Investing to prevent a Cybersecurity breach can save you millions

2023-02-08

Hear from MD, Eamonn Bunting DipIoD, on his thoughts around investing to prevent a cyber security breach.

Information security and cyber security have long been seen as related but not identical subjects – information security being about protecting information in all its forms and cyber security being about protecting electronic data, with a focus on computers, networks, servers, mobile devices and so on. But such has been the rapid rate of digital transformation in recent times that information security has effectively now been absorbed into cyber security. And the instances of cyber security attacks have risen rapidly and are set to increase further in the years ahead.

By 2025, according to Gartner Inc, 30 percent of critical infrastructure organisations will experience a security breach that will result in the halting of an operations or mission-critical system. Organisations have become far more vulnerable to cyber threats because digital information and technology are now so heavily integrated into day-to-day work. The attacks themselves, which target both information and critical infrastructure, are also becoming far more sophisticated.

The fact that the European Commission recently proposed a cyber defence policy in response to Europe’s “deteriorating security environment” since Russia illegally invaded Ukraine earlier this year, shows how high up the agenda cyber security is. The Commission – citing recent cyber-attacks on energy networks, transportation infrastructure and space assets – called on member states to “significantly increase” investments in cyber security capabilities.

But cyber security can be managed, and the threat lowered. And this could potentially save your organisation millions of pounds.

Technology solutions are just a small part of the picture, and an audit is critical to an effective risk management strategy. It’s something we have significant expertise in through ANSEC AI, which became part of Outsource Group this year, and the highly specialised ANSEC team.

Our approach to cyber in the audit requires us to look at security from two different perspectives. Firstly, as a standards and regulatory driven approach where the baseline is pre-defined, and secondly as an event and risk driven approach where risks are constantly changing and the means of attack evolving.

In the aftermath of a cyber or data related incident, we very often see things that could have been identified and predicted by strong governance and audit programmes. It is therefore important to integrate cyber into any risk management and audit programme. It is also important to align organisational and technical risk.

Following a data related incident, the first question we ask is around the sensitivity of the data processed and stored on the IT applications and network used to deliver services.

According to the Information Commissioners Office (ICO), a key principle of the UK GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is known as the ‘security principle.’

Meeting the security principle requires organisations to consider things like risk analysis, organisational policies, and physical and technical measures. They must also consider additional requirements about the security of processing activities. The ICO states that, “you can consider the state of the art and costs of implementation when deciding what measures to take – but they must be appropriate both to your circumstances and the risk your processing poses.”

The measures must also enable an organisation ‘to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.’ To provide confidence in the ability to do this, ‘organisations also need to ensure that they have appropriate processes in place to test the effectiveness of the measures and undertake any required improvements.’

Identifying what is required involves understanding the link between ‘organisational and technical measures.’ Technology risks should be recorded and aligned with managing the organisational view of risk. This organisational view of control can then be independently reviewed by audit, providing an independent opinion on their operational effectiveness before an adverse event occurs.

And preventing an adverse event is key. The cost of suffering a cyber security breach can be extremely high. IBM Security research suggests that the average total cost of a data breach is almost $4million. But the effects aren’t just direct monetary costs. The impact on reputation, confidence and credibility can also be very costly. Well-managed organisations will invest to stop breaches from happening in the first place and ensure they have a recovery plan to prevent data loss.