The figures show that most attacks are relatively unsophisticated, so their risk can be mitigated by following basic cyber-hygiene guidance, such as that set out in the Cyber Essentials scheme.
The scheme requires that vulnerabilities rated critical or high are patched within 14 days of a fix being released, and the report indicates that businesses are increasingly struggling to meet this window. Saepio recommends implementing an automated SaaS patching tool, such as Automox, which can considerably reduce the time a vulnerability remains exploitable, to well within 14 days.
Only 3 in 10 businesses have conducted a cyber risk assessment or deployed security monitoring tools in the last year, while fewer than 4 in 10 are insured against adverse cyber events. Nevertheless, there is some evidence that businesses, particularly larger enterprises, are starting to review the cyber risk of their supply chains.
At Saepio, we regularly conduct cyber risk assessments in line with the NCSC’s Cyber Assessment Framework. This helps organisations understand their current security ‘state-of-the-nation’ and build out sensible improvement plans aligned to risk appetite, budget, and operational capacity. We have also developed a service to manage supply-chain cyber risk, using both point-in-time and continuous assessments of suppliers’ security posture.
Corporate reporting of cyber risk remains relatively uncommon even in larger businesses, although more people are now aware of the NCSC’s Board Toolkit.
We encourage Management Boards to incorporate cyber risk management into the organisation’s wider risk management programme. The Board Toolkit is a good place to start; for more detailed support, engage a virtual CISO to help build out a cyber risk management framework.
Relatively few organisations are certified against Cyber Essentials, ISO27001 or a similar standard, and the driving force for gaining certification appears to be client demand rather than adherence to security best-practice principles per se.
Whether certified or not, we recommend aligning to an industry standard, such as the Cyber Assessment Framework, NIST or ISO27001, to build an Information Security Management System (ISMS). Again, a virtual CISO can help align policies, processes and technology controls to the chosen framework.
Only 21% of all businesses have a formal incident response plan in place. When a cyber incident happens, therefore, the majority of companies will have no defined roles and responsibilities, and guidance on internal and external reporting of the incident may be unclear. It is widely accepted that poor handling of a cyber incident leads to much longer recovery times, greater expense and a hugely detrimental impact on reputation.
We highly recommend drawing up a Cyber Incident Response Plan and practising for cyber incidents with tabletop exercises, which also allow incident playbooks to be defined and refined. If the worst happens, a well-oiled incident response machine will minimise the impact of a cyber-attack.
The average (mean) annual cost of cyber crime for businesses is estimated at £15,300 per victim; for those in the top 5th percentile the figure is significantly higher.
If you’d like to talk further about any of the issues raised in this blog, then please do reach out to the Solutions Team at Saepio on contact@saepio.co.uk.