Only 45% of UK businesses have a cyber security strategy in place, according to a recent survey from the Institute of Directors (IoD) and Barclays.
Much of the study focuses on the lack of investment into staff training, but what is particularly concerning is the question of how qualified senior staff are to prepare for and respond to cyber security threats.
One of the major issues facing senior staff will be how to implement a strategy to ensure their business complies with the EU General Data Protection Regulation (GDPR), which will take effect on 25 May 2018.
Directors and board members
As we wrote last week, company directors generally do not have the same understanding of their company’s cyber security defences as the IT security department. Too often, the IT department relies on FUD (fear, uncertainty, doubt) to get directors’ attention.
This practice, although widespread, can be dangerous. If it is used too heavily, the company’s directors could get ‘FUD fatigue’ – leaving them without a clear understanding of the reputational and financial impacts of cyber attacks.
If directors and board members are to take cyber security seriously, they must take a more active interest in the security risks to their organisation. This will prevent ‘FUD fatigue’ and help them develop guidelines on appropriate good practice.
Moreover, senior staff are just as vulnerable to cyber attacks as anyone else in the company.
“From the boardroom downwards in any business, your employees and your business remain susceptible to cyber or data attacks,” writes Angela Edwards, CEO of The Cyber Club, who is cited in the study.
Just last month, it emerged that senior employees at two US tech giants had been duped out of $100 million by a ‘whaling attack’, a form of phishing that targets high-ranking employees.
A similar attack last year led to an Austrian aircraft parts manufacturer losing €41 million (approximately £35 million) and its CEO being sacked.
To mitigate threats such as these, Edwards advises businesses to provide “consistent and enduring cyber awareness training” to create “a culture of personal responsibility in which your directors and employees become your first line of defence”.
Enrol in training
Senior managers who want to improve their awareness of cyber security issues should consider enrolling on IT Governance’s Managing Cyber Security Risk Training Course.
The three-day course builds on foundation-level knowledge of information security management practices to equip practitioners with the expertise to manage cyber security risk and meet compliance objectives in organisations of any size.