The global survey of IRM members that prompted the guidance revealed:
- While 82% of organisations surveyed had an information security programme, less than half also examined the security practices of their supply chains
- Over 90% of organisations allowed staff to use mobile devices for business purposes, but less than 40% required formal security configuration of these devices
- Nearly 40% of organisations reported using some form of cloud-based facility, but a third of these had not yet developed a security policy covering their use
- Of those surveyed, 20% of organisations undertook no information security training
- Access to social media varied widely: 20% of organisations operated a complete lockdown, with no access permitted from any business device, while 9% had no restrictions at all
- 10% of respondents reported that at least one breach of their online systems had taken place in the last three years, with consequences ranging from regulatory fines to compensation costs, share price falls and reputational damage
Tim Gregory, UK President of IT services firm CGI, which sponsored the report, said companies need to understand their potential exposures.
“Every day the media report another organisation which has been the victim of a cyber-attack. Usually it’s the loss of corporate data, intellectual property or customers’ financial details – or at worst sometimes all three. The consequences can vary from regulatory fines and reputational loss, through to the complete failure of a business and we know that cyber criminals can infiltrate an organisation’s systems for days, or even years, without being detected,” he said.
“Businesses and government need to understand where the key cyber risks exist within their organisation, how to detect them and how to protect themselves from this rising threat, at the right level of cost.”
IRM chairman Richard Anderson added that while industries can be slow to react to major shifts in the risk landscape, it is important that measures are put in place.
“Thinking that it will never happen to you is delusional – we all need to understand the nature of the threat, identify our organisational ‘crown jewels’ and ensure that we have the appropriate measures in place to protect them,” he said.
The Cyber Risk guide aims to help organisations tackle cyber risks and outlines best practices for managing them. Topics covered include understanding the threat landscape, the impact of cyber losses, balancing risks with opportunities, internal audit of cyber risk and supply chain issues.
It looks into the implications of cloud computing, social media, mobile devices and the essentials of secure systems.
The enterprise risk management education organisation, the Institute of Risk Management (IRM), has put together a cyber-risk guide after research showed that many organisations are failing to adequately protect themselves against the risk posed by cyber criminals.