UK businesses need to do more now to protect themselves for the future. Financial losses can be insured and maybe recovered but what about reputational damage? This is far more serious for businesses
It is predicted further high-profile attacks will take place with social media being used to inflict economic and reputational damage to companies.
Here at TU Marketing we thought we’d share some assistance and guidance in helping you put in place precautions which could benefit your organisation or business in having the right strategies in place..
At a recent Institute of Directors meeting attended by Neil, Professor Richard Benham (pioneer of Cyber Security Management, founder of the National MBA in Cyber Security and The National Cyber Awareness Course) hosted the meeting and outlined four key trends that he believes will become ever more important over the coming years – with significant impact for British businesses.
Cyber in the Boardroom
Most businesses depend on technology and the internet for its everyday functions. The levels of electronic information kept by businesses vary from financial, employee, supplier and customer details. Most businesses opting for a paperless policy in view of the environment and the impact of waste means it’s harder to envisage most businesses surviving without real-time access to electronic data in one form or another.
This presents directors of UK companies with an ever evolving set of challenges which require new skillsets and awareness. The corporate landscape is changing at a faster rate than previously predicted and technology advancement is keeping pace.
Traditionally and in the past the responsibility of the IT Director wold be to oversee and take responsibility for the companies computer or IT security. This responsibility has evolved and is now the responsibility of the whole board as definition crosses into various aspects of a business. Many businesses have created new “Chief Information Security Officer” positions where the role of bridging business departments illustrates the evolvement. Smaller businesses unable to budget for new positions have opted for directors to step up. The problem arises that most directors have little time to understand the urgency of a cyber attack and dealing with the aftermath of a cyber attack.
Every board member or business owner has a responsibility to manage its own risk profile and act accordingly. Cyber security is a critical risk and should be treated accordingly. It’s important that directors and owners realise they do not need cyber experts to understand the risk but they do need policies and processes in place to deal with any situation which may arise.
We would strongly advise any business or organisation to carry out an audit on data and classify sensitivity accordingly.
Professor Richard Benham believes many businesses will look to outsource cyber security in the future.
Cyber Education
The UK Government has been proactive and is leading the way on cyber education through the Education and Information Assurance wing of GCHQ (known as CESG (Communications-Electronic Security Group)). A number of universities have established centres of excellence where research into cyber related topics are excelled. GCHQ also provides accreditation to individuals, companies, universities and training provides in the cyber sectors.
At present there is no cyber education for businesses or organisations specifically but 3 courses emerged in 2015.
The National Cyber Awareness Course
This low cost (£295) cyber awareness course covers a basic, non-technical format and is backed by 3 UK universities (launched in August 2015). It is designed for all employees, students and citizens of the UK. The awareness course is designed to raise awareness at work and home.
Cyber Essentials
A Government backed industry-supported scheme to help organisations protect themselves against common cyber attacks. Cyber Essentials offers certification to provide assurance for customers and suppliers. This 1 day Course is slightly more expensive at £395.
David Cameron (UK Prime Minister) was quoted as “…..pleased to show [my] support for the launch of the National Cyber Awareness Course which, following the successful launch of the National MBA in Cyber Security last year, is welcome in increasing cyber knowledge in this digital age….”
The National MBA in Cyber Security
The MBA is designed to specifically look at the management and business issues faced in a digital world. Currently offered at Coventry University Business School. It is understood this course is being adopted by large corporations to train cyber consultants and individuals who wish to be the key digital decision maker within their organisation. This is the first UK degree to be supported by a Prime Minister.
We recommend at least 1 person within any business or organisation to undertake cyber security training.
The Cloud
What is “The Cloud” – it is a storage solution which allows firms and individuals to store data, gain remote access to applications and files and is a third party server space. Files can be accessed from multiple computers ‘on-demand’ through an internet connection. Most businesses enjoy the cheapness of cloud services as it means no dedicated server. Cloud services also enable companies to easily scale up or down their business needs with very little expense and effort.
Despite these advantages there are still some key questions businesses need before outsourcing its data:
Where is data actually stored?
All data is stored somewhere. It is the business directors/owner/senior management team member’s responsibility to know where that somewhere is. Cloud servers could be away where in the world and using a cloud in a different country is common practice. Differing jurisdictions may well have differing legal requirements about data disclosure and businesses need to be aware of this.
Is the cloud provider trusted?
There are lots of cloud providers across the world, it many prove beneficial to ask for the cloud providers insurance details. Larger organisations within the UK have reported using 2 cloud providers. Do background research into cloud providers. Guernsey and the Isle of Man are becoming 2 jurisdictions which have a track record of secure data provisions.
Be aware that the cloud is someone else’s computer – how safe is the provider?
The general public trust cloud providers (thanks to Apple who led the way for personal storage and back-up issues). We would suggest rigorous challenge be applied when seeking cloud storage. Don’t be afraid to challenge your cloud provider to demonstrate their security.
How secure is the cloud provider, have they ever been hacked?
Cloud providers pride their selves on being “digital fortresses” but any organisation using the internet is at risk of being hacked, compromised by staff or neglected. Do some background research before allowing any company to hold your data.
Do they offer 24/7 help desk availability?
We all know that when things go wrong when it’s 4.45pm on a Friday. We would strongly recommend considering a cloud company which offers 24/7 help desk assistance. If a system cannot be restored or rebuilt during a busy time (depending on its services), that is a loss of income and reputation.
What do you expect from a cloud provider in terms of contract?
Moving from cloud provider to cloud provider is impossible and not something which can be undertaken on a regular basis. Most cloud providers insist on long-term contracts. Changing providers can involve incurring the doubling of expense and running parallel system for a short time. The degree of integration and knowledge of a businesses operating system can be considerable on the cloud provider’s behalf. Do your research before deciding on a cloud provider.
How much do I expect to pay for a cloud?
The cyber industry is new, its ever evolving. Like any provider there are always new deals but most providers insist on a long-term contract. Currently most providers are reasonably priced. Consider a cloud provider as a utility company, they expect regular on time payments, most cloud providers run monthly billing.
Cyber Insurance
We have household insurance, car insurance, even boiler breakdown insurance so having Cyber insurance seems to make perfect sense.
All businesses rely on technology, because technology is now subject to so many risks is it not worth insuring against that risk? All businesses rely on networks and contact with third parties. An interruption of service, loss of income, damage to reputation or damage to IT infrastructure should be worrying for any business.
Cyber Liability Insurance Cover (CLIC) has been available for around 10 years, however most of us have never even heard of it or know that it exists. Cyber liability insurance cover is a collective word used to describe a range of covers.
There are both first-party and third-party protection policies available. Cyber insurance is relatively new so it is difficult to predict how and where third-party consequential loss can be predicted or controlled. Loss of reputation is going to be hard to quantify and is unlikely to be covered by insurance policies.
Hiscox a high street insurance company is offering Cyber insurance and it’s believe many other larger insurers will soon follow suit offering policies to individuals and businesses. Just Google “Cyber Insurance” and you’ll be amazed at the amount of companies which offer this type of policy.
Cyber and Data Risks Insurance is designed to protect and support businesses if it experiences a data breach or is the subject to a hack.
Cyber insurance cover can include:
- Data breach/privacy crisis management cover
- Multimedia/Media liability cover
- Extortion liability cover
- Network security liability
As with any insurance, insurers expect businesses to take basic measurements to protect their selves against cybercrime.
We would recommend any business considering Cyber Insurance to carry out some research and to make sure that policy is the right one for their business.