On 20 January this year, The Times reported the Top 10 Business Risks as:
- Cyber Liability
- Supply Chain
- HR-Related Risk
- Intellectual Property Theft
- Climate Change
- Catastrophe Risk
- Political Risk
- Mass Migration & Social Upheaval
- Internet of Things
I was heartened to see Cyber Liability included in this list and considered alongside general business risks. That’s its rightful place. The risks associated with cyber are intertwined with other business risks and therefore should not be considered separately or differently.
Let’s take a closer look at that list and see just how much Cyber is intertwined:
Reputation – A good reputation can be lost in a second. What would you think of a company that lost its customer records? Would you want to trust them with yours? So when considering reputation in the modern world, you don’t just need to consider your good service standards, slick processes etc., but also what a cyber attack would do to your reputation.
Supply Chain – OK, they provide you with a great service and a good price, but do they care as much about their cyber risk as you? If not, they could become a weak link in your defences. So in assessing your supply chain, you now need to consider how they manage their cyber risk.
Intellectual Property Theft – If you have valuable Intellectual Property, consider how you will protect it. Think. It is probably easier and cheaper to attempt to steal it through a cyber attack than any other way.
Internet of Things – Who really knows what effects this will have on business in the future? We can be certain it will have some, though.
As you can see, the 5 are closely linked, reinforcing the message that Cyber Risk cannot be considered standalone.
In the article, a lot of reference was made to risk transfer (in layman’s terms, insurance), but I pose the question: is insurance going to cover everything? Surely all policies will require the insured to have taken reasonable steps to prevent an attack.
Taking a non-IT-related example: I have car insurance for accident and theft. If I leave my car with the keys in and it is stolen, the insurance will not pay out. They claim, probably quite rightly, that I haven’t taken reasonable steps to secure the vehicle. So, if I have cyber insurance and I’m running out-of-date software with known issues and experience a cyber attack, will the insurance companies take the view that I didn’t take reasonable steps to secure my systems?
So I would recommend that before considering the transfer option, all companies look at doing what they can to reduce the cyber risk. Cyber Essentials is a great start and, for those wanting a bit more, The 10 Steps to Cyber Security is the next step.