Introduction
Forming a cyber-risk team is becoming increasingly important as the rate of cyber-attacks on UK businesses continues to rise, and it is an essential way to help mitigate that risk. Only 13% of UK CEOs take responsibility for the cyber risks in their business, while 90% of CEOs still neglect them. Having a dedicated team gives a business a wider insight into how to manage its cyber-security effectively.
Details
Cyber-risk teams are groups within a business that normally comprise the CEO and board directors as well as technical experts such as the CTO and CIO. They analyse the performance of the business's cyber-security controls and the data the business holds. The team should discuss recovery plans, such as how to restore normal business functionality if an attack were to occur. In addition, the team should assess whether staff are trained and experienced enough to understand and mitigate cyber-risks themselves. Other topics of discussion may include how vulnerabilities are identified, which monitoring software is in use and how regulatory requirements are being met.
A survey by ComRes of 200 businesses showed that only 13% stated that the managing director is responsible for the team, and 9% named the financial director; 52% of businesses delegated responsibility to the CTO or CIO. These figures show that, while businesses do understand the importance of having a cyber-risk committee, CEOs are not taking enough responsibility to personally evaluate and analyse the potential risks. Furthermore, a government cyber report on FTSE 350 companies stated that only 33% of businesses had a clear understanding of their key information, whereas 67% had only an acceptable understanding. This is alarming given the rising rate of attacks.
The Cyber Security Breaches report showed that the percentage of firms with a board member responsible for cyber security differed by firm size:
• 21% for Micro firms
• 37% for Small firms
• 39% for Medium firms
• 49% for Large firms
Overall 51% of UK businesses have tried to identify cyber security risks in various ways such as:
• Internal audit
• Risk assessment covering cyber security risk
• Invested in threat intelligence
• Regular health checks
Of all types of business, SMEs have taken slightly longer to recover from a cyber-breach: 24% (compared with 14%) stated that it took a week to recover from their worst breach. Most SMEs are either not concerned about cyber-threats or are not taking enough action against them, so a cyber-risk team may allow them to identify their vulnerabilities and protect the firm better.
Conclusion
Although many businesses have not yet formed a cyber-risk team, awareness of cyber-risks has increased greatly in recent years, and it is predicted that most businesses will create an internal group of some nature to maximise their cyber protection. “Boards fully discuss, report and become an expert on accounting policies, health & safety, CSR and executive remuneration, however, this is not the case with a company’s most valuable assets: its data and information. It’s time to take control and be proactive” – Rob Cotton, CEO of NCC Group