Cyber risk: are you properly tested?

In association with Mitigo: Six reasons why you need independent assurance over your cyber risk management
19th June 2023

Cyber breaches are not acts of God. They are preventable, provided you have taken the right steps to protect your firm from attack. The central theme of this article is that the only way to prove to yourself and your senior leadership team that you have put the right defences in place is to obtain independent assurance.

What is assurance?

Assurance is the process by which you require an independent expert to give a professional opinion on a subject – in this case your cybersecurity measures. You need it because information that is business critical must be reliable.

There are two key aspects. 

  • Independence. The more independent the review, the more confidence you can have in it. Having your IT providers mark their own homework is simply a non-starter in terms of good risk management. 
  • Expertise. Cybersecurity is complex and ever-changing. Whoever you instruct must be a cybersecurity specialist (not an IT generalist), who understands your firm’s business structure and the legal market in which you operate, and is acutely aware of the current methods of attack, as well as your legal and regulatory obligations. 

It is important to be clear that we are not talking here about certifications such as CE and CE+ (Cyber Essentials and Cyber Essentials Plus). They cover no more than five of what the ICO describes as “basic” technical requirements; they do not provide proper security, nor does either satisfy your legal obligations for the security of personal data.

What does it look like?

Your assurance should be in writing and intelligible to those who are not experts in cyber risk management, including those responsible at board level for managing the big risks in your business. The work should be carried out carefully using a high quality, reliable process, designed for your sector. Doing some defined scope penetration testing is not good enough. The assurance should provide you with a proper cyber risk assessment, clear visibility on your cyber vulnerabilities and risks, and specify the means to control them. This includes all necessary measures as regards technology configurations, people competence, and policies and governance. It should also address the process for regularly reviewing and testing the effectiveness of these measures. 

Why do you need it?

  • Peace of mind that you are protected. The process will identify gaps and allow you to close them – and enable you to build trust in your regime for controlling cyber risks.
  • Keep your proprietary and client data safe and become operationally resilient to attack. The disastrous consequences of a ransomware or other cyber breach are well known.
  • Satisfy your legal and regulatory obligations. Cyber risk assessments, technology configurations, governance, staff training and ongoing reviews (all of which need to be documented) are just some of your legal obligations under UK GDPR which the ICO would look at in the event of a breach. Law Society of Scotland regulatory obligations as regards confidentiality, good practice information issued by the ICO, safeguarding client monies and cashroom management, and cashroom supervision of staff and systems etc., add another layer. And bear in mind that the ICO has made it clear that it will have regard to “relevant industry standards of good practice” such as the ISO 27001 series, the National Institute of Standards and Technology, and the various guidance from the ICO itself, from the National Cyber Security Centre and from the Law Society of Scotland. 
  • Better management decisions. Spending ever more money on technology is rarely the way to get protection. We see lots of firms being given poor advice and wasting money after being persuaded to buy technology solutions which they do not actually need, which are incorrectly configured, and which do not give them the protection they expected.
  • Shows your clients and other parties that you have cyber risks under control. Clients, colleagues and other third parties are increasingly aware of the risks of cyberattacks and the serious damage they can inflict on their own affairs or businesses. Your security matters to them.
  • Insurance. Evidence of good assurance in this area will help characterise your business as well managed and a better risk in the eyes of professional indemnity (and cyber) underwriters.

Questions to ask before you appoint someone to undertake your assurance

  • Are they genuinely independent from your IT providers?
  • Are they cybersecurity specialists with a high quality process for assessing and testing cybersecurity risks?
  • Do they operate within the legal sector and are they up to date with the latest methods of attack? 
  • Do they know your legal and regulatory obligations and related guidance? 
  • Do they also sell any security technology which could give them a conflicting financial interest in their recommendations?

Conclusion

A serious cyber breach is hard to recover from and can result in irreparable business damage. With the stakes this high, surely it is time to stop hoping you are secure and start proving you are secure?
