Possibility
Explore our work: what we do, how we do it, and the value we create for our clients.
Impact
Culture
Possibility
Explore our work: what we do, how we do it, and the value we create for our clients.
Global Shifts
Empowered consumers
Healthier humans
Future organisations
Business for better
Safer societies
Sustainable world
Industries
Consumer and manufacturing
Defence and security
Energy and utilities
Financial services
Government and public sector
Health
Life sciences
Transport
Services
Set growth strategy
Build brands, products, and services
Reimagine AI, digital, and data
Improve organisational performance
Deliver complex programmes
Empower your people
Impact
Culture
In the media

Don’t play cyber roulette with your business

Financial Times

02 June 2011

Tags

"Cyber security has risen up the corporate agenda, with growing concerns about threats ranging from industrial espionage and theft to the need to assure customer confidence in the data businesses hold."
NICK  CHAFFEY, HEAD OF PA'S DEFENCE,
SECURITY AND RESILIENCE CONSULTING

Nick Chaffey
Financial Times
2 June 2011

 

The recent attack on Sony's PlayStation Network is just the latest example of the damage a cyber attack can cause to a company’s reputation and, in Sony’s case, the potential liability it creates of claims for compensation from aggrieved customers.  

Although they are not generally widely publicised, the reality is that events like these have become increasingly common. As a result, cyber security has risen up the corporate agenda, with growing concerns about threats ranging from industrial espionage and theft to the need to assure customer confidence in the data businesses hold.

Those threats are growing. The UK government has recently highlighted the cyber threat as one of the top four security risks facing the country and the Office of Cyber Security and Information Assurance (OCSIA) has estimated the cost of cyber crime to the UK economy at more than £25bn ($41bn) a year.

Yet few company executives and even fewer leadership teams have a good understanding of the breadth of the issues they now face, or have a strategy in place to deal with them. In a recent Harvey Nash/PA Consulting Group survey of chief information officers, only 37 per cent felt they were “very well positioned” to deal with a cyber attack, and only 28 per cent were confident they could identify and deal with an IT security or data misuse incident originating from their employees.

One of the reasons for this lack of readiness is that many executives are working to outdated concepts of information management and security and have failed to keep up with the multiple shifts in the information environment in which they operate.

These include a fundamental change in where the value of a company lies. In the last 20 years this has shifted dramatically from physical assets to intellectual capital, with Ocean Tomo Intellectual Capital Equity recently estimating that more than 80 per cent of the value of S&P 500 companies lies in intangibles.

Executives are also having to deal with developments in information technology that make it much easier to access and transport huge quantities of intellectual property and data. WikiLeaks was able to gather more than 1.2m documents in its first year alone, and in the last three years, there have been more than 50 prosecutions in the US relating to the passing of classified information, sensitive technology or trade secrets to China.

At the same time, society and the media are increasingly holding two contradictory views of corporate data security. They are encouraging leaks through an increasing number of “public transparency” websites and initiatives (such as WikiLeaks, OpenLeaks, TradeLeaks, SafeHouse and the Al Jazeera Transparency Unit). Yet, they are also becoming more critical of those organisations that have data losses. Such attitudes increase both the probability and impact of any breaches of corporate information security.

These shifts are further complicated by the fact that the professionals who have historically managed these risks have focused on technology and technical solutions. However, this is only one part of the picture and by no means a complete one. For example, speculation suggests that the Sony data breach was at least in part supported by an insider, underlining that safeguards against malicious activity by members of staff are as important as technical defences.

Responding to such threats effectively within today’s changing environment means understanding the business’s key assets, such as the intellectual property, that underpin core products and services or its financial or trading systems. It then requires a careful analysis of the risks to those assets, including reputational damage.

By undertaking such a comprehensive and fundamental re-examination of their assets and the risks to them, businesses will gain a broader understanding of what they need to do to tackle not just the information technology challenges, but also critically the people, the physical environment and information handling issues as a whole.

Many of the actions required to defend against cyber attack are basic ones, yet surprisingly many businesses have not taken these relatively simple steps to protect themselves. They do not have appropriate HR policies and practices; effective employee identity management; basic IT management arrangements (such as anti-virus and patching) and effective physical security and access control.

Once this basic protection is in place, the focus for investment can then move to protecting key business assets from direct threat, such as malign or socially engineered insiders. In this respect, implementing appropriate controls, together with effective monitoring that brings together information from across the organisation, provide a high degree of proactive protection.

Dynamic defensive measures will not only help protect the business, but can serve as a key differentiator, especially in markets where trust and the protection of key assets are critical. Designing resilience into every aspect of systems and process will ensure business as usual can continue.

Underpinning all this work needs to be recognition that achieving 100 per cent security is expensive, impractical and virtually impossible. However, by getting these basics right and identifying and addressing the key issues specific to a particular business, companies can move the odds of maintaining effective defences a long way in their favour.

Most importantly, achieving effective security does not need to be at the expense of conducting business and indeed, it can add value in its own right.

Nick Chaffey is head of defence, security and resilience consulting, PA Consulting Group

For a copy of PA’s paper, “Tackling the challenges of cyber security’”, please send an email or contact us now. 

Explore more

Press release

PA Consulting - Bringing Ingenuity to Life

We're proud to announce the publication of ‘Ingenuity Review 23’.
London Big Ben and traffic on Westminster Bridge
Press release

PA Consulting comments on the Spring Budget

Heading towards a General Election, our experts share their thoughts on the UK Chancellor’s announcements.
London Big Ben and traffic on Westminster Bridge
Commuters walking.
Press release

Barbara Visser appointed Partner for Public Services at PA Consulting

We’re pleased to welcome Barbara Visser to our Public Sector team in the Netherlands.
Commuters walking.
Woman at laptop.
In the media

It's time to take a modern approach to password management

PA Consulting's Raul Zeppenfeldt Molina urges organisations to take a modern approach to password management as we move towards an ever more passwordless future.
Woman at laptop.

Contact the team

We look forward to hearing from you.
Get in touch

Get actionable insight straight to your inbox via our monthly newsletter.