There were 2.5 million cyber crimes in the UK last year. The majority of those crimes were various forms of fraud, with the loss typically borne by the financial sector, according to a new report.
The Marsh and TheCityUK Cyber Report urges companies in the financial and professional services industries to take urgent action on cyber risk.
The report shows that companies in these two sectors are particularly vulnerable to cyber attacks, although it seems that some work needs to be done to address the lack of effective cyber security measures:
- Only 30% of large firms list cyber risk as a top ten risk;
- Only 39% have quantified cyber risks;
- 30% have a response plan for data breaches;
- 95% of all cyber incidents involve human error, once again highlighting the crucial role that people and processes play in managing cyber threats.
Organisations that fail to understand the interdependencies between people, processes and technology won’t withstand the ever-growing onslaught of cyber attacks. For example, the deployment of anti-malware software requires skill and has to be managed by a process.
Furthermore, just trying to prevent an attack is no longer a solution. Organisations need to be prepared for rebuffing, responding to, and recovering from a range of possible attacks. This can only be achieved if people, processes and technology are taken into account.
An information security management system that addresses people, processes and technology in a single, cohesive package is the best solution for addressing cyber risks. ISO 27001 takes an integrated approach and covers the three major facets of cyber security, offering a security system which is strategic as well as operational – encompassing people, processes and IT systems.
10-point cyber checklist – report recommends cyber security be monitored against the following checklist:
- Have the main cyber threats been identified and sized?
- Is there an action plan to improve defence and response to cyber threats?
- Are data assets mapped and have actions to secure those assets been clarified?
- Are supplier, customer, employee and infrastructure cyber risks managed?
- Does the company undertake independent testing against a recognised framework?
- Does the risk appetite statement provide control of cyber concentration risk?
- Does the firm’s insurance cover cyber threats and counter-party risk?
- Does the firm have a cyber incident response plan?
- Does the company participate in and share peer reviews of cyber threats and insights?
- Does the board regularly review peer review results of cyber threats and insights?
Let IT Governance help you undertake a cyber risk assessment with an independent, high-level three-day Cyber Health Check that combines on-site consultancy and audit with remote vulnerability assessments and an online staff survey to identify your current cyber risks in the three key exposure areas of people, process and technology.