The most worrying thing about such a large amount of money being lost by UK business as a result of cyber crime is that it has not received much wider coverage. Perhaps the steady stream of bad news has de-sensitised our customers to the point where breaches are simply expected.
The Marathon team took a look behind the headlines, and the research from Grant Thornton points squarely towards the role that executives can play in ensuring that an effective cyber strategy is in place.
The figures in our diagram above speak for themselves: cyber crime now represents a serious threat to every UK business. According to government figures, two-thirds of mid-market and large businesses experienced at least one breach or attack in the last year. Despite this, the research found that only one in three mid-market companies review cyber risk and its management at board level, or have a board member with specific responsibility for it. Around six in ten do not have a cyber incident response plan in place.
Every second counts
The impact of a successful cyber-attack goes beyond the direct costs and the reputational damage from business interruption. The senior team will have designated roles in the incident response plan, and during serious incidents the CFO, CIO and General Counsel often have to commit 100% of their time until the crisis is resolved, with the CEO typically devoting around half of theirs. Response activity may last for weeks, not days, all at the expense of day-to-day business, as decisions are delayed and plans are put on hold.
So, putting cyber crime onto the board’s agenda is one of the most effective ways to minimise the chances of a successful attack and to reduce the financial impact if a breach does occur. But it is worth asking a further question: does the choice of which executive holds IT security responsibility alongside their board role affect how security is actually delivered?
The next time you attend a customer meeting, find out who is responsible for IT security in the boardroom. It can give you a good insight into how they plan to spend, the kind of services they will require and, ultimately, how they will respond when a breach occurs.
A specialist – The CIO or CTO
Companies most frequently choose a Chief Information Officer or Chief Technology Officer as the person with overall IT security responsibility. We have to look behind the title, though, to see where they came from and to understand their motivations. A technology specialism is an advantage, but a financial background may bring a better understanding of commercial risk and operations. In the absence of a CIO or CTO, the Chief Financial Officer would be a good choice for the role, as financial risk and IT security risk go hand in hand.
Who cares wins?
Business investment has to be a trade-off between operational targets and cyber security risk. Will the board look to avoid interruption to operational systems and delay software patches or application updates, accepting that every week of delay extends the window in which a known weakness can be exploited? Or should maximum security, with extended periods of downtime, be the priority? A board member who is neither the COO, CIO nor CTO has the benefit of a degree of distance and is perhaps better positioned to strike that balance.
Services also represent a great opportunity for resellers to step in as a third party when the going gets tough. Many companies are now using cyber insurance to mitigate risk, and these policies sometimes include services to manage the situation following a breach. Take ransomware payments as an example: ransomware was the fourth most common type of attack in 2018, and almost 70% of respondents agreed that these demands are best handled by expert outsiders with experience of managing the situation.
Talk to the Marathon team about how to position your services in the boardroom and how our range of security services can help get you one step ahead of the competition.