Policy Monitor

Why cyber security should be on every board’s priority list and the 3 steps needed to stay safe online

While many issues have gained importance due to the pandemic, Nick Denning, CEO, Policy Monitor, explains why no board can afford to let cyber security slip down the priority list.

Cyber-attacks are a constant concern for organisations both large and small, with a study revealing that 68%[1] of business leaders feel their risks are increasing. The pandemic has magnified this as many companies had to respond quickly to lockdown pressures and accelerate digital transformation plans. IT teams had to make rapid changes, moving operations to the cloud and granting remote access so that companies could continue to function and survive. Now it’s time to take stock and assess the cyber security implications of those decisions.

Assessing cyber risk

Board directors have expertise in managing business risk but not necessarily cyber security.  It’s a significant business risk but too easily delegated by the board to technical staff.  You don’t need to be a technical expert to make an informed cyber security decision, but you do need expert insight on the changing threat level.  The popular adage is that there are two types of organisations: those that know they have been attacked, and those that haven’t noticed they have been attacked. 

It’s not really a question of if an attack is going to happen, but when. Organisations need to be able to maintain awareness of the threat, to take mitigation action to minimise the impact and have contingency plans for getting back to normal operations as quickly as possible. The responsibility of the board is to make sure the company leadership has a plan and that employees are equipped and know what to do in the eventuality of an attack. So how can boards become prepared?

Risk oversight

The first step is to carry out a risk assessment. There are a number of freely available online templates on which to base your risk assessment. A great place to start is the government-endorsed Cyber Essentials (CE) scheme.  In parallel it is vital that the organisation understands and documents its “As Is State” in terms of equipment, policies, processes and training so that the associated risks can be assessed.

The Information Assurance for Small and Medium Enterprises Consortium (IASME) web site identifies the top 5 core controls to consider for secure configuration. This includes a cyber security readiness tool which gives an organisation the opportunity to assess its situation against Cyber Essentials (CE). This was designed to help protect organisations from the most common cyber threats and provides a good framework to start establishing a sound cyber defence posture.

Having identified the organisations risks, the board now has to set priorities, direct the necessary action to manage those risks to minimise the potential impacts and ensure people are trained to respond in the event of an attack.

Understand threats and how to mitigate them

The vast majority of attacks are still based upon known techniques which can be defended against. Most cyber crime is financially motivated with criminals looking for a quick pay out. If an attack has worked well, they will keep repeating it. This is why phishing scams remain the most common type of attack that organisations face, with 90% of all data breaches involving phishing[2].

Being Cyber Essentials compliant is said to mitigate 80%[3] of the risks faced by businesses such as phishing, malware infections, social engineering attacks and hacking. It aims to provide businesses with a strong base from which to reduce the risk from this type of cyber threat.

By understanding the critical assets and the threats faced companies can start to assess and prioritise where they need to focus future security investments. Security isn’t fixed by technology alone. For example, investment in educating employees to the most common threats, developing effective processes and ensuring regular reviews is vital. Security isn’t a one-off tick box exercise. The Board of Directors should recognise this and support the organisation in constantly reviewing processes to ensure security keeps pace with business change.

Be prepared – have an incident response plan ready

The eye of the storm is not the moment to be devising a plan on how to respond to a cyber incident. Everyone must have a clear understanding of their role and the organisational

response in advance. The board also needs to be clear about who has authority and responsibility in the face of an incident.

Many companies operate as part of a complex supply chain and are not only responsible for their own security but also that of their business partners. Boards must be prepared to communicate effectively with supply chain partners to ensure efficient incident management.

Having a plan is one thing but it’s important to ensure it is fit for purpose. Periodically rehearsing your response to different scenarios is key to ensuring plans are effective and remain current. This is not only critical for employees but also board members who need to understand their specific area of responsibility during an incident.

Be a tougher target

Cyber security is a business issue, not an IT issue. It is the responsibility of the whole organisation. Boards must set the tone and provide ongoing support to facilitate change and ensure that cyber risk is managed. Taking a methodical approach to cyber security and making relatively small changes can greatly reduce the risk to any organisation.

Preparation is key and this is where Cyber Essentials certification is invaluable. The scheme lays the foundation to developing policies and procedures to mitigate against threats that can impact business operations. Companies can demonstrate their commitment to cyber security by achieving CE certification and should the worst happen, it will help in the ability to respond to a cyber-attack and resume business operations.

Getting started may seem daunting to companies and boards alike but it doesn’t have to be. By acting now companies can get a head start on understanding their risk and lay a solid foundation to maintain business resilience, no matter what comes their way.


[1] Accenture-Cost-of-Cybercrime-Study

[2] https://enterprise.verizon.com/resources/reports/data-breach-digest/

[3] https://www.ncsc.gov.uk/section/products-services/cyber-essentials