There has recently been a great deal of guidance issued to businesses to encourage awareness of data security and of the threats to information assets posed by cyber risk. We have also set out below ‘seven steps’ to limit cyber risk, which we hope are useful.
Ultimately, cyber risk is not confined to IT departments. It is an all-pervasive threat which requires input from a cross-section of stakeholders throughout an organisation. And whilst the looming issue of regulatory fines and compliance remains, businesses need to understand that it is their reputation, together with significant business interruption and lost revenue, that could be at stake.
“The boards of all companies should consider the vulnerability of their own company to these risks as part of their normal corporate governance – and they should require their key advisers and suppliers to do the same”. Jonathan Evans, Head of MI5, Mansion House speech, June 2012.
As News International recently experienced, serious loss of reputation can be irrecoverable. The phone hacking scandal demonstrates that data security is not just about protecting your own perimeter. It is equally about respecting the privacy of others; and managing your own team as well as your supply chain to do the same.
So, where do you start? Firstly, identify your information assets and ‘attack surface’. What type of information do you hold; for whom; where is it held; how sensitive is it; who has access to it; what measures are in place (if any) to manage this risk?
Secondly, review your insurance. Has your insurance been reviewed and updated to reflect the changing risk landscape? For instance, does it cover loss of data? Do you have, or need, specialist cyber insurance? Have you checked, or do you have a policy on, minimum insurance requirements for your suppliers?
Thirdly, ensure the activities of your organisation and your suppliers satisfy data protection and associated regulatory compliance. Have you notified the Information Commissioner, and do you have written contracts with your suppliers requiring them to keep information secure? Have you conducted due diligence before engagement, and periodically throughout their appointment, to ensure that their processes are technically and operationally secure?
Fourthly, review your contracts to assess limits of liability, notification requirements in the event of a breach and include a security schedule to set parameters and minimum benchmarks for suppliers and customers (note: security is not just about managing a supplier’s behaviour; security may be determined by a customer’s negligence – e.g. what measures have they put in place to keep their own (wireless) network secure?).
Fifthly, protect your intellectual property (IP), e.g. by registering trade marks, putting in place IP contracts to control how IP assets are used, and considering whether your products may be protected by patents (note: under the Patent Box, there may be a substantial tax incentive in registering patents, which may give you an additional competitive edge and, at the same time, delight your Finance Director).
Sixthly, allow an agreed security budget and devise and implement an effective, practical data strategy to minimise risk, reduce insurance premiums and maximise the value of your information assets.
Finally, put in place a contingency response plan should a security incident occur. Experts recommend carrying out a mock drill at least twice every year. Consider giving your board media training should they need to issue a press release or attend a press conference in the event of a breach.
Investing in sufficient data security in the future is not a ‘nice to have’. It will be essential for resilience and survival in the rapidly changing, and increasingly hostile, digital landscape.
Courtesy of Thames Valley Business Magazine June 2013