The evolution of risk

The global head of cyber security at BlackBerry discusses the need for greater cyber resilience in an increasingly digitised world


For too long cyber security has been allowed to remain an airy, abstract concept, delegated to the point of detriment, with many businesses refusing to accept the simple fact that as technology evolves, so too do the risks associated with it. In reality, progress comes at a price; and companies investing in the hardware, software, skills and strategy needed to offset the effects of cyberattacks where possible, and to manage them where necessary, will be ready to pay the piper, rather than letting their underestimation come back to haunt them. Accepting that cyberattacks can and will happen is not defeatist, but simply realistic in an increasingly digitised world. Adopting the position that “it won’t happen to me” is the sort of hubris that tempts fate.

The regulatory landscape, it seems, has acknowledged cyber security’s growing pertinence. Legislation such as the General Data Protection Regulation (GDPR) is not designed to be punitive for the sake of it, but to encourage companies to respect the duty of care they have to their customers, and to adapt to doing business digitally in the modern world. GDPR’s fines for non-compliance – up to €20m or 4 per cent of a company’s annual turnover, whichever is higher – have underscored the urgency for companies to become cyber-smart.

In addition to the financial penalties that companies can face from regulators, more consideration needs to be afforded to the reputational damage attached to failing to meet the requisite cyber security standards. Are customers likely to trust a company that has lost their data? Cyber security provision is not an area where any company worth its salt should try to cut corners.

Cyber security, or more accurately, cyber resilience, is about more than having a host of anti-virus or firewall technologies in place. Those should be par for the course and updated as a matter of operational maintenance. Cyber resilience means integrating departments, sharing responsibility and co-ordinating an entire business to deal with every aspect of a potential cyberattack. Whether it is in a company with ten or 10,000 employees, as most are likely to have some digital presence, it is important to inculcate a culture of vigilance, to keep staff au fait with best practice, to have the latest cyber security measures in place, and, in the event that an attack does happen, to have everyone briefed as to their role in a response. No single CTO, CFO or CEO should be held up as the fall guy. Cyber resilience means taking a more collective approach to responsibility.

Central to any response to a cyberattack are speed and sentiment. An effective PR strategy, with clear messaging that is empathetic regarding customers’ concerns, can do a lot towards mitigating any reputational fallout. Knowing what to say and who needs to say it, then, is part of the steps necessary to achieve true cyber resilience.

When the telecommunications provider TalkTalk experienced a cyberattack in October 2015, the direct impact was worrying for the company – as well as the costs of detecting and securing the breach came a £400,000 fine from the Information Commissioner’s Office – but the longer-term costs from reputational damage have been even more serious. Over 100,000 customers have left TalkTalk and the company’s share price has dropped to half of what it was at the time of the attack. The breach itself ultimately proved to be less extensive than first thought, but customers were unimpressed by the company’s ham-handed handling of the attack in its infancy, which included delaying the announcement until after the police got involved, and a refusal to end customer contracts without incurring charges.

Cyber resilience also means having good cyber hygiene, throughout an organisation, from the top down. There are plenty of instances of cyber security heading straight out of the window, thanks to human error. Something as simple as a member of staff sharing sensitive information on a non-work device or using an external app, such as WhatsApp or Twitter, could lead to that information being compromised and would bypass whatever security measures the organisation might have in place. Training people to be aware of these risks and reminding them of their responsibilities, therefore, is paramount to achieving cyber resilience.

While some companies might be wary of committing to an extensive cyber resilience programme – smaller businesses could view the costs as a hurdle – it is better to understand it as an investment in protecting the business in a worst-case scenario. The bottom line is how that business continues to function. Without a plan in place, it seems unlikely that a company, of any size, could talk its way out of the problems caused by a cyberattack.

Any and all businesses take stock; any and all businesses will consider health and safety risks as a natural part of their operation. Expanding that remit of self-audit and assessment to include a company’s digital presence or capabilities should not be viewed as a radical change. In the same way that companies would lock their doors to protect their property or their assets, why shouldn’t they attach the same significance to information and data kept in the cloud? Likewise, in the event of a burglary, insurance policies are helpful for limiting the damage and distress caused.

Cyber resilience isn’t about trying to con companies into spending more money; it’s about encouraging them to modernise alongside the threats they’re facing. Admittedly, investment in cyber resilience will be proportionate to what a company can afford, but doing nothing at all would represent a naivety, bordering on arrogance, that could easily backfire. There is not, and never will be, a silver bullet for all cyber threats. But BlackBerry is not, by any stretch, promising to make companies invincible – simply sustainable.