Organisations ignore the threat of cyber attack at their peril, experts tell UK’s top risk managers
In February a meeting of the StrategicRISK 100, a group of the UK’s top risk management minds, was called to discuss the key cyber risk management challenges. The meeting itself was by invitation only and off the record.
The broad topic of cyber risk coalesced around three key issues.
• Data security: Securing customer information, which is increasingly captured and stored electronically, is a key risk management concern for large companies. Many companies are grappling with protecting their private data from prying eyes.
• Cyber espionage: The risk of cyber spying is becoming increasingly clear, whether the aggressors are state sponsored or just industry competition, the results, in the form of lost intellectual property or strategic secrets, can be devastating.
• Social media: Facebook, YouTube and Twitter are perhaps the most popular social media channels and all played a role in the Arab Spring uprisings, demonstrating the power and influence these new platforms wield. In the hands of disgruntled employees, crusader consumers or ‘hacktivist’ groups, social media can be a brand and reputation-destroying weapon.
It was also acknowledged that companies are extremely vulnerable to cyber attacks - malicious assaults aimed at stealing information or simply damaging a company’s brand. Backing this up, cyber attack was recognised as a Tier One threat in the UK’s National Security Strategy and the UK government allocated another €775m to improve cyber security in an otherwise austere budgetary environment as part of the Strategic Defence and Security Review. One of the most significant cyber threats is to enterprise-held intellectual property. Extremely valuable and vulnerable, intellectual property is easily stolen from electronic systems, often without the theft being noticed.
Despite the scale of the problem, SR100 members agreed that companies could broadly be split into three main categories; those who know they have been attacked, those who don’t know and those who know but don’t care.
If a company loses some intellectual property and the story isn’t leaked, it’s unlikely to have much of an immediate impact on either profits or share price. For that reason it’s easy enough for senior managers to ignore it. After all, why should they spend tens of thousands upgrading their security if they have little to show for it? But, as the SR100 conceded, this is probably not the best attitude to take, considering that five years down the line the victim could easily begin to lose its competitive edge if a competitor has that information.
Issues like this are exactly why risk managers, acting as the living conscience of their businesses, need to raise awareness about the importance of cyber risks.
Intellectual property thefts are far more prevalent than many organisations think. For example, in 2011 an unprecedented cyber espionage campaign, dubbed Operation Shady RAT, was uncovered by McAfee. For at least five years, this high-level hacking campaign infiltrated computer systems of national governments, global corporations, non-profit bodies and other organisations, with more than 70 victims in 14 countries.
The SR100 also debated possible solutions to some of these problems. One of the key subject matter experts on hand to help facilitate the discussion was John Dowdy, head of defence and security at McKinsey & Co. He said: “To protect themselves, companies need to get serious about cyber security. That needs to start with a ‘business-back’ approach - understanding key online business assets, and how to protect them.” He recommended a defence in depth approach. Rather than defeating attackers with a single, strong defensive line, defence in depth relied on the tendency of an attack to lose momentum over time.
Companies commonly don’t understand what type of attack they could be facing. They are also sometimes bad at prioritising the business assets that they need to protect. With this in mind, Dowdy recommended four simple “baby steps” that companies can take to protect themselves.
1 Create a ‘business-back’ cyber security strategy
Align your security strategy, policies and operations with the biggest business risks.
2 Understand how you stack up
Benchmark your organisation against your peers.
3 Optimise your investment to get the maximum business impact
Align your security investments and roadmap with business needs. There may be a trade-off between security and the commercial realities of doing business.
4 Run simulations
Conduct cross-functional simulations with senior executives to improve your business’s response to attack.