Cybercrime: Cost to business to quadruple in next 2 years
A recent report by Juniper Research predicts cybercrime will cost businesses over £2 trillion by 2019, almost four times the cost of security breaches this year. With this startling figure in mind we'd like to pose a question: Where is your CISO?
If you're thinking "What?" or "We don't have one", then you're not alone. This is not currently a widely appointed role outside of large corporates and financial institutions.
Wikipedia defines a CISO as follows: A chief information security officer (CISO) is the senior-level executive within an organisation responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.
Note the words "senior-level executive" in that definition. With the May 2018 enforcement date for GDPR looming, it's more important than ever for information protection and cyber security to be held at board level. With penalties of up to 20m euros or 4% of revenue, management teams are of course paying attention, but most mid-size organisations lack the expertise required to develop and implement robust and appropriate policies and procedures.
In the past year it's been impossible to avoid the subject of cyber attacks. Hacks and vulnerabilities are widely reported, with infiltrations of huge organisations like Yahoo, 3, Tesco and parts of the NHS. There is much scaremongering and hyperbole in the media, which spreads fear, and too often the reaction to fear is to do nothing. But the fact remains that we are living in a tech economy. As technology develops, so do cyber attacks, and companies must address this for the long-term security of their business.
PEPCO are working with G3 Good Governance Group to support portfolio companies in this area. We spoke to Malcolm Taylor, G3's Head of Cyber Security, for some thoughts on the issues. Malcolm has 20 years' experience with the UK Foreign Office, including working in high-risk territories abroad and alongside organisations such as GCHQ.
Keep Calm, it's just Risk Management
Malcolm provides a calm reassurance based on a wealth of knowledge and experience. His view is that this is just risk management, and what's great is that all companies already know how to do that. The key is ensuring the risk management strategy is developed to include cyber, and that cyber security as a policy is elevated to board level, NOT tucked away under the umbrella of "IT", as is often the case.
Specifically with GDPR, he explains this is really just a matter of good data hygiene. Without going into too much detail, what GDPR does for the first time is require businesses to account for how and why they hold data. They need good justification for retaining data to ensure compliance with data privacy and the rights of the individual. Plus, if they lose data they may be asked to show how they were securing it. Being breached in itself doesn't mean a breach of GDPR and subsequent fines, but a business must show it has taken proportionate measures to secure the data being held.
The difficulty here is that the onus is on companies to put these measures in place themselves, and their procedures will only be checked if a breach occurs. There is no case law or precedent on which to base recommendations, and of course what is considered "proportionate measures" will differ depending on the type of business. And so businesses find themselves somewhat lost: they know they need to do something about their cyber security, just not quite what.
In simple terms, cyber security is about avoiding theft, and Malcolm uses the analogy of securing a property against burglary. If you liken a cyber attacker targeting businesses to a burglar walking past a row of terraced houses, some "houses" will be easier targets than others. What G3 do is put their clients right in the middle of the row of terraced houses and give them the biggest locks.
3 Key Areas Must Be Addressed For Effective Cyber Security
1) Technology - working on systems to secure them
2) Governance (leadership) - senior management recognition of the issues, supporting policies within the organisation and board-level support to cascade action down through the business
3) People - ensuring staff are a defence rather than a weakness, including training on cyber awareness across an organisation
The leadership piece is critical. All organisations understand they have risk, e.g. financial risk, legal risk, political risk, and these are just things to manage as part of the overall business strategy. Put simply, businesses just need to add cyber to that list.
Currently cyber is not usually on the high-level risk radar and is often just pushed down to the IT department. But asking the IT department lead "are we secure?" is no longer enough. Whilst IT is good at making technology work, they are not always good at making it fully secure, and this is not just about the physical tech. On the opposite side of the coin, organisations can go to unnecessary lengths to secure systems and data, "just to be on the safe side", which can be a very costly and time-consuming strategy.
Many small to mid-size organisations just do not have the resources or specialist knowledge to assess the risk in this field, so it makes sense to partner with experts. No one can guarantee a 0% chance of a cyber attack, but with the right approach cyber risk can be easily mitigated. And G3 are confident that people who work with them, if breached, will be able to provide the right response to show they have met the requirements under GDPR.
PEPCO's category experts and specialist partners help organisations reduce costs and create efficiencies and process improvements across direct and indirect spend. PEPCO are partnering with G3 to bring cyber security expertise to the portfolio. G3 has several decades' experience in technology, the intelligence services, information security and international regulations. They combine this with corporate understanding to ensure advice is presented in a way which clients not only understand but, crucially, use to enhance their business.
Find out more about TrueValue and how it could strengthen your procurement processes. Call us on +44 (0) 20 3008 7588 or email us at firstname.lastname@example.org