Last week, members of our cybersecurity team met with the City of London Police to discuss Cyber Griffin – their recent initiative designed to help the Square Mile protect itself against cyber-crime.

Using simulation games pioneered by the Metropolitan Police (think algorithms meet Lego), we explored the impact that different board-led cybersecurity strategies can have on a business.

Of all the things we discussed with the City of London Police, four issues really chimed with some of the work we’ve been doing for clients recently:

  1. Cyber-attacks are enterprise-wide risks, not just ‘IT risks’. This fact alone means that a board has to have sufficient understanding of the unique cyber-risks that its organisation faces, in order to inform its risk appetite and effectively mitigate the threats.
  2. An organisation’s employees can be both its biggest security risk and its biggest security asset. In this respect, education of staff is critical to robust cybersecurity.
  3. Spending time preparing an effective decision-making log before an incident occurs will often pay dividends in the midst of an attack.
  4. Knowing when to involve authorities such as the police or the NCSC during the response to a cyber-incident can make a huge difference to the outcome of an attack.