John Barradell, chief executive, City of London Corporation, highlights three aspects of cyber risk and how they can be managed
Cyber attacks and online data theft are a daily reality for organisations across the UK. Most local authorities now experience multiple cyber attacks every month. Cyber infrastructure is a vital and flexible tool for storing and collating data as part of our work providing services to our local communities.
But the very openness and flexibility of this tool can leave us vulnerable to attacks, compromising or harming our organisations with potentially profound reverberations for our communities.
There are three important, inter-linked aspects of the cyber risk. First, the risk is systemic, i.e. it affects every part of an organisation as we increasingly rely on cyber infrastructure to deliver services. Second, the risk is unconstrained by geography or sector – it is pervasive. Third, the risk is often invisible; experts say that cyber attacks are increasingly going undetected.
This is why local authority leaders need to put cyber awareness at the heart of their work to make their organisations resilient.
What can leaders do to tackle this threat? In my view, a good place to start is to understand what ‘cyber’ really means in an organisational context. The term is often daunting to people and needs to be explained to non-technical colleagues: it is shorthand for the use of technology to access information.
Moreover, cyber needs to be understood not just as an IT issue but as a form of risk management which should be embedded across all business plans and at all levels of the organisation. This means that appropriate governance structures need to be created to oversee and monitor risk mitigation programmes.
Training and awareness
There should also be regular training in and awareness-raising of cyber issues so that senior managers can remain up-to-speed on the overall risk picture and better understand risk mitigation. Information sharing partnerships such as CiSP are a useful way to seek advice, gain awareness of the current risks and learn from the experiences of others.
Part of the solution here has to be a shared analysis of how the cyber risk manifests itself. The City Corporation has worked with Deloitte to identify a few of these. Firstly, multiple system issues – ranging from slowdown, to part closure, to total failure. Secondly, regulatory and legal issues – failure to comply with regulatory requirements may lead to fines, while the spillage of private data could compromise long-term relations with key stakeholders. Thirdly, costs – the potential financial impacts of remedying problems such as data corruption might hinder service delivery or compromise supply chains.
The City’s work with Deloitte demonstrated that these risks can be mitigated in various ways. This includes sharing sector-specific best practice, implementing trusted supplier mechanisms, creating well-resourced contingency infrastructure, eliminating single points of failure within systems, minimising insider threats through acceptable use policies, and regular stress-testing and table-top exercises.
The cyber threat now forms an indelible but invisible part of our working lives; understanding this threat must now form part of every leader’s toolkit. After all, when it comes to cyber risk an organisation is only as strong as its weakest link.
This article was first published in Local Leadership in a Cyber Society: Understanding the Challenges by the DCLG led National Cyber Security Programme - Local and iNetwork.