Cyber hype and the boardroom bubble
There is rightly a certain amount of cynicism around the headlines about cyber threats – between wildly varying estimates of the billions which cyber crime costs businesses, and the perception that the attackers are either opportunistic individuals or even state sponsored aggressors (sometimes a combination of the two), cyber has often been seen as an issue for the government and the ‘techies’ to worry about.
Putting the imagery aside however, given the explosion of stories there has been an awakening: most businesses now recognise there is a threat – what they struggle with is knowing how big a problem it is for them and what they can then do about it.
Of course, there are still servers to protect, firewalls to maintain and malicious emails to be filtered, but given what’s at stake there’s a response needed from much higher up the organisation too. Pressure on Boards and Audit Committees is growing to pay attention to cyber as a business risk, rather than a technical one.
While the ‘cost of cyber crime’ may be a contested figure depending on whose research you read, the reality is that no CEO will want the news that the payments processing systems have been taken down, or customer details have been leaked online.
These are newsworthy stories: shareholders and customers tend to notice these things and uncomfortable questions are asked. Even more uncomfortable will be the questions following the discovery of a previously undetected breach – at one firm thought to have been going on for 10 years. And any business leader will understand that ten years is a long time to be losing business plans, research reports and employee emails.
The attackers for the most part are no longer the disenfranchised loners portrayed in films of the nineties: there is a new breed of organised ‘Hacktivists’. Alongside these collectives, whose motives vary, is the big business of organised crime. Online forums and chat rooms make getting on the first rung of the cyber crime ladder easy, and cross-border prosecution is often a complex and lengthy process involving international intelligence agencies.
So where does all this leave businesses? The big banks and defence sectors have understood for a while that attackers and their motivations have changed, but other sectors are only beginning to realise the potential for exposure as more and more businesses from every sector are ‘outed’ in the press as falling victim to hackers.
The guidance for businesses (mainly FTSE100) launched on 5th September is another step in the right direction. As well as telling the security teams what they should already know, it puts emphasis on CEOs, Boards and Audit Committees to take cyber seriously. They don’t need to become experts in firewall settings, but they do need to consider their organisation’s exposure, what they would do if an attacker were successful, and invest in security measures. The appropriateness of the investment is key: each firm’s investment should be balanced against its risk appetite, i.e. what it is willing to lose.
Cyber is one of the initiatives the World Economic Forum has chosen to focus on, having rated it as one of the top threats facing businesses in its annual risk report this year. Their project aims to work with CEOs to raise their awareness of cyber threats and includes guidance to set the tone from the top, in making their firms more cyber resilient. Deloitte are strategic advisors to the project and have been working alongside the Forum and businesses to develop the guidelines and practical pathways to support leaders.
These and other initiatives will hopefully get the message through to those at the top, that cyber is something which should be given serious consideration on their agenda.