One of the Chancellor’s first major announcements in 2016 was the launch of the updated National Cyber Security Strategy – setting out “the government's plan to make Britain secure and resilient in cyberspace” up to 2021.
While an update of its strategy was welcome, the Government could have given more support to businesses. Within the strategy document there is no specific ‘Guiding Principle’ that points to the need for Boards to have a comprehensive understanding of their data landscape and know precisely where each version of the ‘crown jewels’ resides across the IT environment.
This approach is fundamental if organisations want to minimise the opportunity for cyber-criminals to steal any version of the sensitive datasets or IP. Businesses that haven’t mapped their data landscape accurately will find it increasingly difficult to determine whether the countermeasures they have put in place are appropriate and proportionate to the risks they face (for example, are all versions held and transmitted securely?).
Although most organisations know what their ‘crown jewels’ are, they need guidance and support to help them discover how many versions of the sensitive datasets reside across their IT environment: copies could exist in many databases, in shared storage, on mobile devices, in backup and disaster recovery environments, in web and cloud environments, on laptops and PCs, or in sensitive data shared with third parties or stakeholders.
To combat the growing threat, all Boards need to provide leadership and place cyber security alongside the financial wellbeing and growth targets of the business. Equally, Boards also need access to the deeper skills and insights available, so that they have the tools required to meet this growing challenge.
The National Cyber Security Strategy outlines the need to develop our skills and capabilities for the future. Boards need to facilitate the change required, whether that is a comprehensive understanding of the data landscape across the IT environment, robust technology countermeasures, or effective education of end users to minimise socially engineered attacks. A good new year’s resolution for 2017 is to commission ‘stress tests’ of the arrangements your business has in place and use the results to improve your own cyber strategy.
Read the National Cyber Security Strategy document.
If you are a non-executive director interested in cyber security, you can register to attend our cyber security oversight workshop in London on 8 March to find out what “good” risk governance looks like.
For help and advice on managing cyber security risks please contact Steve Rumble or Jason Gottschalk.