Firms’ cyber controls ‘not fit for purpose’, Oxford Uni report says
Written by staff reporter
Cyber risk security controls that meet international standards like CSC20 might not be fit for purpose. This is one of the findings of a white paper produced by the University of Oxford and Novae Group.
Academics, led by Professor Sadie Creese, at Oxford’s Department of Computer Science and the Saïd Business School found that the standards set by international bodies are often not backed up by objective, empirical research, and so cannot be shown to have quantifiable benefits. This shortfall weakens the value of compliance with risk control standards, because a compliant organisation may still not be protected from cyber-related harm.
Chief innovation officer and head of cyber at Novae Group, Dan Trueman, said businesses are not well prepared for data/software damage, and that this research demonstrates that the cyber controls some companies adopt might not be fit for purpose. “Much more needs to be done to understand the risk environment and prevent the potential damage to organisations from this threat.”
“Insurance alone cannot manage cyber risk; we need a holistic approach. As insurers, we may decide a cyber risk is a good risk when the insurance-buying firm has put controls in place that meet one or another set of international standards. However, this paper shows that a cyber risk gap may diminish the value of companies’ efforts to protect their assets from…harm.”
Creese said that instead of simply working to meet standards, organisations must look carefully at the vulnerabilities inherent in the assets they want to protect.