In our Hiscox Cyber Readiness Report 2017 we found the close involvement of top management is one of the key six steps for businesses to take when developing an effective cyber security strategy. An easy win you would think when it comes to shoring up cyber defences but worryingly, 45% of businesses we interviewed for our research said that wasn’t the case.
You only have to look at Talk Talk’s CEO Dido Harding who, in the wake of the huge data breach the business suffered in 2015, has openly admitted that – despite thinking to the contrary – the business and by implication herself, hadn’t been taking cyber security seriously enough.
From the IT team to the boardroom
Moving the ultimate responsibility for cyber security from the IT department to the boardroom is a process we’ve been undergoing at Hiscox for some time and the decision by our Group CFO to chair our regular cyber security meetings probably represents the culmination of that move.
But it goes much further than that. For a start, all the sensitive client data we control within the Group – such as personal information and insurance policy details – is owned not by the IT team, but by each relevant chief operating officer. As a management team we also all attend training sessions and cyber security workshops – the last one was labelled ‘Game of Threats’. Not quite as entertaining as the TV show it riffs its name from perhaps, but just as eye opening!
Of course, senior management involvement doesn’t end the need to keep one step ahead in terms of the technology we use to keep our systems secure. For instance all the electronic data that leaves Hiscox is monitored by an external company who look at the destination of each piece of data and match the recipients with any ‘known threat actors’ – that’s cyber speak for criminals. We have also obtained the Government’s Cyber Essentials accreditation and will be looking to achieve Cyber Essentials Plus, when our systems have been tested by an external certifying body.
Beware the Trojan Horse
I’ve been struck though – the more involved I have become in the cyber security process – at how you can use all the best technology that’s out there but the greatest weakness comes down to human error – all it takes is one employee mistake to inadvertently let the cyber Trojan Horse gallop through the gates.
Over the last year, we have introduced compulsory online cyber security training. Plus every employee is tested at least once a quarter by a phishing email. These fake emails are designed to look as plausible as possible, such as an email from our internal IT security team for example or an invite to a staff Christmas party, while tempting an employee to click on a link or send personal details. If the employee gets hooked by one of these they then get redirected to a website where they have to complete an online assignment to help them understand where they went wrong. Management lingo calls it taking advantage of a ‘teachable moment’ – I’d call it a good time for a lesson learnt.
Terrifying but reassuring
We’re being challenged all the time by both the regulators – new regulations such as the EU’s General Data Protection Regulation (GDPR) will demand obligatory notification of a data breach for example – and the cyber criminals to raise our game when it comes to cyber security.
That said, our biggest motivation will always be the protection of our clients’ data and preventing them from suffering the consequences of a successful hack of our systems. And if we get it wrong I know the buck stops here, with me. A terrifying thought maybe which is why I’d prefer to be involved in helping to prevent a cyber-attack through the development of a robust cyber security strategy, rather than only being called on to deal with the reputational and financial fallout from a successful hack.
Read our Hiscox Cyber Readiness Report 2017 to see how ready your small business is to face cyber threats.
You can also find the latest reports on the cyber readiness of UK businesses from Hiscox here; get an up-to-the-minute picture of the risks facing SMEs and the best practice preventative measures.