Cyber is strategic risk that needs better management says UK government in new guidance
The guidance is designed to help top management understand how to safeguard a company’s most valuable assets, such as personal data, online services and intellectual property.
It aims to reinforce the idea that the cyber world represents a strategic risk that needs to be managed at board level.
The new guidance is much needed, said the UK’s Department for Business, Innovation and Skills (BIS), because ‘currently, too few company chief executives and chairs take a direct interest in protecting their businesses from cyber threats’.
The initiative should help risk managers to drum up support and resources for their cyber risk management efforts and has been welcomed by Zurich as an important step in dealing with this emerging risk.
Produced by the CESG (the Information Security arm of Government Communications Headquarters otherwise known as GCHQ), BIS and the Centre for the Protection of National Infrastructure (CPNI), the new guidance is directly targeted at the most senior levels in the UK’s largest companies.
It is predominantly aimed at company boards, their chairs and chief executive officers and builds on a key objective within the government’s Cyber Security Strategy to work hand in hand with industry and make the UK one of the most secure places in the world to do online business, said BIS.
The guidance was launched last week at an event attended by FTSE 100 CEOs and chairs and ministers from BIS, the Foreign Office, the Cabinet Office, the Home Office and senior figures from intelligence agencies.
Speaking at the event, UK Business Secretary Vince Cable said: “Cyber security threats pose a real and significant risk to UK business by targeting valuable assets such as data and intellectual property. By properly protecting themselves against attacks companies are protecting their bottom line. Ensuring this happens should be the responsibility of any chief executive or chair as part of an approach to good corporate governance which secures a business for the long-term.”
Foreign Secretary William Hague, as minister responsible for the Government Communications Headquarters, added that ‘the UK is committed to building a secure, resilient, open and trusted internet. We are working with partners across the globe to ensure this vision becomes a reality. A networked world brings many advantages. But cyberspace—and cybercrime—knows no borders. Businesses must be alert to the dangers. Drawing on GCHQ’s experience and working with industry the government is committed to helping reduce vulnerability to attacks and ensure that the UK is the safest place in the world to do business.’
The Cyber Security Guidance for Business consists of three products.
The first product is aimed at senior executives. It offers some high level questions that BIS believes will help executives to determine their critical information assets, support them in their strategic level risk discussions and help them ensure that they have the right safeguards and cultures in place.
The second product is an executive companion that discusses how cyber security is one of the biggest challenges facing business and the wider UK economy today.
It offers guidance for business on how, together with UK authorities, they can make the UK’s networks more resilient and protect key information assets against cyber threats. The document focuses on key points of risk management and corporate governance and includes some anonymous case studies based on real events.
The third product supports the executive companion and provides more detailed cyber security information and advice for 10 critical areas, covering both technical and process/cultural areas.
“If implemented as a set it can substantially reduce the cyber risk by helping to prevent or deter the majority of types of attacks. For each of these 10 areas, we have summarised the issue, outlined the potential risks and provided some practical measures and advice to reduce these risks,” said BIS.
To underline the growing importance of the cyber world to the global economy, BIS highlighted some key figures as it launched the guidance.
It pointed out that there are 2 billion internet users worldwide and that the internet accounts for 3.4% of GDP in the top 13 ‘cyber-mature’ countries.
The internet also accounts for 21% of GDP growth in the last 5 years in mature countries, and 2.6 jobs are created for every job lost.
Zurich has welcomed the new guidance in the UK.
Cyber is one of the biggest risks currently facing UK plc, with organisations increasingly reliant on the internet to deliver services, it said. “However, there is still a very limited understanding of all the associated risks, such as privacy and security,” it added.
Zurich is currently in the process of carrying out a comprehensive study with Ferma and Harvard Business Review into these risks.
Geoff White, Senior Underwriter Technology, Zurich Insurance said: “This is an area that is constantly evolving, and it’s the responsibility of all of us to work together to minimise the risk from cyber attacks. As technology advances new risks emerge, with the greatest being those posed by cloud computing. With new EU privacy legislation due within the next two years, business must invest time and resources to protect themselves and their customers”.
Zurich this week also published new research into cyber risk at UK SME firms.
According to the research nearly two thirds (61%) of UK small businesses fear a cyber-attack and data loss incident. Senior UK SME decision makers ranked these two areas as the top technological business risks.
Nearly one fifth (19%) of web-based SMEs view ‘exposure to the cloud’ as a threat.
Such concerns over cyber-security occur at a time when 24% of UK SMEs currently conduct all or most of their day-to-day business on the internet, according to Zurich figures.
Over one in ten (13%) are looking to expand overseas via web trading and internet sales in the next year. This figure rises to 18% amongst web-based SMEs.
“Expansion plans reliant on the web, while more streamlined and cost effective, will undoubtedly increase the level of data received and therefore the amount that needs to be managed. This will heighten the chances of a cyber-attack unless key preventative measures are taken,” said Zurich.
Richard Coleman, Director of SME at Zurich Insurance, commented: “These findings emphasise the fact that the increased threat of cyber crime to UK small businesses brings a new sense of vulnerability to this sector which, as we have already seen, can have disastrous consequences for businesses.
“Companies understandably feel exposed by both more established cyber threats and also new emerging risks such as those around cloud computing. But it is vital that they are prepared for the unexpected and implement clear, effective strategies and frameworks to tackle any cyber incident that may occur,” he added.