Managing cybercrime risks is becoming a boardroom agenda item for organisations in every sector of the economy. Two-thirds of businesses suffered a cybercrime incident last year. It is estimated that the average cost to resolve an incident is £358,956 and the process takes 31 days. Worryingly, only 10% of breached companies have a cybersecurity incident plan in place.
At FPM, a challenge we see is that business leaders lack the skills to manage cyber risks effectively. While owners and managers generally have a good grasp of their internal networks and websites, they are often less aware of other technology-related risks. Controls around mobile phones, portable media, guest Wi-Fi, and the Internet of Things, for example, are often weaker than controls in other areas and can expose a business to threats such as ransomware.
Businesses also need to be alert to crimes that target their employees. We have seen instances of businesses suffering financial loss through phishing, fraudulent email instructions that purport to come from an organisation’s CEO, and so on. Poor control environments create opportunities for crime and expose organisations to financial and reputational risks.
Getting to grips with managing cybercrime risks
To get to grips with managing these risks, FPM recommends that you examine the measures your business currently has in place. There may be simple steps that you can take to enhance security, such as:
- Changing where you store paper files
- Limiting Wi-Fi access for guests
- Locking screens when away from desks
Protecting data is critically important. We estimate that around 90 percent of businesses will need to make changes to their data management policies and procedures this year in order to comply with new EU legislation. As of May 2018, you could be fined 4 percent of your annual turnover if you don’t have the right measures in place.
From a governance perspective, detection, investigation and communication policies and procedures should all form part of your strategy for managing cybercrime risks. While no business is immune from cyber attack, effective policies and procedures will minimise the impact.