The annual assessment by the NCA Strategic Cyber Industry Group, ‘Cyber Crime Assessment 2016’, was a chilling account of how the UK is losing the war against cyber crime, which is mainly driven by international groups that are well organised and use call centres with translators to cover many countries. The report described the obstacles to improving risk mitigation that the Strategic Cyber Industry Group has found in many businesses:
- limited engagement by boards
- “box-ticking” approach to cyber security
- limited expertise
Cyber crime questions for your board
The report set out the questions that “we believe that boards should debate and try to find answers for”:
- Do you think you have been the victim of a material cyber-attack? Have you treated it as a crime and reported it? How have you investigated it? Have you received a detailed, yet understandable, report on the investigation?
- How do you measure attacks on your business? Do you record penetrations and data breaches you’ve suffered? Do you take into account direct losses and indirect costs, including damage to customer confidence?
- Have you asked independent testers to determinedly attempt a break-in, using realistic criminal techniques on live systems? If you have, what have they been able to extract?
- What are you doing to reduce the risks your customers face? How do you measure how successful you have been?
- Do you share information with competitors and law enforcement about the attacks you suffer? How do you make sure that your understanding of the threats you face is comprehensive, up to date – and meaningful to the board and top management?
- Have you engaged the entire board in planning – and practicing – to deal with a major cyber crime attack?
- Have your major suppliers and service providers been attacked? What damage was done and have you become a victim of crime as a result? How well are you doing in comparison with your competitors? How confident are you about your business’ cyber security and cyber resilience? How does the board test its confidence?
CTMfile take: Can your board and senior management answer these questions appropriately and effectively? If not, you might already be in big trouble, as a serious cyber attack takes several months to set up.