After a successful SR100 event exploring cyber risks in depth, StrategicRISK asks John Dowdy, head of defence & security at McKinsey & Co, what measures companies should be taking to defend themselves.

Cyber risk

How vulnerable do you think companies in the UK are to cyber espionage (whether that’s from their competitors or foreign states)? What measures can they take to defend against it?

Companies are extremely vulnerable to cyber attacks. Our assessment of value at risk relative to existing protection shows that the most significant cyber threat is to enterprise held intellectual property. IP is both extremely valuable and vulnerable. It is easily stolen from electronic systems, often without the theft even being noticed.

These thefts are far more prevalent than you might think. Operation Shady RAT – discovered by McAfee in 2011 – revealed a breach of over 70 major organisations, spanning businesses in multiple sectors including satellites, electronics, natural gas and real estate. This attack spanned more than 5 years. This was not an isolated event. One senior government official remarked that there were literally hundreds of such attacks, of this scale and larger.

To protect themselves, companies need to get serious about cyber security. That needs to start with a business-back approach – understanding key online business assets, and how to protect them.

In general, nation states understand the threat of espionage—they have to deal with it, particularly during times of war. So is there anything that the private sector can learn from the government on cyber security? In particular on defending against cyber threats (especially cyber espionage)?

“Secure government” is one of the most sophisticated players in the world of cyber defence. Government entities are constantly under cyber attack, and are investing in building their defences. Cyber attack was recognised as a Tier One threat in the National Security Strategy, and the government allocated another £650m to cyber security in an otherwise austere budgetary environment as part of the Strategic Defence and Security Review.

The most important thing the private sector can learn from government is that this is a serious threat – it deserves a prominent position in company risk registers.

What are the key findings of McKinsey’s research initiative on cyber security?

One of the questions we have been intrigued by is how to go about measuring how individual companies stack up in terms of cyber security. We have created a Cyber Risk Maturity Survey (CRMS), which benchmarks companies against their peers, and across industry sectors.

Protecting private data is clearly a massive challenge for companies—particularly considering the fact that they are faced with increasingly sophisticated/precocious hackers. I’ve heard that some companies are even employing ex-hackers to bolster their defences. What can companies realistically do to defend against hacker groups (like Anonymous)?

Companies can do four things to protect themselves:

1. Create a “business-back” cyber security strategy. Align your security strategy, policies and operations with the biggest business risks.

2. Understand how you stack up. Benchmark your organization, for example, with the Cyber Risk Maturity Model.

3. Optimise. Align your security investments and roadmap with business needs. Rationalize spend to get maximum business impact.

4. War game it. Conduct cross-functional simulations with senior executives to improve business responses to attacks.

Where do most companies’ defences let them down? Where could they be doing more?

Our Cyber Risk Maturity Survey suggests that there are three areas where weaknesses are most common. First, ‘knowing the attackers you face.’ Companies often don’t know how to target their defences appropriately. Next, ‘prioritising the business assets you need to protect.’ Companies often don’t know what to protect first. Finally, ‘knowing how to value and trade off defence systems.’ One of our most interesting findings is that most companies don’t know if they are spending their money wisely on cyber defence.

Is there a trade-off between security and the commercial realities of doing business?

Managers in private enterprise almost always prioritize customer experience above cyber security. South Korea’s largest consumer-finance firm, Hyundai Capital Services Inc., learnt the importance of striking a balance here the hard way. Following a serious security breach, where hackers threatened to release stolen confidential data unless a ransom was paid, their CEO now recognises the full extent of the threat. “We are now slowing down the whole organization. How things look and how they work is now secondary. Security is now first.”

John Dowdy is head of defence & security at McKinsey & Co.