Special Report
A special report is content that is edited and produced by the special reports unit within The Irish Times Content Studio. It is supported by advertisers who may contribute to the report but do not have editorial control.

Cybersecurity getting more time at board level


The Central Bank of Ireland’s recent call for greater board oversight of IT risk management and cybersecurity was aimed at regulated companies but its message arguably applies more widely.

“The incidence of cyberattack and business interruption is on the increase, and firms should assume they will be successfully targeted,” the Central Bank said in a guidance note this month.

An encouraging development is that more companies are taking the risk seriously. In a survey from Deloitte in July, non-executive directors ranked cybersecurity a higher priority on their agenda for the next 12-24 months than in the previous year – second only to strategy.

“Cybersecurity is definitely getting more time at board level than two or three years ago because organisations recognise the reputational aspect if they have been breached, and there’s more of a focus on financial loss and the impact to the business,” says Colm McDonnell, head of risk advisory at Deloitte.


However, he says many boards struggle to understand what they regard as a technical issue. The fundamental questions for a board to ask are what the organisation’s most important information is, where it is stored, who has access to it, and how it is protected.

Then follows the “if we are breached what crisis management and response do we have in place, and how do we minimise the disruption and get our systems back online quickly?” McDonnell says.

A broad sweep of the business can identify weak points which the board can then address.

“Maturity assessments can be really helpful. It’s a systematic top-down look to understand the risks. The outcome will be a series of risks and gaps, and you start to match up your risk appetite and your available budgets in order to prioritise the gaps that need fixing,” says McDonnell.

It’s easy to get sidetracked by reports of the latest threats and new vulnerabilities, but businesses are advised to focus on good security hygiene and specific risks.

“We recommend that instead of looking at hugely sophisticated attack vectors we encourage people to focus on the basics: to know all the technology they have, whether it is all up to date, and to know all the vulnerabilities associated with it, because most vulnerabilities that are exploited are two to four years old,” says David Shaw, security architect with Accenture Ireland.
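The “know what you have and whether it is patched” advice above is easy to act on with a small inventory check. The Python below is an added example, not code from the article, from Accenture or from any other firm quoted here: it matches a software inventory against vulnerability advisories and ranks the gaps by how long a fix has been available, so the two-to-four-year-old holes Shaw describes surface first. The hosts, product names, versions, advisory identifiers and reference date are all constructed for illustration.

```python
# Added example (not from the article): check a software inventory against
# vulnerability advisories and rank the gaps by how long the fix has been available.
# All hosts, product names, versions, advisory identifiers and the reference date
# are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    fixed_version: str   # first version that contains the fix
    published: date      # when the fix became available


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    advisory_id: str
    fixed_version: str
    age_days: int        # days the fix has been available but not applied


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version such as '5.7.20' into a tuple of integers.
    Non-numeric suffixes ('2.4.1-rc1') are ignored beyond the leading digits."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_older(version: str, fixed_version: str) -> bool:
    """True when `version` predates `fixed_version`; '1.2' and '1.2.0' are equal."""
    a, b = parse_version(version), parse_version(fixed_version)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_unpatched(assets: list[Asset], advisories: list[Advisory],
                   today: date) -> list[Finding]:
    """Every asset still running a version below an advisory's fix, oldest fix first."""
    by_product: dict[str, list[Advisory]] = {}
    for adv in advisories:
        by_product.setdefault(adv.product, []).append(adv)
    findings = []
    for asset in assets:
        for adv in by_product.get(asset.product, []):   # unknown product: nothing to check
            if is_older(asset.version, adv.fixed_version):
                findings.append(Finding(asset.host, asset.product, asset.version,
                                        adv.advisory_id, adv.fixed_version,
                                        (today - adv.published).days))
    findings.sort(key=lambda f: f.age_days, reverse=True)
    return findings


def stale(findings: list[Finding], min_years: float = 2.0) -> list[Finding]:
    """Findings whose fix has been available for at least `min_years`."""
    return [f for f in findings if f.age_days >= min_years * 365.25]


# Constructed sample inventory and advisories (hypothetical products and IDs).
INVENTORY = [
    Asset("web-01", "exampleweb", "2.4.1"),
    Asset("web-02", "exampleweb", "2.6.0"),
    Asset("db-01", "exampledb", "5.7.20"),
    Asset("file-01", "examplefile", "1.0.3"),
]
ADVISORIES = [
    Advisory("ADV-2014-001", "exampleweb", "2.5.0", date(2014, 3, 1)),
    Advisory("ADV-2016-007", "exampledb", "5.7.25", date(2016, 9, 15)),
    Advisory("ADV-2017-002", "examplefile", "1.0.3", date(2017, 2, 1)),  # already applied
]
TODAY = date(2017, 9, 1)   # constructed reference date

if __name__ == "__main__":
    for f in find_unpatched(INVENTORY, ADVISORIES, TODAY):
        print(f"{f.host:8} {f.product:12} {f.version:8} -> fix {f.fixed_version} "
              f"({f.advisory_id}) available for {f.age_days / 365.25:.1f} years")
```

With the constructed data, `web-01` is reported first because its fix has been available for roughly three and a half years, `db-01` second at under a year, and `web-02` and `file-01` are clean because they are at or above the fixed version. In practice the inventory would come from an asset register or endpoint agent and the advisories from a vulnerability feed; the version comparison is deliberately simple and would need extending for vendors whose version strings are not dotted integers.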

It is not only regulated entities and financial services providers that are paying more attention to cybersecurity; smaller companies are too.

“The perception among many small to mid-sized companies was that this was an issue for multinationals and large companies, but we’re starting to see ordinary operating companies beginning to be hit by issues such as email accounts being hacked, account details being compromised and criminals using them for fraudulent purposes, and phishing. These attacks are becoming more and more prevalent,” says Darren Daly, partner and head of technology law at Byrne Wallace.

Another reason for SMEs to take security more seriously is that criminals increasingly target them as a stepping stone into the larger organisations they supply.

One of the world’s largest data breaches, involving the US retailer Target in 2013, came about because attackers stole login credentials from a subcontractor company that provided heating, ventilation and air conditioning services to Target.

“We see an awful lot of attacks which go after the supply chain. If my company has access to the network of a big-name organisation then I’m an obvious way into that organisation because I’m not as well defended,” says David Emm, senior security researcher at Kaspersky Lab.

Smart boards can use heightened public security awareness to their advantage, says Darren Daly.

“Consumers are much more educated about privacy concerns, and clever companies will see this as a marketing opportunity, to be able to say they operate to the gold standard in terms of data privacy.”

If the carrot doesn’t work there’s always the stick. From May 2018 the EU General Data Protection Regulation applies. Financial penalties of up to €20 million or 4 per cent of global annual turnover, whichever is higher, for non-compliance are driving many businesses to increase their spending on cybersecurity, says Daly.

“People are much more conscious of the size of the potential fines. You don’t want to be the first privacy officer to sit in front of your board and tell them you didn’t take those regulations seriously. But there’s plenty of time before the date, and with the right advice you can put in place efficient and timely plans to avoid risk of fines or penalties.”