The case for taking cyber risk management seriously

On 5 March 2019, the UK’s Department for Digital, Culture, Media and Sport (DCMS) published its 2018 FTSE 350 Cyber Governance Health Check, which seeks to assess how businesses understand and oversee the risk management measures that deal with cyber security threats to their business.

The findings make, said Digital Minister Margot James MP, “a compelling case for continued and enhanced action to embed cyber security risk management.”

In brief, the Health Check found that while company boards generally consider cyber resilience a strategic risk to their organisations, they:

  • Are not sure they receive information about it in the most business-relevant way
  • Do not really understand the impact that a cyber attack could have
  • Fail to regularly assure themselves that their incident and crisis plans are fit for purpose

‘This is all well and good,’ you might think, ‘but why should I care? The last time I checked, I ran a small business, rather than a publicly listed multinational company.’

Well, first of all, the Health Check provides a barometer of how corporate Britain is responding to the ongoing challenge of cyber threats, and its findings are intended to be useful to organisations of all sizes.

Secondly, comparing what the Health Check tells us about FTSE 350 businesses’ approach to cyber resilience with how SMEs are advised on cyber security unearths some interesting conclusions.

Unsurprisingly, cyber risk management processes and arrangements in FTSE 350 companies are generally more mature than those of SMEs.

This isn’t uniquely a cyber issue but in many ways a reflection of broader corporate governance challenges for the small business community, a result at least in part of the diversity of SMEs, their limited access to resources, and the fewer formal structures and hierarchies they have in place.

Arguably, it is also a result of the way in which cyber security guidance and advice has been tailored to the different business communities. While advice for large companies tends to focus on strategic (cyber) risk management, guidance for SMEs tends to be predominantly tactical, putting technical controls – strong passwords and data back-ups, for example – front and centre.

Upon launching the Health Check, DCMS announced a new cyber resilience metrics project that will devise a set of risk-based principles to allow companies to understand their level of cyber resilience and learn how effectively they are managing their cyber risk profile.

That said, the tactical focus of SMEs’ cyber advice on technical controls might not do them justice in the long run. What’s more, it becomes clear that size does not matter when it comes to the cyber principles against which organisations ultimately measure and assess their cyber resilience and maturity.

The mantra that cyber security should add value to an organisation, align with its business objectives and be properly integrated into its decision-making processes applies regardless of size. This is not to say that SMEs should suddenly be subjected to onerous reporting and compliance requirements. But it does make the case for recognising that cyber governance cannot be limited to FTSE 350 organisations, and should similarly be part of supporting SMEs’ cyber resilience efforts in the future.

FSB members have access to a free cyber health check and advice. Contact the FSB Legal Helpline on 0345 0727 727 if you are interested in having one done.