Many UK firms are failing to adequately assess customers and trading partners for cyber risk, a study has revealed.
As a result of this failure, businesses are making themselves more vulnerable to cyber attacks, according to the report by insurance broker and risk management firm Marsh, which polled risk managers and chief financial officers from more than 100 large and medium-sized UK firms.
The firm’s cyber risk survey found nearly 70% of respondents do not assess the suppliers and/or customers they trade with for cyber risk.
More than half of respondents also stated their organisations have not been asked to demonstrate a competent standard of their IT security practices to their bank and/or customers to do business with them.
Stephen Wares, Marsh’s cyber risk practice leader in Europe, said more work needs to be done to consider cyber security as a business issue, as opposed to a technical problem, if organisations are to reduce the threats from cyber attacks.
“This is especially true for larger organisations, which attract highly motivated and sophisticated hackers that might identify smaller business partners that are typically less well protected as the ‘back door’ into their IT systems,” he said.
Organisations should include supply chain security as part of their strategy to reduce the risk of data breaches, an expert panel told attendees of Infosecurity Europe 2015 in London.
Information security weaknesses at suppliers have been responsible for several high-profile breaches in recent years, including malware-laced phishing emails sent via an air-conditioning supplier to US retailer Target in 2013.
Chris Gibson, director of the UK computer emergency response team (Cert-UK), said supply chain security is an important area of focus for an organisation whose remit is to support critical national infrastructure.
“We are very cognisant of the fact the information security of suppliers is just as important as that of providers of critical infrastructure. We work a lot of cases that are deep down in the supply chain,” said Gibson.
Incidents like the Target attack are likely to rise in frequency until organisations place greater focus on setting out the basic technical controls all suppliers/contractors should have in place, the Marsh report said.
The Marsh study also revealed that board-level ownership of cyber risk remains comparatively low, with IT departments continuing to take the main responsibility for cyber risk in 55.5% of organisations, while the board takes main responsibility in just 19.4% of organisations surveyed.
Marsh found that while 52.8% of firms surveyed have or are seeking to buy cyber insurance in the next 12 months, only 11% currently have policies in place.
“Cyber risk management should be at the heart of the strategic decision-making process,” said Wares.
“Only with board-level support can companies take the big strides needed to advance their knowledge and perform the financial modelling required to judge the value of the risk transfer options available on the market,” he added.
The UK aims to become a global leader in cyber security insurance through a set of joint initiatives between the government and the insurance sector announced in March 2015.
The initiatives are designed to help firms get to grips with cyber risk, to establish cyber risk insurance as part of firms’ cyber toolkits, and to establish London as the global centre for cyber risk management.
The plan is detailed in a report published by the government and Marsh, following a meeting hosted by Marsh in November 2014 between the then-Cabinet Office minister Francis Maude and 13 major insurance firms, to discuss ways of improving how UK businesses manage cyber security risk.