Companies Must Focus More on Cyber Resilience
The pandemic heightened businesses’ reliance on digital technology. In doing so it prompted regulators to up their expectations on cyber resilience.
Major economic crises tend to focus regulators on the key issues. In 2008 it was balance sheets; now, in 2021, it’s operational resilience – more specifically, cyber security.
Technology to the rescue
Technology rode to the rescue of businesses in 2020. It enabled them to keep working in an unprecedented climate. Had this happened 13 years ago, without the same ability to work remotely, the impact could have been unthinkable. This time though, many businesses found it surprisingly easy to shift into a digitally driven remote working environment.
This unexpectedly positive experience injected renewed energy into the digital revolution. Companies that were still uncertain about digital transformation found themselves pushed into taking the plunge.
Increased exposure to cyber risk
However, with more and more business functions reliant on digital technology, our economy has become more exposed to cyber risks. As a 2018 report from the FCA showed, cyber resilience was a top concern for businesses even before the pandemic. Even so, almost three years later, most companies are falling short. Not only have they failed to put measures in place, but many do not even have a firm grasp of where or why they are vulnerable.
Now regulators are demanding they up their game. Across the world, governments have taken numerous initiatives requiring companies to do more to ensure cyber resilience.
Data as an opportunity rather than a risk
In the UK, the National Data Strategy Forum was launched to make the UK an international hub for data. This includes guidance on how firms should share data. Responses to the National Data Strategy consultation confirmed the need for action to ensure the UK takes control of the benefits of better data usage, and unanimously agreed that the National Data Strategy provides the appropriate framework. Respondents also noted the value of embracing data as an opportunity for driving innovation and productivity across the economic landscape, rather than seeing it as a threat to be managed in light of risks such as data breaches and cyber-attacks.
The consultation’s themes included:
· Risk assessments: Businesses should carry out thorough risk assessments to identify how and where their operations are likely to create vulnerabilities.
· Strategy: Cyber resilience should be a key component of business strategies. It should have buy-in from the very top of the organisation. Everyone from the CEO down to front line workers should understand how their work influences risk.
· Incident responses: Such is the proliferation of cyber-attacks that a significant breach is highly likely. If – and when – it does happen, much will depend on how robust incident responses are. For example: how quickly are threats detected, and could firms take action to limit the breach and repair any damage inflicted upon their customers?
· Vulnerabilities and threats: The threat landscape is constantly changing. Firms will need to identify new threats as and when they arise and what new vulnerabilities these expose them to.
In short, regulators demand that firms do more to adopt a best-practice approach to cyber risk, and will take this into account if issues arise that potentially trigger regulatory sanctions. This covers a host of issues such as SSL monitoring, the security of apps, website security and patch management. Businesses are required to understand what technology they use, and what risks it exposes them to. This includes the expectation that adequate technical and organisational resources, as well as adequate contingency planning, are in place to prepare for evolving threats such as denial-of-service attacks, phishing, network security, third-party risk and many others.