How to Manage Corporate Risk in Cyberspace

Tom Martin-Ball, ISOQAR’s Information Security Sector Manager, considers how you can enhance cyber security with management standards.


Written by: alcumus
18th February

As more and more devices become connected to the ‘Internet of Things’ and we take instant connection to cyberspace for granted, the more we expose our organisations to attack.
And the risk is very real. Four out of ten businesses suffer an attack each year, rising to six out of ten for larger businesses. Recent statistics show that 11% of businesses that reported an attack said it cost them more than £50,000.
Yet far too few organisations have adequate defences.
It’s easy to see why criminals are attracted to this arena: it’s hard to police, the chances of getting caught are low - as are the penalties - and the prizes are potentially vast. Many hackers enjoy it for the sheer devilment.
So what can you do about it, and why aren’t more organisations taking it seriously?

Download the ‘Managing Corporate Risk in Cyberspace' whitepaper

The General Data Protection Regulation (GDPR) caused many to sit up and establish policies regarding the collection and storage of personal data. But for the most part the scope of those policies has not extended to cover the wider challenge of cyber security.
The government’s Cyber Essentials (and Cyber Essentials Plus) certification scheme, which encourages organisations to help themselves by implementing basic technical controls, is a good starting point but has its limitations and has seen low take-up.
The reality is that the number and seriousness of attacks could be reduced if senior management gave higher priority to this issue.  
The National Cyber Security Centre’s 10 Steps to Cyber Security guidance places ‘Risk Management Regime’ at number 1 and identifies this as a board level responsibility.

It’s essential that the same level of rigour is applied to assessing cyber risks as to any other aspect of the business. The NCSC says that this can be achieved by “embedding an appropriate risk management regime across the organisation, which is actively supported by the board, senior managers and an empowered governance structure”.
Conversely, it is important that the board balances risk against opportunity, and this can only be achieved at a strategic level. Risk decisions taken within a dedicated security function, rather than organisationally, may focus solely on achieving high levels of security. This may result in an overly cautious approach to risk, leading to missed business opportunities or additional cost.
By far the best way of taking control of cyber security is through the use of management systems. The holy trinity when it comes to cyber security includes:

ISO 27001 - Information Security Management

ISO 22301 - Business Continuity

ISO 20000 - IT Service Management

These three standards help ensure that at strategic and operational levels you have systems in place to protect your organisation against attack, limit any damage and get back up and running as swiftly as possible.
Learn more about the role of certified management systems in cyber security by downloading our whitepaper, Managing Corporate Risk in Cyberspace.