The FCA’s goal is very similar to our own, in that we aim to help firms become more resilient to cyber attacks. The UK consumers need to be protected and our economy’s integrity should be upheld. ‘Firms of all sizes need to develop a ‘security culture’, from the board down to every employee.’ (https://www.fca.org.uk/firms/cyber-resilience)
Cyber security is a shared responsibility for everyone in the UK and the FCA have recognised that we all have to do our bit to ensure we continue to fight the cyber criminals.
It is essential that all companies have governance of their technology systems. In March 2019 the FCA released Cyber security guidelines that companies need to know about..
However, there are still many organisations that are putting this important issue very low down their priority list.
Whilst there is no one-size fits all solution, individual businesses must ‘establish the security risk-management roles and decision-making processes that work for them’. It is essential that the approach taken is top-down, with senior leaders championing the importance of this to demonstrate to all staff the importance of doing due-diligence when considering their cyber security.
To do this you could:
Ensure that Cyber risk is on the agenda for executive/board meetings. Train and educate executives. Gather high-quality business intelligence in easy to read formats. Adopt simple, plain language when discussing the potential cyber issues. Recruit champions throughout the organisation who can work together to spread the message. Do some research into who could be targeting your business, why and how they might go about it. When risks have been highlighted use metrics to work out what needs to be the priority to mitigate first and put an annual plan together. There are a number of practices that you need to follow in order to be cyber safe and follow FCA guidelines. To simplify them, here are the 6 basic steps you need to take:
Identify what you need to protect – you need to keep track of your data & IT systems. Protect your assets appropriately – Invest and train. Use good detection/prevention systems – whilst detection of threats is important, don’t just simply detect when you are attacked, try to prevent it in the first place. Be aware of emerging threats and issues – Learn from others, news, forums, groups etc. Be ready to respond and recover – You will be attacked at some point, that is a certainty. Ensure you have plans to get you back up and running so that it doesn’t cripple you. Test and refine your defences – regularly test all of your mitigations. Society now has a continuous roll-out of new tech which we use daily, sometimes adding a new tech can affect your systems in unexpected ways. You must regularly check to see that you are still safe. If this seems like quite a large undertaking to work on independently, then consider working towards an accreditation like the governments Cyber Essentials Scheme (https://www.cyberessentials.ncsc.gov.uk/) or IASMEs governance standard (https://iasme.co.uk/the-iasme-standard/).
There are cyber security consultants throughout the country, like us, who can work with you and advise you against these guidelines and help to give you the most cost-effective ways to put solutions in place to ensure that your risk profile is significantly diminished.
By gaining such an accreditation, not only does it give you a fancy badge to put on your website and impress your customers/partners, they provide you with a clear list of criteria created by the country’s leading cyber security experts. This gives you a well-defined framework rather than having to try and guess which, from the numerous different products and services, is going to be true value for money.