Cybersecurity and risk management

The topic of cybersecurity is seldom out of the press, occupying the minds of business leaders and politicians alike. From a business perspective, the ideal outcome would be to eliminate cybersecurity risks entirely. However, two things are clear. First, there is no panacea for the diverse and ever-evolving range of threats that exists. Second, there is no such thing as zero risk. A business must therefore design and implement cybersecurity plans that are focused on risk management and minimisation.

Possible consequences of a cyber-attack include:

  • reputational damage and loss of customer confidence;
  • loss of valuable corporate information and trade secrets;
  • regulatory action and significant fines;
  • follow-on lawsuits from customers/partners and/or shareholders; and
  • serious business interruption, distraction and resource wastage.

At worst, a cyber-attack could be catastrophic, putting a company out of business.

Forming a cybersecurity plan

A cybersecurity plan should serve the dual purposes of, firstly, reducing the chances of any successful cyber-attack, and secondly, limiting the consequences of any cybersecurity breach.

No single plan or standard is suitable for all companies, or even for all companies in an industry or sector. Instead, cybersecurity planning should entail a risk-based approach which is tailored to each business.

Take into account:

  1. Types of data held: Some data types will be more sensitive than others, whether because of their inherent value or because of the damage that a leak could cause (eg customer, personal, financial, technical, medical or employee data). Regulators will expect companies to be more protective of some data types than others.
  2. IT systems and data stores: An assessment of the risks and vulnerabilities within all IT systems, processes, networks and data stores is an essential starting point. The future IT development roadmap should also be taken into account during cybersecurity planning.
  3. People within the business, their methods of working and their locations: Employees will always be a major contributor to cybersecurity risk, whether due to inadvertent errors or deliberate action. The same is true for people interacting with the business as customers, suppliers or other third parties. Consider working practices and how these can be policed.
  4. Regulatory environment: Some regulators are highly engaged with issues relating to cybersecurity and are taking the lead in setting expectations and standards.
  5. Emerging industry practices/standards: While few industry standards on cybersecurity exist, take into account any emerging standards or practices. Engage with industry bodies and governmental agencies to benchmark against the wider industry.
  6. Analyse the most likely threats facing the business: Total awareness of all threats will be impossible, but attempting to identify them is nonetheless essential. Certain features of the business/sector/industry may also give rise to specific risks (eg targeting of the financial sector).
  7. Analysis of interdependencies: Interconnectivity with outsourced vendors/suppliers, partners and customers forms a key part of the cybersecurity landscape. All of these stakeholders need to be involved to some extent in forming a coherent cybersecurity plan and, if possible, a common level of preparedness.

A review of these factors should lead to a comprehensive risk matrix with details of the likely impact of any breach/failure and the potential steps available (and resources needed) to address each of them. This matrix forms the basis for a strategy setting out which risks and response elements to prioritise. The resources dedicated to each risk can then be tailored according to their severity and priority.

Of course, budgetary reality will always play a part and companies will inevitably have to make choices, but these must be justifiable when subject to later scrutiny – no actions should be taken (or not taken) simply by default.

The simplest measures should usually be the top priority. If an organisation's cybersecurity measures are ever subject to post-hoc scrutiny, whether by a regulator, a partner company, a court or the media, the failure to take basic steps will be the least easy thing to defend – it is little use engaging expensive and sophisticated solutions if more straightforward and well-known ones exist.

Responding to crises

A good cybersecurity plan must also recognise that it cannot guarantee success and that cyber-incidents may occur. Time is always of the essence when disaster strikes, both with regard to identification and control of the attack, and also in taking steps to mitigate its effects (eg communications, disaster recovery).

A cyber-response plan must involve a wide range of stakeholders, both at inception and when put into action. A governance regime should be agreed in advance, with a "playbook" in place as to how incidents of different types should be dealt with, both internally and externally. Appropriate resources and advisers, including (forensic) technologists, public relations managers and legal and regulatory experts, can be identified and may need to be contracted ahead of time.

Policies and education

Given the potential for entire business processes to be affected, all staff must be educated to view threats to cybersecurity as a shared problem. Procedures should be documented and reinforced through training and drills. IT security fundamentals must not be forgotten (eg strong key and password management, awareness of phishing). This should be reinforced with frequent audits and communication from the Chief Information Security Officer, or even the CEO. An institutional approach to cybersecurity is important (for example, a printout of customer names and addresses left on a train by a careless manager has just as much potential to cause a problem as customer data stolen by a hacker).

The board and executive should set the tone from the top, educating themselves as to the risks and ensuring that they receive meaningful reporting to allow readiness and performance to be measured.

Data protection, trade secrets and cloud technologies

For many companies, a thorough (re)consideration of cybersecurity risks will come at the same time as planning for other technological and legal developments. These include the potential transition of IT systems to the cloud, planning for compliance with the EU's new General Data Protection Regulation, and refreshing trade secrets strategies in view of the EU Trade Secrets Directive. Some will also be affected by the security and reporting regime to be introduced by the Network and Information Systems Directive or sector-specific rules and regulations. This only reinforces the need for all relevant stakeholders to be involved in planning for cybersecurity – a single plan which coherently deals with all of these issues will almost certainly be more successful than several separate plans formed in isolation.

A final word

Finally, as with any compliance system, a cybersecurity plan has the potential to be a double-edged sword. If it is followed and implemented, it will be an asset and a defence; if it is not, then the negligence will be conspicuous and the plan will have become a liability. This means that, not only must the plan be put in place, but it must be adhered to and kept refreshed. No single approach or level of investment can "solve" the cybersecurity problem. Instead, cybersecurity must be viewed as an ongoing aspect of business operations and one that is kept under constant review.

Legal and Regulatory Risk Note