As advances in digital technologies continue to transform business infrastructure and service delivery, there are exciting opportunities for innovation and growth. But with change comes challenge, and the increased demands on physical and virtual connectivity can leave many businesses exposed to risk.
Research from Gowling WLG's Digital Risk Calculator highlights that UK businesses are less aware of digital risks than their European counterparts. Of those identified across all countries surveyed, 69% revealed cyber risks to be their biggest area of concern. The second proved to be risks related to the security of highly sensitive/valuable data (55%). Both are issues that could adversely impact the infrastructure assets and networks of a business, as well as bring financial and reputational costs.
Infrastructure risks also scored highly in their own right, with more than a third of those surveyed (36%) considering them a concern. But when we talk of infrastructure, it's not only the fixed networks and assets we are referring to. More broadly, it also applies to the associated data and the information that this can reveal.
The question for small and medium-sized enterprises (SMEs) is how well equipped they are to operate in this fast-changing environment and stay resilient to digital threats.
Future-proofing your infrastructure networks
The first step to future-proofing your business is becoming 'risk conscious' and understanding where there are potential stress points. Ideally, any risk review needs to analyse not only how your business is operating now but also how it is likely to evolve in the short to medium term. Based on this insight, a forward plan can then be put in place, which addresses a number of priorities:
Review and/or refresh existing policies, procedures, checklists and systems.
Despite the identification of data risks in our survey, for example, only 52% of UK businesses confirmed they carry out regular data back-ups, compared to 66% in Germany and 67% in France. In addition, only 32% of UK businesses and 39% of businesses in Germany use off-site storage for sensitive data, compared to 50% of those in France.
Putting a robust, secure digital infrastructure in place will help to address these types of risks and provide resilience in the face of any threats. At the same time, it also offers wider advantages: ensuring data is turned into actionable information; generating efficiencies in handling large volumes of data; addressing network and connection problems; and implementing governance around digital activity.
Monitor and respond to evolving regulation and guidance in this area
Notable wide-ranging external cyber-attacks such as the WannaCry and Petya hacks reinforce the real and immediate threat of cyber-crime to all organisations and businesses. This is borne out by findings in the recent British Chamber of Commerce Digital Economy Survey and the Department for Culture Media & Sport (DCMS) Cyber Security Breaches Survey. Here, a key headline is that one in five businesses has been a victim of cyber-crime in the past year.
Prevention is the key to ensuring a business and its reputation are well protected. Taking steps to ensure all departments are briefed on the importance of customer security will help to ensure a unified approach. It is also important to stay on top of the latest developments in encryption methods, limit those who have access to customer data, establish clear policies around notification of lost/stolen devices, and create several layers of online security.
Underlying all this is the need to comply with the law. Those who are found lacking will expose themselves to potential regulatory fines and civil claims for damages and even potential criminal sanctions, as well as the associated business costs in time, profit, and reputation.
The General Data Protection Regulation (GDPR), which came into force in the UK in May 2018, highlights the constantly changing legislative environment. GDPR directly impacts the way personal data is stored and processed, and creates an environment in which greater transparency on how data is protected and stored is required. In preparation, businesses should have reviewed their data storage processes and policies, carried out risk assessments, scenario planned and developed appropriate controls.
Embed a security-minded approach to infrastructure delivery, operation and management
The importance of becoming 'risk conscious' should not be underestimated. In a world where security threats and vulnerabilities are ever-changing, business owners and staff need to remain vigilant. Finding ways to create a security-minded culture within an organisation will pay dividends and help build resilience within an organisation's infrastructure. This demands clear leadership and understanding of the practical implications of failure.
If we recognise that the most common types of breaches can be linked to human factors - such as unwittingly clicking on a malicious link - then investing in staff awareness and training becomes a priority. As more people have access to greater amounts of data, there is a greater risk of accidental or inappropriate information sharing. This is particularly true in certain core sectors of the economy such as energy and transport, where the management of major infrastructure projects can involve large supply chains.
The introduction of the National Information Security Rules (NIS) in May 2018, alongside GDPR, acts to further tighten up standards in this area. Its aim is to increase the overall level of cyber security in the EU.
Engage senior management
According to the DCMS Cyber Security Breaches Survey, 74% of UK businesses identify cyber security as a high priority for their senior management. It demonstrates that where the leadership of a business is engaged, the issues of information security and infrastructure risks are given greater focus and investment. This in turn filters down through the organisational culture and helps to ensure a proactive approach to managing digital risks.
Consider cyber security risks outside the business.
While many businesses may have concerns about suppliers' cyber security, our Digital Risk survey data also suggests that too few do anything about it.
When consumers buy into a product or service they are often engaging with a large network of organisations as part of a complex supply chain - not just a single provider. At the same time, they are also more commercially savvy and will vote with their feet should a provider's reputation for data security be adversely impacted. Hence it's important that all component parts of the supply chain adhere to the same processes, strategies and standards when it comes to managing digital risk.
At the point of contracting with new suppliers and expanding your supply chain, insist they adhere to specific cyber security standards or codes of good practice. Doing so will demonstrate reliability to their business clients and an understanding of the need to protect their clients' interests. Existing suppliers should be regularly audited to ensure ongoing compliance.
Bringing your strategy to life
The priorities we have covered here all form part of any effective digital risk strategy and will help to ensure your infrastructure is resilient to digital risks. But while points of compliance remain standard, the detail of the type of risks each business faces and how it needs to respond will differ. The businesses that respond to the challenges successfully are those where issues such as cyber-security are prioritised right at the top, and where the whole organisation brings the chosen strategy to life.
For more guidance, visit our earlier insights on understanding your digital risks and implementing the Cyber Security Directive. The National Cyber Security Centre has also outlined practical steps organisations can take to improve their cyber security with its '10 steps to cyber security' guidance.
Another helpful source is our Digital Risk Calculator. Take a look to identify your business's top five digital risks, and calculate your overall digital risk rating. This new free tool allows small and medium-sized businesses to better understand their digital risks and compare these to other businesses and industries.