Leading the way: why cyber risk management starts at the top
Given the escalating cyber threat landscape, and the significant ramifications of cyber incidents on practice operations, reputation, and financial stability, cyber risk management must be a critical senior leadership responsibility.
A ransomware attack can bring an architect's practice to an abrupt halt and in some instances close it down. It is no surprise that so many victims feel forced into paying the ransom demand when so much is at stake. Obvious high-risk sectors include professional services such as law firms, architects' practices, accountants, financial services businesses, and any firm handling confidential data and transactional work. But the healthcare sector, factories, car dealerships, retailers and so many others are at operational risk too.
All senior business leaders have a responsibility to manage their cyber risk to safeguard sensitive information, maintain operational continuity, and protect stakeholder interests. Leaving cyber risk management to their IT support simply does not cut it. Proper cyber risk management is a sophisticated, stand-alone discipline, covering so much more than just technology. It requires a comprehensive programme, with formal risk assessments, policies and procedures, and staff training.
Effective cyber governance should include securing independent assurance from a cyber security specialist, who assesses and provides visibility of your cyber risks, determines the measures appropriate to control those risks, and gives you ongoing assurance that the controls you have in place continue to be effective.
There are two key aspects:
Independence – because having IT mark their own homework is a non-starter when it comes to good risk management.
Expertise – because cyber security is complex and ever-changing, you need a specialist who understands your business structure and the current methods of attack, as well as your legal and any regulatory obligations.
Cyber breaches do not result from bad luck. A serious breach means that someone at the most senior level has failed to understand what was required to protect their architectural practice and has not done their job properly. And if you haven’t yet assigned responsibility to someone at board level, you really are lagging behind.
RIBA has partnered with Mitigo Cyber Security to offer technical security services. For more information contact Mitigo on 0161 88 33 507 or email: riba@mitigogroup.com.