Why cyber risk management is not the same as IT support

Cybercrime is increasingly sophisticated, and methods of attack constantly evolve. Modern architectural practices rely heavily on digital design applications and as such can be a prime target. All cyber-attacks pose a serious risk to business operations, data, system security, client relationships and business reputation. Data security should be at the top of any practice’s risk register. Which is why every business must adopt appropriate cyber risk management systems and ensure they cover their IT functions.

Our partner Mitigo shared the main questions which may help your practice stay safe from attacks.

Do you currently have a cybersecurity vulnerability risk assessment?

This is now a legal requirement under the Data Protection Act 2018, and it is the essential first step towards security. It should be undertaken periodically by someone with cyber risk management experience. They should know the current methods of entry and forms of attack against practices or businesses similar to yours, such as ransomware and email account takeover. It will provide you with an assessment of your business's vulnerabilities. It must of course include scanning and probing for vulnerabilities in your technology and its current configuration. It must also include assessing the risks associated with people and the way they use the technology; your systems of work; your interaction with clients and suppliers; the platforms the practice relies upon; and much more.

Who is configuring the security of your practice?

The vulnerability assessment will provide visibility of risk. A cybersecurity expert can then determine how to configure your technology appropriately. This is a specialist job - configuration must provide protection against attacks without interfering with daily functionality. Firewalls, anti-virus, email set-up, logins to cloud platforms, personal devices, remote connections, backups, access rights, user privileges, logs and detection alerts are just some of the long list of areas requiring attention. Equally important is advice on the other organisational controls and governance needed to protect you against the risks identified.

Are you meeting legal and professional requirements?

You must be sure that your security adviser really knows how to keep your business compliant, how to take appropriate technical and organisational measures for the security of data, and how to review their effectiveness on an ongoing basis. And do they know your professional obligations? Are they satisfying all your business obligations?

Are you providing cybersecurity awareness training to staff?

This is about making all staff aware of the types of danger which exist, including the tricks being used to gain access to credentials, your systems, data and finances. Some estimates reckon that over 60% of breaches are caused by staff error. Regular training is a crucial aspect of a firm's defences. It is also now a legal obligation. Every business should test that the training is working by simulating attacks. Mitigo has frequently found that before training, over 25% of staff will click on phishing emails, but that figure reduces to under 5% after training.

Have you got the right policies and procedures in place and are they up to date?

Systems are most secure when people know how to use them safely. Defining and communicating policies and procedures will help prevent or mitigate security incidents. As well as being another legal obligation, policies protect your business, your staff and your clients. It is recommended that you provide a cybersecurity staff handbook or policy as part of their training, and have employees agree to it and sign for it, so that everyone knows the rules and what is expected of them.

Are you paying for security software which may not be solving your security problems?

Buying additional software will rarely solve your security problems. It just creates a false sense of security. Worse still, we find many practices have been persuaded to purchase a patchwork of expensive security software and ad hoc deployments with overlapping functionality. In most cases, their existing technology had perfectly good protection built in, if only it were correctly configured (and in some cases, simply switched on).

Are you getting support to complete security questionnaires and assess your own supply chain?

Practices are increasingly being asked to satisfy clients and others about their security arrangements. Your security professional should be able to take care of this. They should also be advising on common questions and responses for those with whom you share systems and data.

Who is providing your business and employees with ongoing assurance that all security controls remain both appropriate and effective?

It is a basic principle of risk management that assurance be provided by someone independent. It is neither sensible nor fair to expect your IT people to be cybersecurity experts or to mark their own homework. Nor will their professional indemnity insurers treat them as such when a breach occurs.

Just like a vulnerability assessment, assurance is not a one-off spot check. Over time, technologies will change, as will the threats, forms of attack and methods of extortion. So testing and auditing of security configuration and controls should be undertaken on a regular basis to ensure that defences are kept up to standard and the business continues to be protected. Again, checking the effectiveness of the security measures on an ongoing basis and recording this in writing is now a legal obligation.

For more information, please email our partner Mitigo at: riba@mitigogroup.com.