Out-Law News | 12 May 2016 | 5:10 pm | 3 min. read
Will Brandon said, though, that it is up to individual firms to work out how serious cyber risks are relative to the other risks they face, and the steps they need to take to manage those risks.
However, he said that cyber risk should not be left to IT teams to manage on their own.
"The first thing is to get away from the perception that cyber is just a technology problem that can be solved entirely through engineering solutions," Brandon said in a speech in London (5-page / 52KB PDF) earlier this week. "There is a tendency for boards to look at it, fear that it’s too technical to understand, and then delegate the whole issue to technologists – who duly deliver some technological fixes. The trouble with that is that most cyber-attacks are not exclusively – or even mainly – technical in nature. People and processes are every bit as important."
"This is because attackers tend to exploit the credulity or laxity of their targets to achieve their ends. And while some can and do develop highly technical attacks, for the most part these are facilitated in some way by people or process weaknesses in their victims’ defences," he said.
Brandon suggested firms might wish to apply a system of oversight that provides "a formal means for the business to assess and manage risk". He said that firms could also consider making it a requirement for managers to "take ownership of information security risk as they would any other".
Firms should try to quantify the cyber risk they face through mechanisms like assessments or testing, but might first identify the potential threats posed by attackers, their own vulnerabilities and the assets they need to protect.
"Assets are the systems or information which underpin your critical business processes," Brandon said. "You need to know what they are, and have a clear view on the impact on your business if the confidentiality, integrity or availability of those assets is compromised. Successful attacks may have a range of consequences, including financial loss, loss of customers, loss of confidence in firms or markets."
"You should also be clear that the owners of those information assets are the owners of the business processes they support: they own the risk. Not the CIO, not the CISO: it is the owner of the business process who should be accountable. If you have that view of the components, you then have some way of assessing the likelihood and impact of the risk crystallising. And you will have a good idea of what controls you might need to apply to reduce vulnerabilities or to mitigate impacts," he said.
This information, together with details of the financial and business cost of implementing controls to limit exposure to risk, should give firms "a way forward in balancing risks", he said.
Brandon's comments earlier this week preceded an announcement by internet service provider (ISP) TalkTalk that its pre-tax profits had more than halved in the past year from £32 million to £14m. TalkTalk suffered a major data breach affecting 157,000 of its customers following "a significant and sustained" cyber attack.
"TalkTalk's results are a stark reminder of the potential severity of the adverse consequences of a cyber attack on a business," data protection law and cyber risk expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said. "The financial and reputational impacts can be real and long-lasting. Business leaders should be looking at the events that have unfolded and asking themselves 'What if this were my organisation? Am I prepared?'."
In a sign of the increasing recognition businesses are giving to the importance of being prepared for cyber attacks, the British Insurance Brokers’ Association (BIBA) has said it will establish a dedicated "technical group" on cyber issues.
Steve White, BIBA chief executive, said in a speech (12-page / 84KB PDF) at the association's conference in Manchester that the group would help "improve recognition of the value, awareness and take up of cyber insurance protection" and identify ways "to build resilience, including protection against cyber business interruption and cyber crime risks". The group will be made up of technical experts from firms that are members of BIBA, he said.