The Risk Coalition
How to mitigate the risk of cyber security breaches – part 1

October 09, 2023

Cyber security breaches are increasingly featuring in the news, and we only get to hear about the major ones in the mainstream media. They are a significant risk for organisations and can have devastating results for the companies and people involved. They can result in serious financial impact, lost customers and reputational damage. Release of sensitive or confidential personal information can put people's lives at risk, as reported in the August 2023 Met Police and Northern Ireland Police data breaches. Any data breach can cause significant user anxiety, even for users whose own data was not compromised. An affected user is likely to share their bad experience with friends and family or via social media, which can further damage an organisation's reputation.

There seems to be an increasing number of hostile actors probing for cyber security weaknesses, infecting company systems with malware and seeking to exploit stolen company and user data. The increasing use of cloud technologies enlarges an organisation's potential cyber attack surface. If employees are working from home, their laptop may connect to other Internet of Things (IoT) devices within their home which may lack security features, providing potential entry points for an attacker.

There is a lot that can be done to reduce the risk of cyber security breaches and improve the resilience of systems in order to minimise their effect. There are two main aspects to consider – prevention and response. The Three Lines of Defence (3LoD) approach is a well-established model for the management, governance and assurance of cyber security. However, the initial line of defence for minimising risk lies with the organisation's culture and its employees.

Organisations need to embed security within their culture and governance and ensure that all levels of the organisation understand the importance and value of security. People are often the weakest part of an organisation's cyber defence. Humans make mistakes, lose things and can be tricked and manipulated. So it is imperative that organisations ensure that their employees are an effective initial line of defence rather than a weakness. This can be achieved through improved awareness, improved security skills, training, prompt off-boarding (to ensure disgruntled leavers are unable to cause malicious damage to systems) and privileged user-ID management (for users with a higher level of authorisation or access). Organisations need to adopt a 'security first' mindset and address the potential conflict between security requirements and the pressure to get on with the job. Employees need to be productive whilst working securely; even though this may slightly reduce productivity, the impact of dealing with a major cyber attack or data breach will be much greater.

Many employees will find security training useful for their personal life too since they need to keep their personal devices and data secure, avoid malware and viruses and be able to recognise and avoid scams.

The increase in phishing attacks will affect employees at work and at home. The main reason phishing is so widespread is that it is very effective, with large numbers of people falling for it. Phishing employs a range of psychological manipulation techniques to get the person to click on a link or open an attachment that contains malicious software. It preys on people's fears, anxieties or emotions in order to get them to lower their defences.

A good cyber security training programme should be easy to sell to employees and a quick win-win for both the organisation and the employee. Such a programme should be frequently updated to cover the latest digital threats, identify common security blind spots within the organisation and include examples of any actual cyber attacks or security issues that have occurred within the organisation. The training should cover standard vocabulary, general physical and data security, the different types of cyber attack, what to look out for and who to contact in the event of an issue. Ideally the training should be interactive and include a set of relevant questions that employees need to answer correctly in order to complete it.

Organisations need to create a safe environment where employees feel they can report cyber issues, equipment losses or data losses as soon as they happen, without fear of being penalised. If issues are reported promptly then action can be taken to minimise the impact: for example, devices can be removed from networks, accounts locked or passwords changed. If the carrot approach does not work, it may be necessary to introduce mandatory training, the completion of which can be linked to reviews and pay rises. The effectiveness of cyber security training and awareness can be tested by sending simulated phishing emails and measuring how many employees click on the test link.

Deploying a comprehensive cyber strategy including organisation culture, training, three lines of defence, disaster recovery and governance is essential to address the risk of cyber attacks.

There will be a follow-on blog post providing more information on minimising cyber risks through the deployment of the three lines of defence model (3LoD) and disaster recovery.

Jim Watson is a Management Consultant with over 30 years' experience at IBM UK who is currently working as an independent member of the Audit and Risk Assurance Committee at the Department for Business and Trade.
