In the UK we spend millions of pounds every year on insurance to protect our businesses against things that may not happen. We protect against damage to our property and equipment, against theft or natural disasters, and to cover our employees. If we pay an insurance premium, someone else promises to pay, should a loss occur, so we do not always have to have enough money to cover the expenses ourselves - it gives us peace of mind.
Yet we do not protect our most valuable asset. A business's core operations depend on the electronic data and information held within its computer systems. Without access to e-mail, the network or the Internet, businesses would quickly grind to a halt: customers can be lost, share prices can be damaged and brand integrity can be destroyed. Yet traditional insurance policies do not cover these kinds of "cyber" risks.
Recent high-profile security embarrassments have brought systems security to everyone's attention, yet what most businesses do not realise is that computer security is being compromised on a daily basis, more often than not by their own employees. The reason? No security system can ever be 100% secure. If a security policy is deployed and maintained effectively, and everyone in the organisation is trained properly, then it can minimise the risks. It can also help reduce any potential damage, but it does not compensate you for loss of revenue, wrongful taking of proprietary information or damage to your brand.
Board members need to start working with the IT department to understand what their risks are so that they can protect their assets. They need to work together to implement a risk management strategy that does not just include risk assessment and mitigation but also transfer.
Harry Croydon is CEO of Safeonline
This was first published in January 2001