Don’t ignore cyber threats

According to new research conducted by the Department for Business, Innovation & Skills (BIS) with MI5 and GCHQ – only 14 per cent of directors responsible for audit at the FTSE 350 firms regularly consider cyber threats, with a significant number receiving no intelligence at all about cyber criminals.

  • Tuesday, 3rd December 2013 Posted 11 years ago in by Phil Alsop

ICT “Company of the Year” Espion, which specialises in information risk management, believes this research should serve as a wakeup call to those charged with governance and compliance to apply the same rules to information risk that are in place for other forms of corporate risk.
Espion’s Head of Consultancy, Stephen O’Boyle (B.Sc, CISA, CISSP, CISM) says: “Whether attacks from data thieves, spies or saboteurs who steal from, gain unfair advantage over or damage companies, the cyber crime threat facing UK organisations is increasing.


It is worrying to see a mere 17 per cent of these organisations have clearly set out what they see as an acceptable level of cyber risk. How an organisation manages information risk can be a key factor in its ultimate success or failure and cyber security must feature higher on the corporate agenda.”


The impact of cyber crime on a company’s reputation, share price or even existence is well documented. Espion has produced ten questions board members should ask of management to support existing strategic level discussions on cyber crime.
1. Do we have a dedicated resource responsible for information security? Who is involved in the governance of information security?
2. Have we identified our key information assets, where they exist within our enterprise or partner ecosystem?
3. Do we know how vulnerable they are to attack?
4. Do we perform a risk assessment of cyber threats against key systems identified?
5. Do we have a set of controls to protect our critical information (financially sensitive data, IP and client information) against industrial espionage, extortion, customer data loss, fiscal fraud?
6. Do we have an assurance that the controls in place are effective?
7. Do we have a security strategy in place for social media, mobile devices, cloud computing and employee use of personal devices (BYOD)?
8. Do we ensure that secure off-site backups of key data exist?
9. Do we have formal information security policies and awareness programmes in place to ensure they are understood by the entire workforce?
10. How many security incidents have we had in our organisation in the past 12 months and do we receive regular reports / intelligence on such incidents including methods and motivation?