Law Society of Scotland
Journal Archive: November 2021

Why cyber risk management is not the same as IT support

In association with Mitigo: Firms must adopt cyber risk management systems and not assume that their IT function has it covered
15th November 2021

Cybercrime is sophisticated. Methods of attack constantly evolve. Security should be at the top of your risk register. Firms must adopt cyber risk management systems and not assume that their IT function has it covered. 

Ask yourself these questions.

1. Who is currently undertaking and documenting your cybersecurity vulnerability risk assessment?

This is a legal requirement and is the essential first step towards security. It should be undertaken periodically by someone with cyber risk management experience who knows the current methods of entry and forms of attack, such as email account takeover and ransomware. It provides an assessment of your vulnerabilities. It must include scanning and probing for vulnerabilities in your technology and its current configuration. It must also include assessing the risks associated with people and the way they use the technology; your systems of work; your interaction with clients and suppliers; the platforms you rely upon; and much more. 

2. Who is configuring your security?

Your vulnerability assessment provides visibility of risk.

A cybersecurity professional can now configure your technology appropriately. This is a specialist job – configuration must provide protection without interfering with functionality. Firewalls, antivirus, email setup, logins to cloud platforms, personal devices, remote connections, backups, access rights, user privileges, logs and detection alerts are on a long list of areas requiring attention. Equally important are the other organisational controls and governance necessary to protect against the risks identified.

3. What about legal and professional requirements?

Does your security adviser know how to comply with your legal obligations to secure personal data, and the obligation to review all measures on an ongoing basis? Do they know your regulatory obligations (protecting client funds, confidentiality, running the practice in accordance with proper governance and risk management principles etc)? Are they satisfying your record keeping obligations? 

4. What about staff cybersecurity awareness training?

You must make staff aware of the dangers which exist and the tricks used to gain access to credentials and systems. Over 60% of breaches are caused by staff error. So regular training is essential, as well as a legal obligation. And test that the training is working by simulating attacks.

5. Have you got the right policies and procedures in place?

Defining and communicating policies and procedures helps prevent security incidents. It is also another legal obligation. Have staff sign for a cybersecurity staff handbook as part of training, then everyone knows the rules and what is expected of them.

6. Are you buying security software which you do not need and which is not solving your security problems?

Buying additional software will rarely solve security problems. It just creates a false sense of security.

Worse still, we find many firms have been persuaded to purchase a patchwork of expensive security software and ad hoc deployments with overlapping functionality. In most cases, their existing technology had perfectly good protection built in, if only it were correctly configured.

7. Who is helping you reply to questionnaires and assessing your own supply chain?

Firms are increasingly asked to satisfy clients and insurers about security arrangements. Your security professional should be able to take care of this. They should also be advising you on the type of questions you should be asking of those with whom you share your clients’ data (such as counsel).    

8. Who is providing ongoing assurance that security controls remain appropriate and effective?

A basic principle of risk management is that assurance be independent. It is neither sensible nor fair to expect your IT people to be cybersecurity experts or to mark their own homework. Nor will their professional indemnity insurers when a breach occurs.

Assurance is not a one-off check. Over time, your technology will change, as will the threats, forms of attack and methods of extortion. Testing and auditing your security configuration and controls must be undertaken on a regular basis to ensure your defences still protect you. Again, checking the effectiveness of your security measures on an ongoing basis and recording this in writing is now a legal obligation.

If you still think your IT support are the right people to be looking after your cyber risk management, you are now lagging behind the field and are likely to suffer a breach. 

Managing cyber risk is an important board level responsibility. It is time to stop hoping you are secure and start proving you are secure. 

This article was produced by Mitigo. Take a look at their full service offer.
For more information contact Mitigo on 0131 564 1884 or email lawscot@mitigogroup.com
