Published by Andrew Haldenby on 17 November 2015
28 August 2015
It would be easy to get disheartened about cyber security and to feel that we are losing the battle. After all, you can always find a fresh story about the theft of data, or a key service temporarily out of action thanks to malicious activity. It is fair to say that cyber-attacks are growing in intensity, frequency and scale. However, while not complacent, we should be optimistic that we are on the front foot and heading in the right direction.
With a vast amount of the world’s internet traffic travelling across our network, BT has a ringside view of what is going on when it comes to cyber-attacks. In addition, we provide (and protect) much of the UK’s essential communications assets, from home broadband to the NHS network, as well as services to local authorities and police forces.
As well as safeguarding BT’s network and data, my job involves working with our biggest customers to help them get the right security in place. In general, when it comes to large companies, awareness and practice of cyber security is improving all the time. The businesses we work with at BT get the message and are proactive about protection (although smaller businesses are still catching up). In addition, the Government really understands the issues and is committed to building strong national defences.
Not an IT issue, but a management issue
Smart organisations understand that keeping data and online assets safe is a board level responsibility. Cyber security is not an IT issue, but a governance issue. At the heart of good cyber security is the understanding that this is just another business risk to manage.
Any good business has risk management processes in place and they are equally suitable for managing cyber risks. The danger comes when business people get overwhelmed by headline stories about security scares, and freeze, unable to take positive action.
There are five risk management questions that can help you to put into place effective and appropriate cyber security measures:
1. Why should we want to do something about cyber security? Look at your organisation and consider the consequences of malicious activity. What would be the impact on your ability to operate?
2. Where should we look? Decide what is genuinely important to you. What are those things without which you cannot do what you do?
3. What are we going to do? Make sure you have the basics in place. Implement a clear process that encompasses policy, execution and audit.
4. How are we going to respond? Share information with others, through national organisations such as the Cyber-security Information Sharing Partnership (CiSP). Think through ‘what if’ scenarios and plan your responses in detailed playbooks.
5. When to look? Serious thinking about ‘what if’ will help you to develop hyperawareness about when something might happen.
Finally, have confidence that you can protect your organisation. Overall, the UK’s cyber security capability is good. There is great work underway in the public and private sectors to protect British institutions and business from malevolent activity. Leaders should not be afraid to take responsibility for managing the risks.
Mark Hughes, President, BT Security