
Managing your cyber risk

Digital transformation, coupled with changes to the security threat and regulatory landscape, requires local authorities to have a proactive strategy for managing cyber risk. Alison Goodwin, Public Sector Practice Leader at Aon, outlines some of the tools available to local authorities.

Digital technology enables public sector organisations to deliver their services more efficiently and cost-effectively. But reliance on these services, and the nature of the data they hold, means it is essential that cyber risk is taken very seriously.

Exploiting weaknesses in cyber security is big business for criminals. Aon's 2020 Cyber Security Risk Report highlights a 350% increase in ransomware attacks in 2018 and predicts that global ransomware damage will reach $20bn in 2021.

Not every breach is the work of organised criminals: human error can also lie behind a data breach, and the results are no less costly. Figures from the National Cyber Security Centre show that 81% of large companies have reported a security breach, with the average cost of a breach between £600,000 and £1.15m.(1)

Whatever the cause, failure to protect personal data can also land an organisation in regulatory hot water. In July 2019, the Information Commissioner's Office announced its intention to fine British Airways £183.39m under the GDPR for a data breach.(2) That was a notice of intent rather than a final penalty; the fine eventually imposed, in October 2020, was £20m, but the scale of the original figure shows the exposure a large breach can create.

Given the financial and reputational risks, public sector organisations need to take a robust approach to managing their cyber security, with the following steps essential:

  • Identify your organisation’s most critical data, dependent systems and business processes and know where on the network they reside;
  • Establish a sound incident response plan and put it into practice;
  • Develop a regular cyber risk assessment programme to track remediation progress and measure against evolving threats;
  • Regularly test critical access points against cyber intrusion, especially new points of connectivity;
  • Understand what your portfolio of property and casualty insurance policies does or does not cover in relation to cyber security;
  • Stay abreast of regulation;
  • Maintain a holistic cyber security programme to include preventive, detective and reactive measures and controls.

Taking this approach will greatly enhance cyber security and help to create a proactive data protection culture. But with the risks and threats constantly evolving, it is impossible to be completely secure, and some residual risk will always remain. Cyber insurance is one way to transfer that residual risk, and at Aon we are receiving more and more enquiries from public sector organisations about the cover that is available.

Although the market is developing rapidly, it is still early days, and it can be a challenge for underwriters to understand the nature of risk within public sector organisations. This has led to instances where the premium does not fairly reflect the risk, so we are working constantly to educate insurers about cyber risk in the public sector.

Another tool, Aon's Cyber Quotient Evaluation (CyQu), can also help. This is a survey that takes around 90 minutes to complete and gives an organisation a snapshot of its cyber maturity and exposures across eight critical control areas, making it easy to see which areas are weakest and which cyber risks the organisation faces.

The initial result is complemented by a detailed report outlining clear, actionable remediation strategies and recommendations to help improve cyber resilience and cultivate a data-driven risk management strategy.

As well as enabling a more collaborative approach to cyber security, having this insight allows risk management spend to be targeted more precisely. We have also found that it proves valuable in conversations with underwriters, helping them to understand the nature of the risk an organisation is facing.

Robust cyber risk management is essential if public sector organisations and their users are to benefit fully from digital technology. Deploying the right tools can help to reduce the risk of a cyber attack or data breach, and the fines and reputational damage that can accompany them.

For more information, contact Alison Goodwin at [email protected].

1) National Cyber Security Centre figures: 81% of large companies have reported a security breach, with the average cost of a breach between £600,000 and £1.15m.

2) https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/