Organisations’ cyber controls are “not fit for purpose”
Cyber-risk security controls that meet international standards like CSC20 might not be fit for purpose. This is one of the findings of “The relative effectiveness of widely used risk controls and the real value of compliance” report, a white paper produced by the University of Oxford and Novae Group, the specialist Lloyd’s insurer.
Academics, led by Professor Sadie Creese, at Oxford’s Department of Computer Science and the Saïd Business School found that the standards set by international bodies are often not backed up by objective, empirical research, and so cannot be shown to have quantifiable benefits. This shortfall weakens the value of compliance to risk-control standards because a compliant organisation may not be protected from cyber-harm.
Dan Trueman, Chief Innovation Officer and Head of Cyber at Novae Group, said: “We are delighted to be collaborating with Oxford University to understand more about this evolving threat. Businesses are not well prepared for data/software damage and this research demonstrates cyber controls which some companies adopt might not be fit for purpose. Much more needs to be done to understand the risk environment and prevent the potential damage to organisations from this threat.
“Insurance alone cannot manage cyber-risk; we need a holistic approach. As insurers, we may decide a cyber-risk is a good risk when the insurance buying firm has put controls in place that meet one of another set of international standards. However, this paper shows that a cyber-risk gap may diminish the value of companies’ efforts to protect their assets from cyber-harm.”
Professor Sadie Creese, said: “Instead of simply working to meet standards, organisations must look carefully at the vulnerabilities inherent in the assets they want to protect. Cyber-attackers are creative and aggressive. Both the changing threat and an organisation’s attack surface must be modelled to ensure that cyber-controls offer adequate protection from harm.”
To download the summary of the report, please click here.
To download the full report entitled, ‘The relative effectiveness of widely used risk controls and the real value of compliance’, please clickhere.
For further information please contact:
Novae Group
Paul Riseborough
+44 (0)207 050 9386
priseborough@novae.com
Haggie Partners
David Haggie/ Rebecca Young
+44 (0)207 562 4444
david@haggie.co.uk/ Rebecca.young@haggie.co.uk
Notes to Editors
Novae Group is a diversified property and casualty (re)insurance business operating through Syndicate 2007 at Lloyd’s and is listed on the London Stock Exchange. Established in 1986, Novae writes property, casualty and marine, aviation and political risk business between its offices in London and Bermuda and has a market capitalisation of more than £400 million.
Syndicate 2007 is managed by Novae Syndicates Limited and enjoys an A (A.M. Best) and A+ (Standard & Poor’s) and AA- (Fitch) Lloyd’s rating.
The Cyber Security Oxford network aims to support all of the researchers and experts working on Cyber Security at the University of Oxford. The network does not conduct Cyber Security research and education itself, but creates a community to help foster those activities across the University. With experts working in over 20 units across the University, the network is able to address the difficult questions that cross the borders of traditional academic disciplines: what does ‘good’ cybersecurity look like, and how does that change in different contexts? How can technology interact gracefully with messy human realities? Our research fits broadly within five mutually-supporting themes: Secure systems and technology; Verification and assurance; Operational risk and analytics; Identity, behaviour and ethics; National and international security and governance; and a cross-cutting theme, weaving through the others: Human aspects of cyber security.