Cyber risk is everyone’s business

Date: 15-11-2018


Technology is woven into every aspect of our lives, from controlling the heating in your home to managing your tax return. At the same time, both the likelihood and the impact of a successful cyber-attack have grown rapidly because of our increasing reliance on computer systems. Managing cyber risk is no longer an issue for the IT department in isolation: its potential to cause operational, reputational, financial, legal and regulatory impacts means it’s everyone’s business.

How does cyber-risk differ from other business risks?

Many people still plan for a cyber-attack in terms of traditional disaster planning. However, unlike a natural disaster, which may affect just one location, a cyber-attack can propagate instantly through the network to compromise all systems and data, including those held in disaster recovery sites. Additionally, to cope with the financial impact of a fire or flood a business will normally have insurance in place, yet only 14% of SMEs in the UK have cyber insurance [1].

Conventional protections against physical disasters, such as loss of power, often don’t work in the case of a cyber-attack. With traditional disasters you are dealing with a passive adversary: the risk is better understood and the threat is not likely to deviate. With cyber-attacks, however, you are frequently dealing with an active adversary. For example, if an attacker gains control of a network, the threat may change and escalate as the attack progresses, and new risks not previously identified emerge. Many businesses’ crisis planning hasn’t evolved to consider the dynamic nature of cyber-attacks, nor the financial response they require.

An attack on critical systems

There’s also a lack of awareness of how critical IT systems have become to business, whether large or small. For example, most office telephone systems are now computer based, so organisations need to consider how they would communicate with colleagues, customers or suppliers in the event of an attack. As we increase our dependence on digital infrastructure and the internet, the impact when something goes wrong becomes more dramatic and far-reaching. For example, how would you pay your staff if you did not have access to salary details and payment systems? And how long would they stay loyal without remuneration?

A strategic imperative

Cyber-security is not only a risk to be considered, however. Business strategy also needs to take the cyber-threat into account, because your overall threat profile can be controlled and is, to an extent, determined by the type of business you run, your customers and your supplier base.

Where should responsibility lie for cyber risk?

Accountability for taking the threat seriously, understanding the potential impact of an attack, and creating a response and recovery plan lies with senior management or the Board. The challenge for businesses is that cyber risk is no longer confined to the IT department or the domain of the Chief Information Security Officer. As we have seen, the threat cyber-attacks pose spans the whole organisation, so responsibility to prepare for, respond to and recover from a cyber-attack sits at a departmental and individual level.

As well as operational and financial planning, businesses need organisational resilience, which filters down from the top of an organisation but sees different individuals sharing responsibility within their disciplines.

If you leave the cyber challenge solely with the Chief Information Security Officer, they won’t necessarily have the skills and knowledge to advise on what needs to be implemented in other parts of the business. For example, in the finance department, how would you manage the impact on your short-term liquidity and access to cash? Does the business have appropriate financial plans in place to cope with a cyber-attack?

Whilst there may be one person on the Board with overall accountability, the challenge is to get the right skills and information to every part of the business so that cyber considerations are woven into everyday operations. Planning on that basis demonstrates a clear understanding of the risk and puts you in a better position to manage it.

[1] https://www.insurancebusinessmag.com/uk/news/cyber/only-14-of-british-smes-have-cyber-insurance--study-63628.aspx
