06 March 2017
The latest survey of the Governance and Compliance/Core community
As we become ever more dependent on technology, so the potential hazards connected with it increase. Cyber threats are now commonplace and have caused immeasurable embarrassment to compromised companies and to governments and their agencies – think of the revelations from the WikiLeaks debacle and the accusations of state interference by Russia in America’s presidential election.
The Governance and Compliance/Core community shared their concerns on this issue and the answer given to our headline question was ‘yes’ – six in ten respondents replied that they had experienced an increased risk from cyber threats in the preceding 12 months.
One person noted: ‘Cyber crime is one of the fastest-growing crimes in the UK. Our teams here protect our website and internal security with the latest technology, but the cyber crimes change faster than the security technology.’
Among the measures mentioned for countering cyber threats were regular testing, staff awareness and stronger security, though some respondents also pointed out the wisdom of being insured in case all else failed.
We also asked whether boards are paying adequate attention to cyber risk – most respondents believe they are (72%), with only 14% saying they do not, and a similar number saying ‘maybe’. One respondent commented that ‘the board has recently undertaken its own training in cyber security to be more aware and it has requested the audit and risk committee review and report on the issue at every board.’
One respondent from a listed software company described the precautionary measures they are taking: ‘We need to ensure security of our IP at all times. We are concerned about the risk of our email and other systems being hacked, so we regularly engage external providers to perform checks and tests on our systems.’ The respondent continued: ‘We also speak to our employees regularly so they are informed about the kinds of emails they should ignore, and what indicators there may be of the presence of viruses and malware … We regularly receive emails from people purporting to be our chairman asking for bank transfers to be done. We speak to all so they know what sort of indicators to look out for and to always check with the alleged sender without replying.’
The software company was not alone in this. A constant theme was the importance of staff training and the need to continue to strengthen IT security. One respondent said: ‘This includes measures such as obtaining Cyber Essentials certification, organising wide-ranging training, including data protection, revising the business continuity plan and implementing new rules on taking IT kit out of the country.’
Strengthening IT infrastructure management was also put forward as a solid way to mitigate risk, with some respondents getting themselves certified to ISO standards. One person said: ‘We have a global cyber security function and we are ISO 27001 certified [the standard that sets out requirements for an information security management system]. Management information is reviewed and challenged at every board meeting and cyber security is regularly subjected to internal audit.’ Another said: ‘We have strengthened our information technology infrastructure management and are certified to ISO 27001 and ISO 22301 [which focuses on business continuity management].’
When asked whether further support in the battle against cyber crime could be offered by government or regulators, one interesting observation was: ‘While not wishing to advocate even more regulation in the UK, it is surprising the FCA is not as focused on cyber security as regulators in other jurisdictions such as Ireland and Jersey.’
Conducted in association with The Core Partnership