Innovation in business has merged people, process and technology in today’s workplace. We store, process and share more information than ever before. As such, most, if not all, business assets are stored digitally. Centralisation of information undoubtedly provides significant commercial advantage. Yet, this evolution in the IT landscape has also created a new cyber threat, based on the old fashioned criminal principles of theft, espionage, blackmail and fraud. This threat has been intensified by the commercial use of mobile technology, given that there is a growing trend for apps to be rushed to market without due consideration of security requirements.
Over the last decade, the “cyber security” issue has featured on board meeting agendas industry- wide. History has told us that no organisation is immune. The impact of compromised data can be serious and costly. Reported cyber security incidents have increased by 48% since 2013, reaching a total of 42.8 million incidents in 2015 so far (PWC Global State of Information Security Survey, 2015). With cyberspace global and seemingly boundless, causes are diverse and impacts are multifaceted. The cyber-criminal marketplace is becoming increasingly professionalised and vulnerable to exploitation.
Sweden and UK under attack
Data breaches in US and UK based companies are increasing, with the misuse of data from IT networks, CRM systems and third party cloud storage widespread. But the cyber threat landscape spans across all nations and is felt by organisations of all sizes.
The impact of an online data breach can be seen in UK airline operator, British Airways (BA) in March 2015 and Swedish telecommunications giant, Telia, in December 2014. Confidential information from BA’s Executive Members was compromised when passengers noticed changes to their online account details and credit withdrawals from their frequent flyer points. The automated hack, scanning the airline’s database for vulnerability, accessed millions of customers’ data, forcing the airline to freeze online access to control the breach.
Similarly, the unforeseen disruption at Telia saw over five million Swedes unable to access internet and telephone services. When the company’s IT systems were breached, the operator shut down all customer access, with no anticipated time for service to return to normal. Whilst both breaches amount to cyber criminality, both organisations overlooked the value of the networks storing public data. As the cyber-criminal marketplace becomes increasingly more accessible, consumers are demanding sophisticated protection.
A reality now exists where data processed by our IT systems is constantly at risk.
We must see beyond the complexity of the threat and – for that matter – the technology jargon. Businesses need to treat the uncertainty it causes as they would all types of business risk, irrespective of the source or how they were being caused.
Classic Risk Management
In a globalised world characterised by rapid change, a consistent and cohesive approach to risk management is an integral part of an organisation’s management culture. Managing risk proactively helps businesses to satisfy their internal polices, external regulatory requirements, fulfil corporate responsibilities and inspire market confidence. A mature approach enhances business performance, enabling risk-aware decision-making and astute risk mitigation.
However, risk management is no longer departmentalised into single business functions; financial, strategic, environmental or safety risks. It has become a holistic process which incorporates all types of risk, enterprise-wide. As such, managing your cyber security must be incorporated across your existing risk management model. This should be implemented into the process of identification, analysis, evaluation and mitigation, alongside all enterprise-wide risks.
Cyber risk can originate in all business functions, e.g. from your IT Department’s failure to apply regular patching through to weak passwords on a cloud-based CRM system or inappropriate email content penetrating employees’ inboxes.
In terms of applying risk management to the digital age, the assessment of likelihood differs. It is not “if” the risk occurs, but “when”. As a US FBI Director said in late 2014, there are those that have been hacked and those that don’t know they’ve been hacked. Cyber-criminals can have access to a company’s networks for months before an IT Department detects irregular network behaviour.
A People-Centric Approach
Recent failures in managing cyber risk have resulted from an approach that relies exclusively on technology solutions deployed by an IT Department. High-profile breaches (e.g. Staysure, Target, JP Morgan) demonstrate an entirely technology-centric strategy is insufficient. The “insider threat” remains largely ignored. Yet, the PWC Global State Survey 2015 found that organisations perceived the most likely source of security incidents to be current employees (35%).
The onus is on board members and senior management to cultivate a diligent culture and lead by example in terms of routine data handling behaviour. Staff should understand the value of digital assets, the need to handle data securely and be equipped with the right tools and knowledge in order to do so. Campaigns designed to improve driving safety promote safe conduct across a range of behaviours e.g. speeding, drink driving, wearing a seatbelt, texting while driving, etc. Enterprise-wide campaigns similarly need to address the specific cyber conduct that present the highest risk to the business. Staff should then be influenced and motivated to change data handling habits and behaviour.
Failure to cultivate a cognizant attitude will continually thwart an organisations ability to manage risk detection, prevention, response and recovery.
The cyber risk management focus must now be people-centric. Organisations should incorporate risk averse behaviour in each business unit: sales, operations, production sites, finance, HR, etc. Effectively, wherever information is stored in your organisation; financial files, confidential correspondence and stored client data, the threat must be anticipated and proactively managed. Supporting technology is of course necessary, but not sufficient. The heart of appropriate risk mitigation actions are your people.
In the aftermath of the cyber-attack on Sony Pictures Entertainment in November 2014, costing the company over $15 million, CEO Michael Lynton attributed the extensive impact to the vast amount of data routinely stored on the Sony network. His statement “the more you have up there, the more vulnerable you are”, reflects the need to use existing capability to educate, equip and influence employees to handle data with care.
Criminals, spies, fraudsters, thieves and burglars have always existed. The vast, boundless nature of cyberspace has created a new, unregulated platform and an environment that can be exploited.
Yet, the techniques to manage them are those that have always existed – determine how valuable your assets are, consider the level of protection required and enable your people, process and technology to work together to ensure that you are safe and secure.
Ten Questions to ask your business:
1. What is the ‘tone at the top’ in relation to information management and maintaining a secure IT environment?
2. What valuable information does your company store in online databases?
3. What is your company’s risk management process in relation to cyber security? Are employees aware of it?
4. What protection is undertaken to secure computers, network, email and work devices?
5. How often are your website, servers and networks rigorously tested against attacks?
6. What level of access does each employee have to the network and critical data? How is this monitored?
7. Are employees aware of the consequences of a data breach to the business as a whole: financial results, client relationships and reputation?
8. Has your organisation suffered a breach before? How did it react?
9. Are employees directly involved in the solutions and initiatives to improve cyber security?
10. Is cyber security training an ongoing event, supported by frequent feedback and awareness campaigns?
Words: Daisy Balding, Analyst at 4C Strategies
To hear more about Cyber Security, learn about the possible threats, as well as gain insight into what companies should do to protect their brands, business, and reputation with today's technolog, join the Chamber on 22 October at Collyer Bristow LLP.