20 Mar 2014
You don’t have to say ‘Edward Snowden’ for CEOs to understand that people are the biggest risk to cyber security. Here, World Watch rounds up the most important things a business needs to know or do to protect itself.
There’s no doubt that digitisation is ripping open the market, creating new opportunities for companies that make the effort to keep up.
All of this is made possible by a tidal wave of data in a constant exchange between a growing number of parties.
But with the opportunity also comes the risk. It’s time for businesses to consider cyber security in all their activities. Here, World Watch rounds up the things that every business needs to know.
Cyber security is front of mind for stakeholders
According to PwC’s 2013 US survey ‘Through the investor lens: perspectives on risk and governance’, investors are particularly concerned about the risk of compromising customer data or privacy. With the increasing outsourcing of important business functions and the growth of supply chains and distribution channels comes increased third-party risk. The loss of intellectual property, private customer data or competitively sensitive data can erode public trust and damage reputation and profitability. Stakeholders want to know what the plan is for mitigating cyber risks and how the board oversees that plan.
Cyber breaches – ‘when’, not ‘if’
PwC’s recent Information Security Breaches Survey showed that 93% of large organisations [in the UK] reported a breach in the past year. What’s more, the average cost of the worst security breach for small organisations was between £35,000 and £65,000 and, for large organisations, between £450,000 and £850,000. According to the ICAEW’s report into cyber security and the audit, companies have to accept that their security is going to be compromised. The rise in end-user devices bolted on to corporate networks has led to a loss of control over devices and a mix of personal and business data that calls for a new mindset around security. Only once companies have accepted and understood the likelihood of a cyber attack can they begin to ‘war-game’ the level of breach that individual parts of the business can tolerate.
It’s up to the board and management to lead on the basics
The board and management are best placed to understand the company’s top risks, says a PwC paper on the boardroom agenda. Directors should press management to explain how they run their process for identifying and mitigating the most current risks. Management should also be able to explain to the board how it selects, manages and monitors third parties and their access to data. Crucially, the company should have a crisis management response plan. A culture of building confidence in an organisation’s security, led by the board and senior management, will help: organisations need to learn from breaches, challenge processes and encourage individuals to take personal responsibility for security.
People are the biggest risk
You don’t have to say ‘Edward Snowden’ for CEOs to understand that people are the biggest risk to cyber security. Most high-profile breaches can be linked to human error or carelessness. The ICAEW says that part of the solution is getting people to follow good practices by defining information ownership and responsibility, and hiring the right skillset to bridge the gap between security and the wider business.
Modern techniques of cyber attack can take advantage of careless or malicious activities by employees. Indeed, PwC’s recent Global Economic Crime Survey found that the proportion of frauds committed by staff (as opposed to those outside the organisation) has risen from 34% in 2011 to 41% in 2013. Cyber crime accounted for nearly a quarter of all reported frauds. The fear is that many organisations are not reporting cyber crime, either because they don’t know it has happened or because they want to keep it contained.
You can’t secure everything
Detailed controls might be effective, but they carry a cost too, in terms of execution, training and slowing down other business operations. Companies need to accept that they will be subject to a cyber attack at some point soon, but that doesn’t mean they have to play the victim. PwC encourages organisations to review their most important business assets and seek to protect their ‘crown jewels’.
Perhaps the most important part of the approach to cyber security is its specificity. Each company will want to protect particular assets or areas of activity, and a one-size-fits-all policy will not offer the level of protection the business needs either to prevent a breach or to remain agile in the face of one. Awareness-raising and basic good practices can go a long way, but intelligence and monitoring focused on those specifics will offer better coverage and ensure that emerging technologies and big data remain avenues for revenue and growth, rather than a dangerous fork in the road between safety and profitability.