Cyber security risk management

Cyber security is the practice of protecting your computer systems and networks from attacks. It relies on different methods to reduce the risks of attacks, and protect organisations from unauthorised exploitation of their computer systems.

Managing risks is a critical component of your business' cyber security. If your systems, networks and devices are vulnerable, the services and operations of your business, and even your customers, may be at risk.

What is cyber risk?

Cyber risk refers to any risk of financial loss, disruption or damage to your business that potentially results from:

  • your online activity
  • online trading
  • failure of your IT systems and networks (regardless of the cause)
  • storage of personal data on IT systems and networks

Cyber risk can affect any organisation that relies on digital networks, technology or information. See what is IT risk.

Cyber risk assessment

Cyber risk assessment involves the identification, analysis and evaluation of cyber risks. As part of the assessment, you should look at your entire IT infrastructure and try to identify possible threats arising from:

  • people, processes and technologies
  • vulnerabilities within your systems

You should also look at threats posed by the different types of cyber security attacks.

How to assess cyber risk

When assessing cyber risks, it is often useful to focus first on the most serious threats, ranked by how likely each one is to occur and what it would cost or disrupt if it did. This likelihood-and-impact approach is a common IT risk assessment methodology.

The National Cyber Security Centre (NCSC) offers a free online tool called 'Exercise in a Box' which can help you understand how resilient you are to cyber attacks and practise your response in a safe environment.

You can also use the NCSC's free Check your cyber security service to perform a range of simple online checks to identify common vulnerabilities in your public-facing IT.

Cyber risk management

Cyber risk management consists of several key processes, including:

  • risk analysis - understand the specific threats to your business
  • risk strategy - determine the processes and controls your business needs
  • implementation of risk solutions - deploy the necessary cyber security measures
  • risk training - educate staff about their role in managing cyber risks
  • monitoring - review and test the effectiveness of your security measures
  • risk transfer - consider insuring against cyber risks and plan for contingencies

Following these established IT risk management processes will help you build resilience and the ability to prevent, detect and respond to cyber threats in a way that minimises business disruption and financial loss.

What is cyber risk insurance?

Cyber security insurance (and cyber liability insurance) can help your business further mitigate risk exposure by offsetting some of the costs involved in cyber incident recovery. These may be expenses related to:

  • the management of a cyber incident
  • the investigation of a breach
  • data subject notification and remediation
  • liability, eg for breach of privacy or unintentional distribution of confidential data
  • professional fees related to recovery actions
  • business interruptions, eg from network downtime

Cyber risks typically fall into 'first party' risks (losses your own business suffers directly) and 'third party' risks (claims made against you by others, such as customers or partners). Some policies cover either or both of these categories.

Many cyber insurance policies may also cover you against things like extortion, electronic theft or intellectual property infringement. Most insurance products will have certain exclusions, so if you're looking to buy cyber insurance make sure that you read the fine print carefully. Find out more about cyber insurance.