As the number and sophistication of cyber incidents increase, senior managers are under growing scrutiny to provide evidence of how their businesses are protected.
According to the latest Cyber Security Breaches Survey from the Department for Digital, Culture, Media and Sport, two-thirds (65%) of medium to large businesses identified at least one breach or cyber attack in the last 12 months. It is therefore no wonder that nine in ten (89%) directors or senior managers say that cyber security is a high priority.
But too often cyber security is managed solely by IT departments, which makes it difficult to join up the overall governance of digital services. Cyber risks affect the wider operations of the organisation and should be addressed within its governance and management processes, not handled in isolation by one department.
The risk can no longer be delegated away from the governing body, and executive management is more accountable than ever for cyber resilience and for the costs of cyber crime. Being able to produce evidence of appropriate action taken to protect the business will be key to meeting the expectations of an organisation's stakeholders and regulators.
The recently introduced British Standard 31111 was developed by the BSI Risk Management Committee to help top executives better understand and manage the cyber risks to their organisations. Assessment against this standard is a new service offered by Jisc’s cyber security team, which carried out one of the first high-level applications of this standard at CERN, the European Organization for Nuclear Research in Switzerland.
Can your organisation meet the BS 31111 cyber security standard?
You’ll be well on the way if you can comprehensively answer the following four questions:
- What is the level of cyber risk in each department, and what is being invested to mitigate it?
- What is the level of prevention and response capability available to manage a cyber incident?
- How does your organisation manage and understand change across the cyber landscape?
- What resources (eg financial, human, information, technology) are needed to meet the principles and objectives defined in your cyber risk management and resilience policy?