Rob Miller
Technology Director
“All our systems are offline…” “When will they be back?” “We can’t be sure… but we think it will take a long time…”
It’s the nightmare of every chief executive and leadership team. Public sector organisations and businesses of all shapes and sizes are increasingly under attack from organised groups who are continuously searching for vulnerabilities and opportunities to massively disrupt your services and profit from doing so.
The UK National Cyber Security Centre’s latest annual report provides a wealth of insight and useful context on the growing cyber threats that we all face, as well as practical guidance on steps that can be taken to protect against them.
How can leaders make sure that they are taking appropriate steps to mitigate their cyber risks, ensure they are as prepared as possible and be ready to respond to the cyber threat that all organisations face? How can you make sense of all the different dimensions of cyber assurance and resilience and take the steps which will make the biggest difference?
Here are some ways to reframe your thinking about cyber risk to help your organisation safeguard against its worst effects.
The prevalence and sophistication of modern cyber crime means that no organisation can be considered ‘safe’ from the risks. Instead, they must invest continuously in ways to be ‘safer’ and make decisions on how much to invest to be ‘safe enough’ when balancing all the competing demands on their budgets.
Whilst accountability for security must be represented at the highest possible level in your organisation, it is every leader’s job to keep the business safe and take an active role in maintaining your cyber posture.
Given that many of the key strategic levers in cyber protection are non-technical, your security cannot simply be the responsibility of the IT team.
Here are some examples of questions that different leaders should be asking to help their organisation safeguard against cyber risk.
As the chief finance officer, how are our investment decisions impacting cyber risk?
As a service leader, how effectively am I working with digital colleagues to make sure that the business priorities we set are helping tackle the risks presented by legacy technologies? Am I confident in my service’s resilience and business continuity preparations?
As the chief people officer, how can I support wider capability building and development of a positive learning culture around cyber, as well as building a digitally confident workforce and recruiting the cyber skills we need? Am I confident that our organisational culture won’t result in risks hiding out of sight because people aren’t confident to raise concerns?
As a communications leader, how can I give our customers confidence in the security of our systems and the data we hold? Are my teams in a position to be able to respond quickly as part of the core recovery team to reassure our customers and keep them updated if an attack were to happen?
As a non-executive director or member of the Audit and Risk team, what do I need to know in order to support the organisation effectively? Do we need people with cyber specialism and experience as part of the non-exec team and advising our Audit and Risk committee so we can be confident that we are asking the right questions?
And as any leader within an organisation, a critical part of guarding against risk is to speak to the team you’re leading. Risk can be hidden in reports: find out how the work of your team intersects with cyber security and what they might be worried about.
As we’ve seen from recent attacks, organisations can experience very serious service impacts as a result of successful attacks on partners and suppliers, even if their own systems remain secure.
It is essential to have a clear understanding of the partners and external suppliers who are essential to your service delivery, and to work in partnership effectively to keep the whole ecosystem safer. Using your procurement levers to design in resilience across your ecosystem will be a critical part of your assurance.
The full extent of your partnerships and supply chain can be vast. It’s essential to have a clear view of where, for practical reasons, you should apply a reasonable level of trust or assumption, and where you need to focus your attention to address the greatest risks.
Recruitment is a challenge for all organisations, particularly finding people with the right skills and expertise in cyber. Some organisations are already working together to share key strategic roles and/or using expert partners to boost skills, knowledge and capability. Done well, this can be an effective use of limited resources.
The people who want to attack you are sharing ransomware code, vulnerabilities and opportunities with each other. Your defences and resilience arrangements will be stronger if you are able to do the same with your partners, suppliers and peers.
The risk of a cyber attack is a question of ‘when’ rather than ‘if’. Building strong relationships across your organisation, and also with partners and suppliers, enables you to develop a network of support that will prove vital when the worst happens.
Building those relationships means developing a culture that has collaboration at its core, and supports rather than blames.
Cyber threats are continuing to evolve at a rapid pace, and the criminals carrying out these attacks are highly motivated, well resourced and determined. They only need to succeed once; you need to protect all of your systems all of the time.
It isn’t possible to eradicate risk entirely, and some of the legacy technologies on which your organisation relies are likely to be complex to upgrade or replace. Nonetheless, it is critical to make the sustained investment and effort to ensure that you have the right levels of cyber resilience, and that you are designing security in depth to protect your organisation, even where less inherently secure systems still have to be used.
We can support senior leaders and executive teams to plan and deliver raised levels of cyber assurance and readiness. Our team brings together highly experienced strategic leadership and technology and resilience expertise, with people who have personal experience of preparing for, mitigating and responding to cyber threats.
We can help demystify the technology, support you in taking stock of your current position, and help you develop your strategic plans to make your organisation and ecosystem as safe as possible.