Operating securely in the cyber environment is among the most urgent issues facing business and government leaders today. William Beer looks at what needs to be considered when taking activities online.
Far from being a barrier to participating in the cyber world, effective security is a critical enabler for any organisation seeking to realise the benefits of taking activities online. Achieving this requires two assets: an understanding of online operating and business models; and an ability to protect and support those business models.
Today, more and more organisations in all sectors are seizing the opportunities created by the Internet. In PwC’s view, the only way to do this securely and sustainably is by ensuring that cyber awareness and responsiveness are infused into every employee, every decision and every interaction. It’s time for CEOs to make this happen.
Who’s at risk?
In June 2011, Nintendo joined fellow online games company Sony and US-based defence contractor Lockheed Martin in confirming that it was among the latest targets of cyber attacks. The announcement came just days after the UK’s chancellor, George Osborne, told an international conference that British government computers are now on the receiving end of over 20,000 malicious email attacks every month. The message is clear: No organisation in any sector is safe - and the threat is growing.
Nobody can say the world had not been warned. In January 2011 the World Economic Forum (WEF) named cyber attacks as one of the top five threats facing the world - alongside planetary risks posed by demographics, scarcity of resources, concerns over globalisation, and weapons of mass destruction. Far from suggesting that fears over cyber threats may be over-hyped, the WEF highlighted the danger that they were actually being underestimated.
The growing threat reflects the explosion of online services in all sectors. Across the world, more and more private and public sector organisations are capitalising on web, mobile and social media platforms to improve their performance and serve customers more effectively. Online interactions bring a blend of four key benefits: lower costs to serve, higher speed to market, greater customer loyalty, and - in the case of the private sector - the potential for higher revenue growth.
These benefits are causing the cyber revolution to gain momentum at breathtaking speed. For example, we estimate 115 million Europeans will be using mobile banking services by 2015.
The darker side
As the use of online services increases, so do the scale and sophistication of cyber attacks. Targets range from countries’ critical national infrastructure and the global financial system, to less obvious targets such as mining companies.
One of the most alarming attacks was the Stuxnet computer virus that emerged in mid-2010. This malicious software (malware) program was created with the aim of sabotaging Iran’s nuclear programme, by increasing the speed of uranium centrifuges to breaking-point and simultaneously shutting off safety monitoring systems. Commercial cybercriminals are mounting equally sophisticated attacks. Such examples underline how opportunities and risks in the cyber world have risen to a new level.
Organisations need to overcome a number of entrenched barriers if they are to defend themselves effectively against increasingly sophisticated attacks. Four are especially prevalent:
- A need for new skills and insights: To use a military analogy, the migration to cyber is as disruptive as moving from horses to tanks. In today’s world, a fifteen year-old hacker might have a better understanding of security risks than a seasoned leader. The people engaged in securing cyberspace need to keep raising their game faster than the attackers.
- Integrating security into the business: Cyber security used to be pigeonholed as an IT issue, creating a communications gap between business managers and security professionals. Awareness is now growing that cyber security is not only a technical issue, but a core business imperative.
- Consistent, aligned and connected responses at every level of the organisation: Traditional organisational structures tend to be too slow and rigid to enable the speed and flexibility of response needed in the cyber world. Faced with attackers who move quickly and unpredictably, organisations need to be able to move information and decisions up, down and across their structures fast and flexibly.
- Creating a cyber-risk aware culture: A cyber attack can gain entry via any node on an organisation’s network – including a third-party supplier, customer or business partner. This means that everyone involved in the organisation’s cyberlinked activities shares direct responsibility for security, and that awareness of cyber risks needs to be an integral part of every decision and action. Yet we are in an era when many younger employees access social networks in the workplace, and when organisational cultures can change rapidly.
How aware are your people of cyber risk?
Our research suggests that the challenges of creating and embedding a cyber-risk aware culture, and of ensuring aligned responses at all levels, are increased by a relative lack of awareness of cyber risks lower down the organisation. In our information security forum quick poll, only 29% said people at all levels of their organisations were aware of cyber risks. Even more worryingly, 14% of respondents said that nobody at any level was aware of these risks.
Six steps to ‘cyber-ready’
- Clarify roles and responsibilities from the top down
We believe that leadership by a CEO who truly understands the risks and opportunities of the cyber world will be a defining characteristic of those organisations that realise the benefits and manage the risks most effectively.
- Reassess the security function’s fitness
The IT security function needs to focus on upgrading or transforming the existing capabilities to deal with cyber risks. This means building on the existing base to ensure that the organisation’s responses to its security needs fully encompass cyber security.
- Achieve 360° awareness of the situation
To align the security function and priorities as closely as possible with the realities of the cyber world, the organisation needs a clear understanding of its current and emerging cyber environment. This awareness is a prerequisite for well-informed and prioritised decisions on cyber security actions and processes.
- Create a cyber incident response team
The speed and unpredictability of cyber threats mean that the incident response team may need to be adapted and streamline to enable information, intelligence and decisions to flow more quickly up, down and across the business, from board level to IT and business operations, and sometimes to and from other organisations.
- Nurture and share skills
Invest in cyber skills. Many companies are experiencing difficulty recruiting people with the cyber security skills they need. Yet most companies plan to create more jobs in cyber security in the next few years.
- Take an active and transparent stance towards threats
The unpredictable and high-profile nature of cyber threats tends to engender a defensive mindset. But cyber-savvy organisations are adopting a more active stance towards attackers, pursuing them through legal means, and communicating more publicly about their cyber threats, incidents and responses.
William Beer is a director in Information and Cyber Security and a member of the Governance, Risk and Compliance team at PwC