Posted 19 September 2018 By Martin Longmore, Partner
In Cyber Security
As busy Executives, you may be leaving security controls to your own “experts” – but do you really know what they are doing to protect your business?
Our partner Crossword Cybersecurity advises that it is currently seeing an increasing disconnect between companies' Executive Boards and the cybersecurity professionals who work for them. "Although there has been a significant increase in Boards' Cybersecurity awareness, we believe they are still not sufficiently knowledgeable about Cybersecurity issues. Our view is supported by a recent survey by Harvey Nash, the recruitment firm, which found that among C-level execs, 30% or fewer CEOs and COOs are well informed on Cybersecurity issues, and 20% or fewer CFOs and CMOs are well informed. If you are a Board member who wants to increase your knowledge, where do you start?
There is a lot of information out there, which can be daunting, but we think that the government's National Cyber Security Centre's (NCSC's) own guidance is the best starting point. As part of GCHQ, the NCSC needs to be on top of this subject, and its 10 Steps to Cyber Security provides excellent guidance for Board Executives. We summarise that list below and include some additional controls which are also important:
- Embedding a strong risk management strategy and process in your business, so that everyone knows how to identify, record, manage, and remove or mitigate risks.
- Ensuring your network, devices, and user privileges are maintained to a high standard, to reduce your vulnerability to malicious attack. This includes curtailing administrative user privileges to only those who need them, and keeping malware protection, anti-virus and application software at the latest security patch levels.
- Providing education to all staff at all levels, so that they understand the importance of safely using data without exposing your business to threats or malicious attack. Such education needs to cover the use of portable devices, such as laptops, mobile devices, and USB devices.
- Implementing incident management to deal with a threat or malicious attack, and testing this regularly, so all staff will know who to contact and by what method when an issue occurs, and how your Security Incident Management team will handle that incident to successful closure.
- Ensuring that your suppliers have adequate cyber controls in place, so that they are not leaving your business vulnerable to attack. You should look at leveraging your commercial relationship to ensure that those who fall below the minimum standards improve, and you should also look to pass on liabilities to them, should they cause you to be breached.
If you have recently joined an organisation as an Executive, or have been part of an Executive board for a while now, sitting down with your security team and asking them how they are addressing these areas will help you to develop your Cybersecurity awareness."
Crossword Cybersecurity will be joining us at this year's Bath Digital Festival on Friday 26th October to provide advice on cyber security. If you complete their free security risk survey before 23rd October, they should be able to tailor that advice to your specific business.
If that would be helpful to you, please complete the survey here.
We look forward to seeing you at the Festival!
The NCSC's illustration of key cyber security points
To download the above illustration as a PDF, click here.