Special Report
A special report is content that is edited and produced by the special reports unit within The Irish Times Content Studio. It is supported by advertisers who may contribute to the report but do not have editorial control.

Cyber security now high on agenda of company boardrooms

With data breaches on the increase, it is crucial that businesses have a well-designed cyber policy

Cyber security is currently a hot topic in corporate boardrooms, with many more at C-suite level understanding the risks associated with cyber attacks.

Businesses of all sizes are exposed to potentially enormous reputational and physical losses as well as liabilities and costs as a result of cyber attacks and data breaches.

“Individuals and boards of directors also face increased exposure to legal actions. Expensive data breaches are now a fact of corporate life and therefore it has never been more important that businesses consider a well-designed and broad-coverage cyber policy, not only to cover the risks but also to provide risk-mitigating solutions to stay ahead of these threats,” Louise Kidd, head of liability and financial lines at AIG Ireland, says.

Brían Gartlan, risk and advisory services partner at BDO, says that while HR or funding risks would previously have been high up the agenda at boardroom level, cyber security is now one of the top three risks for any business.

“It wouldn’t have been to the fore in the last few years the way that it is now. Businesses would have wanted to think they were under the radar and not a target for cyber criminals but that would have been before ransomware came along. The smaller company is now no longer under the radar.”

But while C-suite level is well aware of the potential risks, boards often don’t really understand how to structure their organisations in order to deal with cyber security, Tony Hughes, associate director, risk consulting at KPMG, says.

“They know it’s a thing but they run scared of it. We try to break it down into three things for businesses – people, process and technology. By people I mean governance – the right people in the right positions, they then need to support those people with the processes, policies and procedures and only then do you think about the technology, as that underpins the processes and the people. However, a lot of boards put money in, they buy that black box and as long as it flashes and they are not being attacked, well and good.”

Simple things

Head of 3Connected Solutions Karl McDermott says companies often need only do a couple of simple things in order to protect themselves.

“It’s about training people to understand what not to do, for example staff accidentally opening phishing emails. They also need to change passwords regularly as 20 per cent of companies don’t change passwords ever. If they keep systems up to date and their virus and firewall software is up at the latest level, that will take care of 99 per cent of attacks. Most attacks come from already known viruses, so if their system is up to date and patched properly, the network will be able to protect against it.”

Hughes says it need not cost the earth to protect against attacks. “They need to look at their digital assets, which can be information but also appliances. Most important is their information – that is the life blood of any business. The cost of recreating that is very costly. It can cost very little if you have the right people in place. Identify the bad actors, who has access to the information and what can they do with it? All boards should be breach-ready, they have to understand in the minutes and hours after an attack, what do they do?”

The repercussions and reputational damage to a business cannot be overstated, he says. “With social media, everyone is a paparazzo so a company’s ability to respond quickly is critical.”