
Navigating Cyber Risk: A C-Suite Perspective

 

What is the pivotal factor transforming the way organisations operate, drive efficiency, and propel substantial growth? The answer is Technology, but…  

As with all major transformations, this comes with its own risks. The Chartered Governance Institute UK and Ireland reported this year that 74% of boards believe their exposure to cyber risk will increase 

 

What is Cyber Risk?  

Cyber risk is the potential for loss or damage resulting from a cyber attack or data breach. It encompasses the likelihood of a cyber event occurring and the potential consequences, including financial loss, reputational damage, and operational disruption. 

 

Bolstering Your Cyber Security Defences 

Cyber security is a complex area even for the most experienced individuals, filled with complicated acronyms, a constantly changing threat environment, and costly technology. Over the last decade, we have seen a shift with individuals in C-suite roles taking more interest in cyber security. In fact, three-quarters of businesses (75%) report that cyber security is a high priority for board members.   

One of the reasons for this shift is that senior-level executives can be held responsible for cyber security failures and, in some extreme cases, can even be criminally charged. Two unprecedented examples of this are Uber’s Chief Security Officer, Joseph Sullivan, who covered up a data breach in 2016, and SolarWinds’ CISO, Timothy Brown, who was charged with fraud and internal failures after the 2020 supply chain attack.

While most of the charges against Timothy were dropped, the case highlighted a significant issue with cyber security: a lack of clear accountability and regulation. Unlike other departments where certifications, audits, and controls provide transparency and oversight, cyber security lacks standardised and mandatory checks. This makes it challenging for boards: not only do they lack the technical expertise, but quantifying the risks can also be difficult.

Whilst governments around the world, businesses and the cyber security community have these conversations, there are actionable steps boards should put in place internally to minimise the risk and effects of attacks.  

 

2024 Cyber Security Statistics 

The first step is to fully grasp the gravity of cyber risk for an organisation. To help, here are ten statistics from the UK Government’s Cyber Security Breaches Survey 2024:

 

  • Overall, three in ten businesses have board members or trustees taking explicit responsibility for cyber security as part of their job. 
  • 62% of medium and only 54% of large businesses reported being insured against cyber security risks.   
  • However, one-fifth of businesses do not know if they have any form of cyber insurance, despite the survey being answered by the individual most responsible for cyber security.
  • 58% of medium businesses and 66% of large businesses have a formal cyber security strategy in place.
  • 74% of large and 70% of medium businesses identified a breach/attack in the last 12 months. 
  • Overall, only 31% of businesses stated they had undertaken a cyber security risk assessment in the last year.
  • Less than half of large businesses (48%) review their immediate supply chain and only 28% of medium businesses conduct an assessment.  
  • An implausibly small proportion of businesses, only 6%, are assessing their wider supply chain.
  • Leading the way, 73% of large businesses have a formal incident response plan in place, compared to 55% of medium-sized businesses.  
  • Whilst 33% of all businesses have a formal policy covering cyber security risks in place, only 44% of those have reviewed these policies within the last six months.  

 

Reduce Cyber Risk 

The statistics above are based on recent data, giving you a good understanding of the threat landscape today. They make some trends in cyber risk apparent and highlight areas that boards should be considering, for example, assessing risks caused by your supply chain. We have seen organisations handle this in different ways; for example, banks operating in the UK and the Government released a joint statement earlier this year stating that Cyber Essentials will play a vital role in their supply chain risk management processes.

Another example of an important consideration is a robust incident response plan. This will set out the exact steps that should be taken after an incident, information about cyber insurance, and the roles and actions individuals have in the aftermath.

So in summary, technology has played a significant role in organisational transformation, and because of this and the ever-evolving threat landscape, cyber security must be reviewed on a regular basis. A risk now may not be a risk in a year’s time, and a risk in a year’s time might not even exist now.

 

Understand and Manage Cyber Risks With vSOC Assure 

While many organisations are turning to Cyber Essentials, there are other schemes and controls available to help dramatically reduce cyber risks. At Data Connect, we’ve carefully assessed various frameworks to identify which is the most effective for organisations. Drawing from the renowned CIS Controls, our vSOC Assure service is designed to help organisations understand and strengthen their cyber security posture.

We can navigate your organisation’s cyber risk, pinpointing your current risk exposure and how to overcome these security gaps with a strategic plan. A Data Connect CISO will develop a customised strategy that aligns with your business objectives without the complex technical jargon, bridging the gap between technical and business needs.  

To hear more about vSOC Assure, get in touch with the Data Connect team.  
