BreachExchange mailing list archives

UK firms failing to assess cyber threats, study shows


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 18 Jun 2015 20:06:23 -0600

http://www.computerweekly.com/news/4500248224/UK-firms-failing-to-assess-cyber-threats-study-shows

Many UK firms are failing to adequately assess customers and trading
partners for cyber risk, a study has revealed.

As a result of this failure, businesses are making themselves more
vulnerable to cyber attacks, according to the report by insurance broker
and risk management firm Marsh, which polled risk managers and chief
financial officers from more than 100 large and medium-sized UK firms.

The firm’s cyber risk survey found nearly 70% of respondents do not assess
the suppliers and/or customers they trade with for cyber risk.

More than half of respondents also stated their organisations have never
been asked by their bank and/or customers to demonstrate a competent
standard of IT security practice as a condition of doing business.

Stephen Wares, Marsh’s cyber risk practice leader in Europe, said more work
needs to be done to consider cyber security as a business issue, as opposed
to a technical problem, if organisations are to reduce the threats from
cyber attacks.

“This is especially true for larger organisations, which attract highly
motivated and sophisticated hackers that might identify smaller business
partners that are typically less well protected as the ‘back door’ into
their IT systems,” he said.

Organisations should include supply chain security as part of their
strategy to reduce the risk of data breaches, an expert panel told
attendees of Infosecurity Europe 2015 in London.

Information security weaknesses at suppliers have been responsible for
several high-profile breaches in recent years, including the 2013 breach of
US retailer Target, in which attackers first compromised an air-conditioning
supplier with malware-laced phishing emails and then used that supplier's
network access to reach Target's systems.

Chris Gibson, director of the UK computer emergency response team
(Cert-UK), said supply chain security is an important area of focus for an
organisation whose remit is to support critical national infrastructure.

“We are very cognisant of the fact the information security of suppliers is
just as important as that of providers of critical infrastructure. We work
a lot of cases that are deep down in the supply chain,” said Gibson.

Incidents like the Target attack are likely to rise in frequency until
organisations place greater focus on setting out the basic technical
controls all suppliers/contractors should have in place, the Marsh report
said.

The Marsh study also revealed that board-level ownership of cyber risk
remains comparatively low, with IT departments continuing to take the main
responsibility for cyber risk in 55.5% of organisations, while the board
takes main responsibility in just 19.4% of organisations surveyed.

Marsh found that while 52.8% of firms surveyed have bought, or are seeking
to buy, cyber insurance within the next 12 months, only 11% currently have
policies in place.

“Cyber risk management should be at the heart of the strategic
decision-making process,” said Wares.

“Only with board-level support can companies take the big strides needed to
advance their knowledge and perform the financial modelling required to
judge the value of the risk transfer options available on the market,” he
added.

The UK aims to become a global leader in cyber security insurance through a
set of joint initiatives between the government and the insurance sector
announced in March 2015.

The initiatives are designed to help firms get to grips with cyber risk, to
establish cyber risk insurance as part of firms' cyber toolkits and to
establish London as the global centre for cyber risk management.

The plan is detailed in a report published by the government and Marsh,
following a meeting hosted by Marsh in November 2014 between the
then-Cabinet Office minister Francis Maude and 13 major insurance firms, to
discuss ways of improving how UK businesses manage cyber security risk.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/