With technology growing ever more sophisticated, a heavy reliance on connected devices and an ongoing lack of corporate awareness, cyber-attacks in the modern workplace are more prevalent than ever. Attackers are becoming more deliberate in choosing their targets, and companies must respond quickly to protect their assets from potentially imminent breaches.
In the UK alone, approximately 2.9 million companies are attacked by cyber criminals annually, with
cyber-crime costing an estimated £27bn every year. A lack of cyber security knowledge is an
expensive mistake to make – Tesco Bank was fined £16.4m for security failures after a cyber-attack in
2016. Throughout 2019 and beyond, cyber risk should be high on the business and boardroom
agenda.
Assessing your own risk is an important first step to mitigating it, and understanding the cyber dangers in your organisation will allow you to tailor your cyber-security investment accordingly. A cyber risk profile measures your insurability and helps a business determine how vulnerable it is to cyber-attacks. Just as companies conduct a traditional risk profile to guide how investments are allocated, a cyber-security risk profile sets out a company's known risks, policies and practices, showing how far it needs to go to protect its assets and data. Once you have looked at the threats and determined your own exposures, an authority on cyber, information security and risk management, such as the Information Security Forum (ISF), can help you quantify risk and tackle the extensive security challenges that affect businesses today.
Typically, many enterprises concentrate primarily on deterring cyber-attacks, but a resilience-based approach equips a company to adapt to change. The Ponemon Institute released its fourth annual 'The Cyber Resilient Organization' report in April this year, surveying 3,655 IT and security professionals across 11 global markets: the US, Canada, India, Germany, Japan, Brazil, the UK, France, Australia, the Middle East and Southeast Asia. In the study, 960 respondents (26%) were identified as high performers. How do these companies achieve this heightened level of cyber resilience? In short, the high performers have robust response plans in place, they address the skills gap, and they have leadership that values these skills and acknowledges the importance of cyber resilience. Finally, these top companies are more likely to participate in threat intelligence and data breach information-sharing partnerships.
Cyber fears continue to haunt business owners, and the risk often begins within the company. Although employees are a company's greatest asset, they are also potentially its greatest risk; while that has always been true in customer relations, it is now equally applicable to data security. More than 25% of cyber-attacks involve insiders, whether intentionally or unintentionally, according to Verizon's 2018 Data Breach Investigations Report. The snowballing number of connected devices, together with the growth in remote working, has increased the opportunities open to cyber-criminals, making it even more imperative that employees are engaged, encouraged and equipped to spot threats.
How can you protect your business? Human error is still a leading cause of data breaches, so education is vital. Organisations need to empower employees to take more personal responsibility for protecting critical and confidential information. Employees need to know the risk their online activities pose and how to manage it, because a lack of awareness, responsibility and accountability simply facilitates cyber-crime. Engaging staff in the cyber-security conversation makes them more alert to phishing attempts at an early stage, and therefore more likely to report and stop a breach before it happens. Employees need to understand that they are a cyber-crime target, and be motivated to recognise and avoid attacks. Taking part in cyber security exercises will help your employees and business in the following ways:
– Reduce errors
– Enhance security
– Increase compliance
– Protect reputation
– Save time and money
– Maintain peace of mind
Business leaders can improve their ability to handle cyber-attacks by running cyber security exercises, which build knowledge and reduce the impact should a real cyber-attack occur. 'Performing cyber security exercises can help organizations improve their ability to detect, investigate and respond to cyber-attacks in a timely and effective manner,' said Steve Durbin, Managing Director, ISF. The ISF's 'Delivering an Effective Cyber Security Exercise' report, released to ISF members, provides a detailed overview of suitable cyber security exercises, how to deploy them effectively and how they protect your company.
With the introduction of cloud solutions and more advanced technologies, cyber-defence simply has to be a company-wide commitment. Employee engagement, from the bottom right up to the board, is essential for effective cyber-security. It must be viewed as a leadership problem, not just a technical problem, and organisations hoping to improve their cyber-security posture must give staff the right tools, knowledge and resources to protect the company. The board is responsible for governance and oversight of risk, so the development of a strategic framework should fall under its remit. While board members may not be cyber experts, their knowledge, expertise and general understanding of risk management, coupled with their stewardship, are essential to nurturing a cyber-resilient organisation.
Digitisation brings so much to the business table, but organisations will have to educate and adapt to
reap the benefits. Cyber-security risk is still a significant board agenda item that shows no signs of
abating, and maintaining resilience in this complex age comes down to the correct blend of people,
processes and technology.