07 Apr 2014
Cyber-security and risk management
Risk management email newsletter
With the European Parliament last month approving the text of the proposed "Cyber Security Directive" it is a good time to consider the issue and how it plays into an organisation's overall risk management strategy.
What is cyber security?
Cyber security is a term used to cover the security of IT networks and infrastructure. It is a topic of great concern to both governments and industry, as the volume of information held on networks increases together with the prevalence of (and the potential damage caused by) cyber-crime.
In this context, the European Union has proposed the Network & Information Security (or "Cyber-Security") Directive. Although a version of the Directive has been approved by the European Parliament, it is not yet law, nor is its final form certain, as the text still has to be negotiated with the Council of the European Union and the Commission. When it does come into force (estimated in mid-2016) the Directive will impose minimum security standards and incident notification obligations on a wide range of public and private organisations, including providers of so-called "critical infrastructure services" (such as those in the energy, health, transport and financial services sectors). These obligations will add significantly to the existing obligations of organisations under data protection and e-privacy legislation.
Regardless of the legal obligations, organisations have pressing commercial reasons to prepare robust cyber-security defences: consumers and businesses are estimated to have lost over £27bn to cyber-crime in 2012, and the cost of remediating a single cyber-breach is estimated to be in the region of £850,000 for a large company. Likewise, consumer awareness of the issue is increasingly pronounced, and companies such as Sony, Target and Tesco have all been on the wrong end of negative headlines for cyber-breaches in recent years.
What can you do?
To mitigate the risk of cyber-breaches, whether malicious or accidental, organisations should consider taking the following steps:
* Increase network security and protection against malware.
* Provide staff training to increase knowledge and awareness.
* Monitor developments in cyber threats and prepare defences accordingly.
* Consider segregating data, and avoid placing "all your eggs in one basket" in a single network environment.
* Monitor your organisation's exposure and vulnerabilities as technologies and the business develop.
* Have a defined incident response plan that can be invoked to deal with cyber security breaches quickly, and ensure that any weaknesses identified are remediated across the organisation.