A UK government survey published in 2018 found that more than four in ten businesses had experienced a cyber security breach or attack in the previous twelve months. For larger organisations, the figure was seven in ten.
This is not a problem that can be solved simply by throwing money at it. In fact, organisations often spend too much, not too little, in this area, precisely because there is no top-level oversight, no risk management and no cost-benefit analysis behind the spending.
The reality is probably worse than the statistics suggest: not only because the number and sophistication of attacks grow daily, but because many organisations are not aware that they have been compromised at all. Published figures vary considerably, but the typical interval between a breach and its detection is reported as somewhere between 180 and 350 days, and those figures can only count the breaches that were eventually detected. As even casual observers of current affairs will know, many organisations are reluctant to admit to such failings, often doing so only years later or once they have been exposed.
In the past, some organisations have tried to ‘buy off’ attackers in return for their silence. Paying no longer makes a breach go away: under the GDPR and the Data Protection Act 2018, a personal data breach that is likely to put individuals at risk must be reported to the ICO (Information Commissioner’s Office) within 72 hours of the organisation becoming aware of it, whether or not the attacker has been paid.
And yet only just over a quarter of businesses have a formal policy covering cyber security risks; in the charitable sector it is one in five. Despite the growing threat, there is still a marked reluctance to act. Why is that?
- Senior management and board-level executives have limited knowledge of cyber security, so it does not receive adequate attention
- The likelihood of an attack succeeding, and the losses it would cause, are hard to forecast, which makes it difficult to build a business case for investing in cyber security
- Outside specific regimes such as data protection law, which requires appropriate security for personal data, there is no general statutory duty to manage this risk comparable to health and safety law, even though failures carry legal consequences
- The organisation has not yet suffered a seriously debilitating attack and so underestimates the havoc one can wreak
- It is assumed that the organisation is probably already adequately protected
So, far too often, either nothing is done or money is spent in an uncoordinated or reactive way. Organisations must take a strategic, considered approach to cyber security rather than treating it as purely an IT department task of keeping software up to date.
It is, in every sense, a management responsibility.
To succeed, you need a strong governance structure, with the board owning the risk, overseeing management systems that are both efficient and effective.
To learn more about adopting a robust management structure to overcome cyber threat, I recommend reading Managing Corporate Risk in Cyberspace.