Spotlight, 17 February 2016

"Total security is a futile concept"

Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask four cyber specialists.

1. How would you convince UK plc to take cyber security more seriously?

Catherine Askam, Senior manager of cyber risk services at Deloitte UK
The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing and cyber attacks are moving from disruptive to destructive. The UK has experienced many large-scale point-of-sale compromises and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records. This isn't surprising – the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation and the rise of the destruction of data are very concerning.

John Berriman, Chair of cyber security practice at PricewaterhouseCoopers
Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business: it underpins its every relationship, decision and interaction. Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown, Executive director, cyber security and resilience at Ernst & Young
Cyber threats remain one of the most significant risks facing UK businesses today.
The blistering pace of technological change and the cyber threats that come with it are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat. Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger, but more innovatively as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor, UK head of cyber security practice at KPMG
Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats. Businesses need to consider that if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.

2. "The cyber security industry trades off people's fears – often unsubstantiated." Discuss

John Berriman
PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches. Others are in denial about the extent to which they are vulnerable or fail to prepare adequately and then find themselves hit by a major breach that causes serious business disruption.
At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown
The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving – one rooted in the heart of enterprise risk management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention. This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress. The risk is very real, but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor
There's a great deal of scaremongering out there that isn't necessarily helpful. The constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives. Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department. We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough and who they can trust to help them get it right. The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".
Catherine Askam
Cyber risk is often associated with high-profile cyber espionage, rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying, but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3. Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown
Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore, failure to provide continual education, training and awareness to staff is a key risk. Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor
Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals. Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short: attackers won't respect your stovepipes and you need to think.
Catherine Askam
Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat. While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment. Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman
There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest or, indeed, weakest point in the security chain. PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals. Employee awareness is a difficult area for information security and many organisations struggle to get it right.

4. What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor
Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam
According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014.
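Catherine Askam's point that event-management tooling can "flag up irregular activity" from insiders, and her later advice to fix joiner, mover and leaver processes, both come down to correlating authentication events against what HR says should exist. The following is an added example written for this page, not code from the article or from any of the firms quoted. It runs three simple SIEM-style rules over a handful of constructed log lines: a successful login by an account HR has marked as a leaver, a login by an account HR has never heard of (a joiner process that was skipped), and a login outside an assumed 08:00-18:00 working day. Every user name, IP address, date and log line is constructed for illustration.

```python
"""
Added illustration, not from the article: minimal SIEM-style correlation of
authentication events against a constructed HR roster.
"""
from collections import Counter
from datetime import datetime, date, time

# Constructed HR feed: username -> date the account should have been disabled
# (None means the person is still employed). Anyone absent from this dict has
# no HR record at all, i.e. the joiner process was bypassed.
HR_ROSTER = {
    "alice": None,
    "bob": date(2016, 1, 31),   # left at the end of January (constructed)
    "carol": None,
}

# Constructed authentication log: ISO timestamp, user, result, source address.
AUTH_LOG = """\
2016-02-01T08:55:12 alice success 10.0.0.5
2016-02-01T09:02:44 bob success 10.0.0.9
2016-02-01T23:17:03 carol success 10.0.0.7
2016-02-02T03:40:21 bob failure 203.0.113.8
2016-02-02T03:41:05 bob success 203.0.113.8
2016-02-02T10:15:30 carol success 10.0.0.7
2016-02-02T11:00:00 dave success 10.0.0.11
""".splitlines()

# Assumed working day; a real deployment would take this from the business.
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def parse_event(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, user, result, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "result": result, "src": src}


def is_leaver(user, when):
    """True if HR says the account should have been disabled before 'when'."""
    left = HR_ROSTER.get(user)
    return left is not None and when.date() > left


def outside_hours(when):
    """True if the event falls outside the assumed working day."""
    start, end = BUSINESS_HOURS
    return not (start <= when.time() <= end)


def detect(lines):
    """Apply the three rules to successful logins; return (ts, user, rule) tuples."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev["result"] != "success":
            continue                      # only successful authentications matter here
        stamp = ev["ts"].isoformat()
        if ev["user"] not in HR_ROSTER:
            findings.append((stamp, ev["user"], "account-not-in-hr-roster"))
        elif is_leaver(ev["user"], ev["ts"]):
            findings.append((stamp, ev["user"], "leaver-account-login"))
        if outside_hours(ev["ts"]):
            findings.append((stamp, ev["user"], "out-of-hours-login"))
    return findings


def rank_users(findings):
    """Order users by number of findings so an analyst sees the noisiest first."""
    return Counter(user for _, user, _ in findings).most_common()


if __name__ == "__main__":
    hits = detect(AUTH_LOG)
    for stamp, user, rule in hits:
        print(f"{stamp} {user:<6} {rule}")
    print("ranking:", rank_users(hits))
```

On the constructed data the rules fire five times: "bob" logs in twice after his leaver date (the second time also at 03:41 from an external address), "carol" logs in at 23:17, and "dave" has no HR record at all. The point of the example is the join between two data sources, the log and the roster; none of the rules is clever on its own, which is exactly why the joiner, mover and leaver feed has to be accurate for the detection to mean anything.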
Therefore, cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked, but when.

John Berriman
The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown
Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend. During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire population of India.

5. What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam
1. Fix the basics such as passwords and update security patching and new joiner, mover and leaver processes.
2. Review current security operations and invest in them to strengthen this area of your business.
3. Focus on prevention in addition to how you would respond to an attack, for example threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies to avoid data or information being destroyed if a hacker accessed it.

John Berriman
1. Organisations need to accept breaches will happen and put in place controls to protect systems with additional security for the assets that matter most.
2. They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3. They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown
1. Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2. Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3. Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor
1. Identify what data and processes are the most important to your business.
2. Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3. Put a long-term plan in place, using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure – that's simply not possible.

Jon Bernstein, former deputy editor of New Statesman, is a digital strategist and editor. He tweets @Jon_Bernstein.