BreachExchange mailing list archives

Cyber crime is a threat and British businesses can’t afford to ignore it


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 15 Jan 2016 09:09:34 -0700

http://www.standard.co.uk/business/anthony-hilton-cyber-crime-is-a-threat-and-british-businesses-can-t-afford-to-ignore-it-a3156291.html

When TalkTalk suffered a cyber-attack and loss of customer data last
October the mobile firm’s shares fell sharply.

The board subsequently put the cost of the attack and remedial measures at
no more than £35 million.

But the shares have never properly recovered. By the end of last year and
well before the recent stock market meltdown the company had seen its
market capitalisation down by about a third — a loss of value of some £750
million.

This share price fall cannot all be blamed on the cyber attack but it does
underline how such attacks can act as a catalyst for a host of negative
changes.

They cast a shadow over the competence of management; they raise doubts
about the adequacy of controls; they precipitate a host of reputational and
trust issues with the potential to do severe long-term damage.

With this lesson before them — and a string of other well publicised cases
— you might expect cyber security to be a matter of serious concern in
every major company boardroom.

The problem is certainly huge. When the Government conducted an examination
of the insurance issues around cyber crime, a study by Marsh — one of the
world’s largest insurance brokers — put the possible cost of a single cyber
attack at up to £20 billion.

In the same vein, the Centre for Economic and Business Research, in a study
it published last year, estimated that the annual cost of cyber crime to
British business was around £34 billion — slightly under half coming from
lost revenue and the balance from additional spending on defences and
making good.

Not for nothing has Stephen Catlin, one of the leading lights of the London
insurance market, warned that cyber crime is potentially the biggest
business risk he has experienced in more than 40 years.

And the threat grows: every year the Government publishes what is known as
the Information Security Breaches Survey, prepared for it by business
consultants PwC.

In the 2015 version it was revealed that 90% of large companies and 74% of
small companies had experienced some kind of breach in the previous 12
months, and most had experienced more than one — indeed, the average was
four.

However, not all these were criminal. Almost half were caused by employees
doing the wrong thing or not following procedure, but that is not the point.

Doing the wrong thing makes the business that much more vulnerable to
attack — and a lot of attacks rely on employees doing the wrong thing, such
as opening a dodgy attachment on an email.

Every year the threat grows as those mounting attacks become more
sophisticated.

This area is now much less the province of the disgruntled employee or the
amateur hacker. Attacks to extract money either directly or by blackmail or
for industrial espionage are now extremely sophisticated. And there is an
alarming propensity in some countries to try to embarrass or intimidate
diplomatic rivals by giving criminals access to some of the resources of
the state-security services.

Yet in spite of all this, the CEBR study and the PwC survey show a lack of
coherence in how firms respond.

True, some 60% did say they were confident that their security would keep
an attacker at bay, but one suspects their confidence was based on
ignorance of how sophisticated many of today’s attacks are.

It reminds one of the adage that in a disaster the person who doesn’t panic
is the one who doesn’t realise what is going on.

The survey also suggests 14% of companies have never had a board briefing
on cyber security, and 32% have never prepared a formal risk assessment.

There is also a lack of clarity in many companies about who is actually
responsible: more than a third of chief executives did not believe it was
them and almost all finance directors thought it was someone else.

So what is to be done? Well, yesterday, Nurole, one of the first executive
search firms to have properly embraced digital technology, ran a seminar
for senior board directors to help create greater awareness of the issue.

As a headhunter it clearly has an interest in persuading boards they need
to up their quota of digitally savvy directors, and it also thinks there
could be scope for a digital committee, close to the board, which can serve
as an adviser to executive directors.

One of the key developments led by companies in the States is the
appointment of a chief digital officer: at present only 6% of the larger
companies have one, but the numbers are growing fast.

Getting expertise on board is not a solution in itself. The real challenge
lies in getting awareness embedded not simply in the boardroom but in the
culture of the organisation so there is no strategic planning or innovation
which does not first think through the cyber implications.

There is a parallel here with compliance — in many organisations seen as
something alien from the business, no more than a box which had to be
ticked.

It has taken a long time, and cost billions in compensation, reputational
damage and fines to get compliance embedded in corporate culture.

It would be unfortunate — and just as costly — if firms take a similar
length of time to come to terms with cyber security.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
