Cyber security awareness month: Why cyber risk management?

To mark cyber security awareness month this October, Lindsay Hill, CEO of cyber security company Mitigo, has written a blog discussing cyber risk management, from the importance of operational resilience to why security is not a one off MOT.

Managing cyber risk is a complex ever-evolving field, with numerous interconnected elements that must be considered to ensure comprehensive protection. Like pieces of a jigsaw puzzle, each component - from risk assessment to governance - must fit together seamlessly to create a robust defence. To combat the advanced threat landscape, chambers need a proactive, well-coordinated strategy that leaves no pieces missing in their defences.

It’s a board level matter

The stakes are high. Cyber risk should have the same prominence as serious financial or legal risks, and responsibility and ownership of cyber resilience is a board level matter. Governance must include proper management information which is discussed by the senior leadership team at regular intervals.

Recognise the threat

You must understand the modern criminal ecosystem. Sophisticated and professionally organised gangs act with almost infinite geographical reach and frightening speed of execution. The returns are high and the chances of arrest are almost zero. Ransomware gangs develop and sell malicious software as a service to affiliates on the dark web, host data leak sites and manage ransom negotiations. Initial access brokers act as access lead generators. Attack techniques continue to evolve and so must your defences.

Cyber risk management is different to IT

Your IT people may be brilliant at their job. But assuming they are also cyber security experts with the up to date knowledge and experience to be responsible for advising on and implementing proper cyber risk management is the most basic error which can turn out to be fatal. That simply will not cut it, and it is the reason why so many businesses suffer a cyber breach.

It’s not all about tech

The security and configuration of your technology is of course a big part of risk management. But there is much more involved in keeping safe. Your risk assessments come first. People and the activities they undertake are important. Provide training. Test it with simulated attacks. Governances should include the right policies and procedures for your business, with an ongoing programme to evaluate the measures in place. Security is not a one off MOT – it is a continuous process.

Operational resilience

The protection of confidential proprietary and client data is of crucial importance. But a lack of operational resilience can be more devastating. Few businesses recover from a successful ransomware attack within a few days, most remain crippled for weeks or months, wrecking their financial position. Few backups are correctly configured to survive an attack. Incident response and disaster recovery planning and rehearsal is needed so that the business can continue to provide services and function.

Comply with the law

Data protection legislation requirements include regular written risk assessments to enable clear visibility of risks and vulnerabilities relevant to the security of personal data; the determination and implementation of technical and organisational measures appropriate to control those risks (which must include people training, technical security and a governance regime); and the implementation of a process for regularly testing, assessing and evaluating the effectiveness of the measures you have in place. To understand just how widely the Information Commissioner's Office (ICO) interpret legal obligations, take a look at the cases of Tuckers (ICO fine £98,000) and Interserve (ICO fine £4.4m).

Regulatory compliance

All regulators of professional service businesses expect compliance with the law, as well as adherence to separate regulatory responsibilities including the duty to report breaches. Such obligations are not limited to personal data. In the case of a breach, expect the ICO to scrutinise amongst other things, the Bar Standards Board Handbook.

Supply chain management

It’s not just about you. You must consider your connected supply chain and how a breach could affect you or them. Who has access to your data or systems. Which organisations do you share them with. What are your critical supplier dependencies and what is your plan B if they go down. What checks and due diligence do you undertake to understand their security standards and back up arrangements, and do you have too many eggs in one basket.

The importance of independent assurance

Information that is business critical needs to be reliable. Good governance must include independent assurance carried out by genuine cyber security specialists with in-depth knowledge of the latest security risks and experience of the attacks taking place in your sector. They must be independent of your IT provider, because having your IT mark their own homework is a nonstarter from a risk management perspective. Your assurance should be in writing and intelligible to those who are not experts in cyber risk management, including those responsible at senior level for managing the big risks in your business.

The role of certifications

A variety of certifications are available. Cyber Essentials Plus and ISO 27001 are best known, and can be useful as part of the risk management journey. They are sometimes necessary for contract compliance purposes and can be helpful for marketing. But it would be quite wrong to assume they provide proper cyber security. So reliance on either is misplaced.

The role of insurance - not a substitute for risk management

Insurance may be part of your risk management plan, but recognise its limitations - it is no more than the transfer of residual risk once you have taken the right steps to manage your cyber security in the first place. It will not prevent a breach, it will not satisfy your legal and regulatory compliance obligations and it can never repair all the damage to your reputation, business or finances.

The difference between having a cyber breach or withstanding attacks is not about luck. It’s about a thoughtful programme which involves properly assessing your risks; implementing the right controls across technology, people and governance; assessing their effectiveness on an ongoing basis; and getting some assurance so you can sleep at night.

For further insights, explore the Bar Council’s cyber risk management partner Mitigo’s new guide, Cyber Security Matters. Or, for assistance with your cyber security, get in touch here.