Cybersecurity Without Insanity? It could be as simple as 3 – 2 – 1…
This week: Phishing remains the biggest threat to businesses, the board is having the wrong conversations about cybersecurity, and navigating the content of the DORA regulation just got easier.
3 – UK Government’s survey shows phishing attacks are still the biggest threat
33% of the businesses surveyed by the UK government said they experienced a cybersecurity breach or attack in 2022, with 79% of businesses reporting that phishing remains their biggest threat.
These statistics are included in the UK government’s annual cyber security breaches survey, and recently reported in Tech Republic. The survey is based on phone and online interviews with over 2,000 UK businesses.
These survey results remind us that most attacks involve someone being fooled by a phishing e-mail / message.
2 – Boards are having the wrong conversations about cyber security
In a typical board presentation about cybersecurity, the focus tends to be on the actions / technologies being used to protect the organisation from a cyber attack. Instead the conversation needs to focus on resilience. We should assume that our organisation will be attacked so our primary focus should be on how the organisation “will respond and recover [from the attack] with minimal damage, cost, and reputational damage”.
This is according to an article in the Harvard Business Review, and recently mentioned by Secure The Village. The article goes on to discuss how board members continue to believe cyber security is primarily a technical issue, rather than recognising that it is an organisational risk issue. For example, “only 67% of board members believe human error is their biggest cyber vulnerability, even though findings of the World Economic Forum indicate that human error accounts for 95% of cyber security incidents”. “When the board perceives it to be a technical issue, [t]hey may shy away from asking difficult questions because they feel they are not knowledgeable enough about technical concepts to ask good questions. Viewing cyber security as an organisational issue changes the discussion from a technical to a management challenge and therefore becomes relevant for board level discussion.”
1 – It just became easier to read the DORA regulation
The DORA (The Digital Operational Resilience Act) Regulation will apply from January 2025, and as the name suggests, it focuses on the organisational resilience recommended in the HBR article. If you will be involved in your firm’s efforts to comply with the regulation, I have just found a way to save you hours per week: HTTPS://DORA-INFO.EU provides the full text of the regulation, in hyperlinked and searchable form.
The site has been developed by Springflod, a boutique consultancy firm based in Sweden, specialising in cyber security within the banking and financial services sector. Springflod offers professional services concerning secure development using devops, and information security governance, risk and compliance. (I am more than happy to promote Springflod here, as I know this site will save me and my clients a lot of time and frustration over the next couple of years.)