Boards have a key role to play in ensuring an effective cyber strategy is in place. By asking the right questions about cyber risk, they can dramatically reduce the financial and reputational impact of a successful attack.
If your business has not suffered a cyber attack or data breach over the past year, it’s in the minority. Two-thirds of mid-market businesses have experienced an attack, suggesting that – for those that haven’t – it’s only a matter of time.
The impact of a successful attack is severe. Our recent research discovered more than half of mid-market companies reported losses equivalent to between 3% and 10% of revenue following a cyber breach. For the businesses impacted most severely, losses were up to 25% of revenue.
There’s no denying that cyber risk is now a serious business risk for every company.
A successful attack has long-term implications beyond immediate business disruption. The organisation’s senior team typically commit days and often weeks of their time to dealing with the fall-out from an event. As a result, business decisions are delayed and plans are put on hold. The impact often spreads from the event itself, with employees losing confidence in the leadership team and pride in the organisation. Clients and suppliers can start to question whether they can continue to trust the organisation with their data and business.
Given this, it’s difficult to understand why so many boards fail to review cyber risk management formally. More than six in ten boards in mid-market organisations don’t do this. Yet our research shows that in companies where a formal, board-level review takes place, financial losses in the event of a successful attack are lower.
How to ask the right questions
Boards may worry about not understanding the complex, technical issues that shape cyber risk management. But you don’t need to be a technical specialist to make a difference. You just need to know the right questions to ask. Although cyber attacks use technology as a conduit, much of the risk still comes down to people.
Cyber security: the board report includes over 20 questions board members should be asking to ensure cyber risk is being managed effectively – just as they would probe arrangements for managing any significant business risk.
The five key areas where boards need to dig deeper:
1 Incident response plan
Does your organisation have one? Companies with an incident response plan in place experience lower losses in the event of a successful attack than those that don’t. Despite this, almost six in ten mid-market organisations don’t have a cyber incident response plan in place.
2 Regular rehearsals
Your organisation almost certainly runs fire-drills so that everyone knows exactly what to do in the event of a fire. But when did your business last rehearse the cyber incident response plan? Minutes, even seconds, count when a cyber attack or data breach occurs. Having employees who know what to do (and what not to do) as soon as an incident is detected will limit the damage significantly.
3 Supply chain
In our research, over one third of respondents confessed that partners in their supply or value chain had weaker cyber defences than the organisation itself. These weaker defences expose the whole organisation to serious risk. Ask who has access to your organisation’s systems and where this information is recorded. What controls are your suppliers/partners required to have in place?
4 Cyber insurance
Cyber security insurance can go a long way to providing reassurance that the majority of the cost of an attack is covered. However, in many cases a company could spend less than the policy deductible on controls that significantly reduce the likelihood of having to make a claim in the first place. Equally, for a policy to remain valid, the information provided to the insurer about your defences and potential losses needs to be accurate and complete; inaccurate or incomplete disclosures can give the insurer grounds to reject a claim. Has your business got this right?
5 Staff training
People are an essential component of an effective cyber security strategy. As a result, implementing effective training to raise employee awareness can have a hugely positive impact on cyber security. But changing behaviours is difficult and the cyber threat is always evolving, so training needs to be engaging, regular and ongoing. When did your organisation last run training for employees and how are you measuring its effectiveness?