingly, questions are being asked across supply chains about a company’s preparedness against cyber threats and the resulting exposure for the organisations that outsource business to it.

Not every business will need a solid gold cyber security control environment, but every organisation will require a strong foundation. Consider what is appropriate for a business of your size and complexity, and how you can demonstrate that you have done enough to protect your data.

Original content provided by BDO United Kingdom.