Written by Nick Driver
Posted on 20/10/2014

UK cyber risk management: what’s changing and what it means


The increasingly digitised business world means the threat of cyber-attacks is constant for firms of all sizes, and the damage caused can be significant if not managed appropriately. This is particularly true for businesses with responsibility for national infrastructure. A new directive could mean changes to their cyber risk management strategy are needed.


A new directive for greater protection

At present, there is no single law on cyber-security that governs all industries; instead, businesses must deal with a wide range of legal requirements and regulations, so full compliance is no easy task. The 1998 Data Protection Act requires firms to take the necessary measures to protect any personal data they hold, and those who fail to meet the law face a financial penalty of up to £500,000.

However, the European Commission issued a draft of a new cyber-security directive in 2013, which will have repercussions for certain businesses if passed. Providers of services relating to critical national infrastructure, such as transport, energy and financial services, would be required to implement technical and organisational processes to manage the cyber-security risks their networks and systems face. Any breaches would need to be reported to the relevant regulator and these requirements could come into effect in mid-2016.

What can all firms learn?

While the European Commission’s directive will not affect all organisations, it does highlight a growing need for vigilance. PricewaterhouseCoopers’ 2014 Information Security Breaches Survey found that although the number of security breaches dropped between 2013 and 2014, the cost of them rose notably. It also found that 70 percent of companies whose staff poorly understood their security policies had staff-related breaches, compared with 41 percent of those with a strong understanding. Drawing up clear procedures across your firm, implementing them and ensuring they are followed strictly is therefore vital to mitigating risk and safeguarding against attacks and fraud.

How your firm can protect itself

Protecting your company from cyber-attacks goes beyond robust internal procedures, although an audit of these practices is important to avoid complacency. Third-party organisations along your supply chain also pose a risk, as they are likely to hold data on you that could be exploited. Due diligence must be performed before agreeing to work with another business, and throughout the relationship, to make sure they are adequately protecting their data and systems.

As a safety net should you be the victim of an attack, consider cyber insurance. Such policies not only cover you for financial losses resulting from an attack but also prompt you to strengthen your risk management approach, since insurers will demand a certain level of protection before they underwrite the risk.

Cyber-attacks can strike suddenly and require a lot of effort to resolve, which is why preventing them from occurring is just as important as being prepared to deal with the effects. With thorough risk management, you can achieve both.


Do you want to know more about the different methods fraudsters use to get to the heart of an organisation, and how to protect your business against this growing issue? Go directly to our download centre and download the eBook for free.
