Don’t play cyber roulette with your business
"Cyber security has risen up the corporate agenda, with growing concerns about threats ranging from industrial espionage and theft to the need to assure customer confidence in the data businesses hold."
NICK CHAFFEY, HEAD OF PA'S DEFENCE,
SECURITY AND RESILIENCE CONSULTING
2 June 2011
The recent attack on Sony's PlayStation Network is just the latest example of the damage a cyber attack can cause to a company’s reputation and, in Sony’s case, the potential liability it creates of claims for compensation from aggrieved customers.
Although they are not generally widely publicised, the reality is that events like these have become increasingly common. As a result, cyber security has risen up the corporate agenda, with growing concerns about threats ranging from industrial espionage and theft to the need to assure customer confidence in the data businesses hold.
Those threats are growing. The UK government has recently highlighted the cyber threat as one of the top four security risks facing the country and the Office of Cyber Security and Information Assurance (OCSIA) has estimated the cost of cyber crime to the UK economy at more than £25bn ($41bn) a year.
Yet few company executives and even fewer leadership teams have a good understanding of the breadth of the issues they now face, or have a strategy in place to deal with them. In a recent Harvey Nash/PA Consulting Group survey of chief information officers, only 37 per cent felt they were “very well positioned” to deal with a cyber attack, and only 28 per cent were confident they could identify and deal with an IT security or data misuse incident originating from their employees.
One of the reasons for this lack of readiness is that many executives are working to outdated concepts of information management and security and have failed to keep up with the multiple shifts in the information environment in which they operate.
These include a fundamental change in where the value of a company lies. In the last 20 years this has shifted dramatically from physical assets to intellectual capital, with Ocean Tomo Intellectual Capital Equity recently estimating that more than 80 per cent of the value of S&P 500 companies lies in intangibles.
Executives are also having to deal with developments in information technology that make it much easier to access and transport huge quantities of intellectual property and data. WikiLeaks was able to gather more than 1.2m documents in its first year alone, and in the last three years, there have been more than 50 prosecutions in the US relating to the passing of classified information, sensitive technology or trade secrets to China.
At the same time, society and the media are increasingly holding two contradictory views of corporate data security. They are encouraging leaks through an increasing number of “public transparency” websites and initiatives (such as WikiLeaks, OpenLeaks, TradeLeaks, SafeHouse and the Al Jazeera Transparency Unit). Yet, they are also becoming more critical of those organisations that have data losses. Such attitudes increase both the probability and impact of any breaches of corporate information security.
These shifts are further complicated by the fact that the professionals who have historically managed these risks have focused on technology and technical solutions. However, this is only one part of the picture and by no means a complete one. For example, speculation suggests that the Sony data breach was at least in part supported by an insider, underlining that safeguards against malicious activity by members of staff are as important as technical defences.
Responding to such threats effectively within today’s changing environment means understanding the business’s key assets, such as the intellectual property, that underpin core products and services or its financial or trading systems. It then requires a careful analysis of the risks to those assets, including reputational damage.
By undertaking such a comprehensive and fundamental re-examination of their assets and the risks to them, businesses will gain a broader understanding of what they need to do to tackle not just the information technology challenges, but also critically the people, the physical environment and information handling issues as a whole.
Many of the actions required to defend against cyber attack are basic ones, yet surprisingly many businesses have not taken these relatively simple steps to protect themselves. They do not have appropriate HR policies and practices; effective employee identity management; basic IT management arrangements (such as anti-virus and patching) and effective physical security and access control.
Once this basic protection is in place, the focus for investment can then move to protecting key business assets from direct threat, such as malign or socially engineered insiders. In this respect, implementing appropriate controls, together with effective monitoring that brings together information from across the organisation, provide a high degree of proactive protection.
Dynamic defensive measures will not only help protect the business, but can serve as a key differentiator, especially in markets where trust and the protection of key assets are critical. Designing resilience into every aspect of systems and process will ensure business as usual can continue.
Underpinning all this work needs to be recognition that achieving 100 per cent security is expensive, impractical and virtually impossible. However, by getting these basics right and identifying and addressing the key issues specific to a particular business, companies can move the odds of maintaining effective defences a long way in their favour.
Most importantly, achieving effective security does not need to be at the expense of conducting business and indeed, it can add value in its own right.
Nick Chaffey is head of defence, security and resilience consulting, PA Consulting Group