Boards and the War on Cyber Crime

Businesses are proving to be rich pickings for cyber criminals and boards need to fight back. Whether it’s loss of money, breaches of customer data or highly targeted theft of intellectual property, the risk of attack is all too real and executive and non-executive teams need to ensure their cyber security makes the grade.

Andy Hague, former Operations Director of the ethical hacking division for advisory services group NCC, says: “My entire perspective changed after four years running the UK’s largest anti-cyber crime business… When you see the scale of stuff that actually goes on, it is quite alarming… but in many places there is still absolutely no concept that it even exists.”

The threat is substantial, with the cost of cyber crime in the UK reported to be around £27 billion a year (businesses are bearing an estimated £21 billion of the burden). Andy, who is now UK MD of HR services provider Croner, explains: “On a central server, we hold everyone on the employee payroll for a number of businesses… That is hugely valuable for anybody who wants to get their hands on it.”

Stephen Mohan, MD of Operational Services at financial services platform Cofunds, makes a similar point: “For about 800,000 to 900,000 customers, we have: name; date of birth; National Insurance number; address; bank account; possibly next of kin; and the details of all of their investments. This is a significant area of trust that we hold, and people need to have certainty that we will be looking after them.”

The repercussions of an attack are instantaneous. Paula Barrett, Head of Privacy and Information Law at law firm Eversheds, says: “It can be particularly galling to see all the time invested in building trust in your brand evaporate suddenly, almost overnight, through a security breach… Businesses are only just starting to realise the potential power of increased connectivity, and the risks associated with it… There’s still a huge amount of education needed.”

Security measures need to take into account the variety of attacks. Luke Wilde, CEO at TwentyFifty, a global management consultancy with a focus on human rights, explains: “Given the nature of the work that we do, the risk from our point of view would… most likely come from some form of government-sponsored espionage… [investigating] something about a country or a particular business we’re dealing with. That would be a breach of security and of our confidentiality to our client, and is a significant reputational risk to us.”

A global threat

It’s easy to be complacent about the dangers posed by hackers. Andy says: “You can’t touch or feel cyber crime, and the biggest issue is that for most people it is not real, it is not something that happens to you. But… you’re talking about thousands of attempted attacks on a weekly or monthly basis.”

Paul Brennan, Chairman of cloud storage provider OnApp, has mixed sympathies: “For every board director… simply saying: ‘I wasn’t aware of the risk,’ is not an excuse… [However,] technology is moving so quickly that it’s probably unreasonable to expect the average director… to be completely aware of the risks associated with cyber crime.”

In order to keep ahead of the criminals, chairmen and CEOs should consider bringing in specialist representatives who sit at the top of the organisation. Brian Stevenson, Non-executive Director at the Agricultural Bank of China, explains: “Even though many companies’ business models lie intimately in the delivery of technology solutions… you rarely have someone on the board who is accountable directly to the chief executive on technology security and delivery.

“[It’s about] having the right professionals from the right background, sitting around the board table. If you don’t have people with a technology background you won’t ever latch onto the issue.”

Arguably, it’s about raising the profile and reporting responsibilities of risk managers or creating a new role entirely. Andy says: “You need somebody who can ask: ‘Does anything that we’ve got have inherent value to somebody else?’ Everyone needs an individual to champion the security of the data that they hold on behalf of their clients… and I can genuinely see a position in five to 10 years where people will need a Chief Cyber Security Officer.”

Regulators certainly seem to think so. If proposed legislation is passed through the EU, such security champions will become mandatory in all but the smallest businesses, while every organisation would have to announce a data breach within 24 hours of a discovery, or face a hefty fine. Paula comments: “Compulsory breach reporting [already] occurs in the US… and as can be seen [there], the cost of dealing with any potential breach is likely to soar. Coupled with heavier penalties coming in, it will raise cyber security higher on the board agenda.”

Boards would do well to recognise that fines are not the only potential cost of a data security failure. Paula adds: “It’s about the negative impact on the brand and the share price… account or contract terminations, or lost business opportunities if you are seen to be a security risk by your customers.”

Andy Blundell, Chief Executive of outsourced customer marketing supplier, Communisis, says: “For marketing purposes, businesses take a huge interest in you as an individual. Having that data is good for the business and the customer, but as a business it takes you into an area that requires a huge amount of protection… We are very aware that we are protecting our clients, and trust is the ticket to the game in our industry.”

For all those speaking to Criticaleye, the unanimous view is that provided a plan is in place and it gets updated accordingly, the risks of attack can be controlled. Ian Ryder, Deputy Chief Executive for BCS, The Chartered Institute for IT, says: “Clearly, the IT function has the technical know-how to implement the solutions. They need to be the key ‘partner’ in the business to help identify where the weak spots in systems and processes exist… Cyber security is a specialist area – it must be treated as such.”

Another wise move would be prioritising specialist risk audits, led by a security specialist. Brian adds: “Audit committees take an intense interest in finding out what went wrong and making sure it doesn’t happen again. I would like to see a regular data security item on the agenda, to make sure that you are tackling the issue proactively, and not just waiting for something to go wrong. It is about preparation and testing; your audit committees are there to question people – are they doing the full remit of their job?”

That is a question every board must ask itself. The reality, as noted in a speech by MI5 Director General Jonathan Evans only last week, is that the threat is “astonishing”, and encompasses the security of not only your business but each and every one of your customers. Only by taking real expertise on board can businesses begin to safeguard themselves and their customers against this threat.

As Paul says, the one certainty is that “it’s a huge area, and it will cost the whole world a lot more money as time goes by”.

Please get in touch if you have any comments about the issues raised here.

I hope to see you soon

Matthew

www.twitter.com/criticaleyeuk