Cyber security enters the boardroom

David Begg welcomes a healthy new respect for the importance of cyber security to enterprise success – or failure

We’ve been seeing a change in attitudes to information security recently; it’s no longer the poor relation. The focus is coming around increasingly to it being about business success, rather than technical failure.

At a recent conference, I heard one of the speakers observe that business executives are beginning to recognise the need for information security, but not for the reasons we security professionals would expect. Many are now seeing it as giving their business an edge, a demonstrable difference in their marketplaces that goes beyond merely mitigating risk.

This view is backed at the macro level by the Federal Government’s 2016 Cyber Security Strategy: “Getting cyber security right will mean we capture more of the opportunities the connected world offers. It will also make Australia a preferred place to do business. This in turn will boost our national prosperity.”

The business is paying more attention

A Cisco survey of finance and line-of-business executives in the in late 2015 underlines these changing attitudes. Nearly half (48%) said they were very concerned about cyber security breaches. The level of concern is on the rise: 41% said they were much more concerned about security breaches than they were three years ago.

When asked the nature of their concerns, the top three were:

  • 32% Inability of cyber security policy to keep up with pace of business change
  • 27% Lack of the right metrics to determine cyber security effectiveness
  • 26% Insufficient investment in cyber security

Critically, 92% of the business leaders surveyed expect investors and regulators to ask tougher questions about their security processes and risk exposure in the future.

A decade or more ago, studies showed that many organisations that suffered a major security breach didn’t survive, or simply never recovered their previous market share. Business executives are now beginning to believe it, facing up to the essential truths my colleague Dave Jarvis describes in The 3 realities of ICT security all senior executives must accept: your enterprise is connected, its security will be hacked – and you may not know when it happens!

The cyber security scene has changed too

The nature of hackers has changed in the last decade. The greatest danger is no longer from kids out for bragging rights to impress their peers. Hacking is now conducted on a massive commercial scale for financial gain. The timing of suspicious activity is a giveaway; instead of occurring at night, weekends or school holidays, it’s now happening during business hours, presumably by paid employees.

Some of those employees are paid by their government; it’s now accepted that foreign powers seek to gain advantage or inflict damage by stealing the information assets of public and commercial enterprises in other countries.

Data is increasingly ‘kidnapped’, either by targeted attacks or by the use of ransomware, which encrypts user data and makes users pay for the key to decrypt it. Symantec’s 2016 Internet Security Threat Report revealed that Australia was the top target for ransomware in the Southern Hemisphere in 2015, with average attacks per day increasing 141% over 2014. Our colleagues at CSC in Germany explain how it affects government and other organisations in a worrying new blog, When the cryptolocker strikes: Reasons for ransomware success and ways to prevent. As they observe, ransomware can come via any networked device – just at the time the Internet of Things is gaining traction.

Cyber security must also now extend beyond your own enterprise systems. As I’ve previously written, the most critical recent upgrades to the international information security standard, ISO 27001, concerned supplier relationships. You may not be a soft target, but the organisations you exchange data with could well be – potentially making you a victim of data breach via their systems.

Turn cyber security from cost to competitive advantage

Cyber security can hit an enterprise where it hurts most, in the back pocket. An Australian manufacturer had a contract for the supply of metal detectors to the Department of Defence. When units came in for repair that the company hadn’t manufactured, it realised that its innovative product design had been stolen and was being manufactured in China then sold primarily across Africa. The leak was tracked back to the hack of an employee’s laptop while using a wifi link in a hotel in China. The company’s net profit fell from $45M in 2013, to $9.2M in 2014 – but it will never know the number of deals it will lose to similar but cheaper counterfeit devices or customers it will never have as a result of the breach.

Theft of customer information damages brand, which also affects revenue. Pretty soon, the Australian government will get around to legislating mandatory reporting of data breaches – originally scheduled to accompany the Privacy Act amendments in 2013, but delayed due to the federal election. The sheer effort of recovering from a data breach can be massively costly, whether it involves paying ransom, employee downtime and lack of focus on BAU, or bringing in expensive external consultants to plug cyberleaks, perform forensics or advise on public relations.

Why not turn that about and make cyber security a competitive advantage? By that, I don’t mean boasting that you’re unassailable – no-one is, and there are enough kiddies still out there who’d love to prove you wrong! It’s no longer a case of just throwing another firewall at the problem… But you can quietly go about putting your customers and business partners at ease by strengthening your security framework and policies.

Seeing information security as an increasingly valuable customer proposition in the digital age – rather than an ever-widening cost drain – could help you keep ahead of your competitors, as well as the hackers.

About the Author

David Begg is NSW Regional Manager for UXC Saltbush. An experienced Information Security Specialist with over 18 years in the IT industry, he previously held senior roles with NSW ServiceFirst and Ernst & Young before joining Saltbush in 2010. He specialises in the development of information security frameworks and policies, ISO 27001 certification and keeping senior management abreast of security issues.