Across a three-part series of short articles, we are going to take a look at some aspects of increasing the resiliency of your business. Done right, these areas will help to build a solid foundation from which you can grow your business. Conversely, if done poorly, these areas can have disastrous consequences for your firm.

We previously considered the importance of organisational and risk culture

Here, we look at the key considerations around cyber security.

Cyber is one of the main risks to all firms, regardless of size, and it is a constant threat, from hidden sources.

In its 2022 Cyber Security Breaches Survey, the Department for Digital, Culture, Media and Sport highlighted the following statistics:

  • 39% of organisations and 30% of charities experienced a cyber-attack in the last year.
  • The most common threat vector was phishing attempts (83%). Of the 39% of organisations attacked, one in five identified a more sophisticated attack type such as denial of service, malware or ransomware attack.
  • £4,200 is the average cost of a cyber-attack, rising to £19,400 for medium to large organisations.
  • Only 19% of surveyed organisations had a formal incident management plan in place.
  • Just over half of businesses surveyed (54%) acted in the last 12 months to identify cyber security risks.

What are your thoughts on these statistics? How prepared do you think your firm is to deal with a cyber-attack? Have you accepted that you are a target regardless of your size and the industry you operate in?

Some key points to consider include:

  • Your information assets: Do you know what they are? How would your business be impacted should they be stolen / leaked on the dark web? How severe would be the reputational damage?
  • What would be the impact of a denial of service attack? How much of your business is online/technology driven?
  • What security policies do you have in place? Are they tested regularly? Have you thought about Cyber Essentials Plus accreditation?
  • Do you have an incident response plan in place should there be a cyber event?
  • Who is responsible for cyber risk within the firm? Is there regular staff training to help identify potential phishing emails or spoofing?

As you can see, cyber risk needs to be managed at both the Board and technical levels. Everyone in the organisation should be aware of cyber threats.

If there is any doubt over the above questions, you should be raising these concerns with your IT team or your IT service provider and challenging them.

How can we help?

If you need any assistance in developing an incident response plan or more information on external cyber resources that are available, please contact our Head of Risk, Phil McCrossan.

Risk Consultancy Service