Cyber security is now a top issue for many firms. In fact, it’s frequently listed alongside disruptions such as business interruptions, climate change and economic upheavals as among the biggest threats enterprises face.
However, despite this, there may still be a tendency in some organisations to treat cyber security as solely being the responsibility of the IT department, which may see many firms take a ‘hands-off’ approach that does not give the issue the importance it deserves.
In fact, the National Cyber Security Centre stresses that protecting businesses’ systems from breaches must now be a board-level issue, with senior personnel taking the lead in planning for and responding to any security incident.
The business consequences of a cyber security breach
The business consequences of a cyber security incident or data breach are higher than ever, be this in terms of lost business, financial penalties or a hit to your firm’s reputation. And this means it will ultimately be up to the board to deal with the fallout of an attack.
One major risk is the potential for direct business disruption if an attack knocks key services offline. For instance, it was recently revealed that foreign exchange firm Travelex is expecting to lose around £25 million as a result of the ransomware attack it suffered at the start of the year, which saw staff resorting to pen and paper as critical systems were taken down.
Another factor to consider is the strict rules of GDPR, and the penalties that can be imposed under the legislation. For starters, the rules now have tough reporting requirements for breaches, so businesses will no longer be able to sweep cyber incidents under the rug. As a result, security failings are likely to have a direct impact on a firm’s reputation as they will have to publicly reveal any issues.
Added to this will be the potential for large fines – up to €20 million or four per cent of a company’s global turnover. As penalties of £183 million and £99 million issued by the Information Commissioner’s Office last year to British Airways and Marriott respectively show, regulators are very prepared to use their powers and send a clear message that they will come down hard on any company that isn’t meeting its obligations.
What it means for your operations
What this all means is that, with the bottom line almost certain to be hit by any incident, senior staff will be forced to take ultimate responsibility, with shareholders and customers alike demanding answers as to why key personal and business data was not protected.
This is not just an issue for large enterprises. Smaller firms are just as likely to come under attack, often because these companies are perceived as having weaker defences or as being useful gateways into larger partners. For these firms, a cyber breach can be even more devastating, and potentially put the entire future of the business at risk, so it’s essential everyone is paying attention to security defences.
As well as safeguarding your business from negative consequences, there are other advantages to ensuring senior staff play a leading role in security planning. For instance, if the most senior personnel throughout the business – and not just from the IT department – are prioritising cyber security, this sends a clear message to other employees that it is to be taken seriously. This filters down and ensures people at every level of the company are engaged with the issue.
There are therefore many reasons why everyone has to take responsibility for cyber security – and if you’re not doing this, you will almost certainly have a difficult explanation ahead should your firm suffer an incident.
Find out more about how you can defend your firm from cyber attacks in our new white paper.