Why Cyber Resilience is about more than just IT

The government is bringing in more regulations on cybercrime with an increasing emphasis on non-technical issues.


The growing threat of cyber-crime and the increasing number of attacks have persuaded the government that its existing measures and incentives are not enough. The government's review is part of its attempt to create a new cyber resilience strategy that encourages businesses to adapt to the real risks they will face.

A core element of this new drive is the emphasis on practices rather than technology. In its report, the government states: “Cyber resilience cannot be seen simply as securing data or procuring the latest technology: it is about identifying critical services and infrastructure, assessing vulnerabilities, ensuring that the appropriate mitigations and systems are in place, and creating a supportive governance structure.”

It is a common misconception to view cybercrime as a high-tech threat that requires high-tech responses. Technology does play a role, most visibly in highly sophisticated attacks such as the SolarWinds incident, but for the most part cybercrime consists of basic phishing, ransomware and denial-of-service attacks, and the first two in particular rely on human error to get past defences.


Cyber threats not only a tech-based issue – Consider human error

Businesses that view threats as purely a tech-based problem, one that can be resolved by securing systems and procuring the latest technologies, will be overlooking their most important vulnerability – their own staff. Poor cyber hygiene and poor adherence to policy remain rife across all businesses.

According to data from Yubico, 54% of employees use the same passwords across multiple accounts. The Cyber Security Breaches Survey 2021 found that 39% of businesses reported having suffered a breach in the previous 12 months, but only 35% of organisations had taken action to assess their risks through security monitoring.

The consequences of an attack will involve more than just action from the regulators. Research suggests that 33% of account-compromise victims stop doing business with the companies that leaked their details. Cyber security is therefore both a business risk and a regulatory risk, but, as the government's review states, it has become clear that the market cannot drive these changes itself. It will require new government interventions which, in effect, will mean more regulation.


Stricter non-compliance rules

The new rules bring more firms into scope, impose larger fines for non-compliance, introduce new measures on incident reporting and attempt to drive up standards in the cyber security profession. The government is also looking to improve the way in which businesses report cyber incidents, making the process faster and better able to meet the tight timeframes required.

These new rules indicate the direction of travel, with the government placing more emphasis on governance and practices rather than on technology alone. In a world of interconnected business, cyber security is an issue that extends far beyond the IT team. Every aspect of corporate governance will shape personal behaviour, and with it the extent to which any organisation is exposed.

To keep pace with both the evolving threat landscape and new regulation, therefore, businesses will have to ensure they are constantly reviewing their governance processes, implementing robust protocols and monitoring staff behaviour to check that those protocols are being followed.

Despite the high-tech nature of cybercrime, it is these simple, and very human aspects, that can often cause the most damage.
