House of cards? [8 Trends]
Doing business in the age of cyber-crime
Cyber security continues to be a hot topic, with attacks on businesses and governments becoming a daily occurrence. The huge fines proposed by the EU’s General Data Protection Regulation (GDPR) and attacks on digital infrastructure ensure that cyber-crime persists as headline news. With this topic attracting ever more discussion, what preventive measures should executive leaders consider?
Exercising due cyber diligence
As we enter the era of big data, we also enter the era of big hacks. By even conservative estimates, the cost of cyber-crime is expected to more than double over the next few years. The long-term reputational costs of falling victim to an attack are harder to measure, but just as critical.
The predicted explosion in interconnected devices (the Internet of Things) will leave companies and their networks more exposed than ever.
The key questions are applicable across all sectors, creating a useful checklist for M&A transactions:
- What information is key to revenue?
- How is information collected and stored?
- How is it protected?
- What is the company’s cyber risk profile?
- Has the company been hacked before and how did it respond?
Cloud computing is not the answer
Michael Reed, Technical Lead for PageGroup, explains that using external, cloud-based solutions for IT operations does not protect businesses from data breaches or relieve them of their responsibility to protect data.
He notes, “Many companies now use outsourced and cloud-based services to manage large parts of their IT operations. This does not diminish their responsibilities to ensure data is protected and secured from misuse or breaches, nor does it allow local regulations to be bypassed by storing data in overseas locations.”
The Uber hack is a stand-out example here. In a headline-grabbing data loss, 54 million people were affected when attackers were able to access information held on cloud-based Amazon Web Services. The issue was compounded by Uber’s payment of 86,000 euros in hush money to the criminals.
Who has responsibility for cyber security?
Information technology has often been seen as the domain of the CFO, mostly because it has often been regarded as a capital outlay to be justified. But which senior leader(s) should take overall responsibility when it comes to cyber security? Where does the buck stop?
There is no doubt that responsibility lies with the senior management team, with the CFO often taking the lead on cyber security from an enterprise risk management perspective, allowing the deployment of tried and tested frameworks, processes and strategies to protect the company.
However, at PageGroup, we have observed that some client companies are taking a different approach. As Louis Botha, Director of Information Security for PageGroup, explains, simply having defences in place is not enough. The issue is highly complex, as threats change rapidly and emerge from multiple sources.
He comments, “Recent ransomware attacks have crippled several large, well-defended multinational firms, which begs the question whether the CFO is close enough to this topic to fully understand the complexities involved. The result is that we are seeing the emergence of the board-level chief information security officer (CISO) role, bridging the gap of understanding between the business and technology and holding the company leadership to account.”
Companies are increasingly aware of the need to set up a dedicated security team with the essential knowledge and skills to combat the risk posed by cyber-crime. As noted, defence is not enough: the team needs to adopt a proactive approach, ensuring that they are well versed in intrusion prevention and detection. They must be positively fanatical about rooting out flaws and vulnerabilities in the IT infrastructure.
PageGroup’s Michael Reed adds, “The use of regular security penetration tests by external companies to check for vulnerabilities is also particularly useful, as they are closer to new and evolving exploits or risks.”
As cyber security is a company-wide issue, user behaviour also must come under scrutiny. Senior managers must heighten their employees’ awareness of risk, underscoring the importance of strong passwords and training them to engage only with emails and attachments from verified senders.
Recovery plans key to survival
As our lives and businesses move deeper into the digital world, more of our data becomes valuable. Nation states, often with extremely large budgets, are increasingly using cyber warfare to augment their traditional offensive strategies and modern businesses can be caught in the crossfire.
A cyber-attack is no longer a question of if, but when, and organisations need a plan and playbook in case the measures outlined above fail to prevent the unthinkable.
Recovery for an organisation after a cyber-attack could be as simple as restoring data from a server and rebooting company websites, or it could be a complex rebuilding of key IT systems and painstaking regeneration of lost business data, which could take months.
The American National Institute of Standards and Technology (NIST) recently published a ‘Guide for Cybersecurity Event Recovery’, giving suggestions for the recovery playbook. The guide recommends maintaining an up-to-date list of the key people in the organisation who know the systems your business needs to run; documenting and understanding the key data for your organisation; identifying who will recover this data; defining the overall plan, including communications efforts; and monitoring all your assets during the process.
The GDPR raises the stakes
Let’s not forget that the GDPR is set to raise the stakes for all businesses and organisations, wherever they are based, holding data on EU citizens and residents. It brings an expanded definition of what counts as ‘personal data’ and swingeing penalties for non-compliance and breaches, with fines for the most serious infringements of up to 4% of annual global turnover or €20 million, whichever is greater.
Clearly, today as never before, data security is not an issue that can be left on the back-burner or delegated to junior teams. Senior leaders need to take ownership.
- Senior leaders must lead by example, modelling best practice and providing employee training on cyber security
- Cyber-attacks hugely impact share price if not well handled
- Long-term reputational damage is another likely consequence
- Plan for the worst by creating a cyber-attack recovery playbook to ensure company trading continues
- The stringent requirements of the GDPR put data security squarely on the corporate agenda
We hope you enjoyed reading this article, which is part of our Executive Trends series, where we explore the biggest challenges facing senior business leaders and executives today. The series is already in its third edition, and all previous articles are available.