In less than two decades the internet has fundamentally changed everything from how business is carried out to how we organise our day-to-day lives. We now depend on being able to access the internet safely, not only to communicate and connect across the world but also to share and store information.
Regardless of size or sector, every business relies on digital technology. However, the benefits to efficiency and market development come at a cost. The hyper-connection of industries, people and ‘things’ makes everything vulnerable to cyber attacks. Connectivity relies on software, and the simple reality is that, according to Code Complete, every 1,000 lines of code contain between 15 and 50 errors.
Welcome or not, cyber security has become a new mandatory operating layer that requires integration into all business models. Cyber security is what makes a business model operational; without adequate cyber security embedded in culture and operations, companies are taking huge risks and missing various opportunities.
Cyber security is essential to the safe use and continued development of the internet. Recent breaches at companies such as TalkTalk, Yahoo and Ashley Madison have received global media attention and exemplified the importance of protecting information which is sensitive both to businesses and their customers.
Understanding and recognising the evolving landscape of cyber threats is the new boardroom discipline, essential to the sustainability and competitiveness of businesses. It concerns intellectual property, customer information, financial data, employee records, and much more. From coffee machines to system operators, everything that is linked to a network has the potential to be accessed by hackers. The more value stored online, the greater the likelihood of online attacks; one example is an attack that holds data ‘ransom’ until the victim either loses the information or pays to get it back.
The level of preparedness for cyber attacks, and how businesses respond in the event of an attack, can have profound economic impacts. The BIS 2014 Information Security Breaches Survey reported that 81% of large organisations had experienced a security breach of some sort. This costs each organisation, on average, between £600,000 and £1.5 million. For small and medium sized businesses (SMEs), the most severe breaches have cost as much as £310,800, up from £115,000 in 2014, demonstrating that the issue is not limited merely to ‘big business’. An FSB report published in June 2016 notes that 66% of small businesses have been victims of cybercrime, often more than once. Each of these crimes reportedly cost small businesses, on average, nearly £3,000.
More than ever before companies of all sizes hold enormous amounts of customers’ and employees’ private data. In addition to identifying information such as name, address, contact and bank details etc., companies increasingly hold ‘big data’ and ‘metadata’ on members of the public. Such data can be used to paint detailed and accurate pictures of individual behaviour and consumer habits. Despite the significant financial and ethical dangers that accompany cyber crime, cyber security is still not treated as a high-priority strategic issue by many companies.
A common yet flawed assumption is that cyber security is an IT issue, rather than a strategic risk management issue. In a survey carried out by McKinsey with information security leaders at 25 top global companies, the results showed that most respondents believed senior corporate leaders had too little understanding of the IT security risks and business implications to discuss the trade-offs for investment, risk, and user behaviour.
The technical aspects of cyber security are manifold. So too are the human aspects, which are frequently overlooked or not properly considered in the drafting of rules, regulations and codes. For example, best-practice guidelines often encourage employees to change their passwords regularly. However, experience suggests that this often leads people to choose shorter, less secure passwords so that they can remember them. Or, where a long, complex password is obligatory, it gets written down and left in or near the worker’s work area. These unintended consequences can lead to greater, not lesser, threats of a cyber breach.
Advocates stressing the importance of employee behaviour suggest a holistic, joined-up approach to cyber security that begins and ends with what people do in the workplace and why. Jeremy Swinfen Green, member of the Data Privacy and Document Marking Standards Committee at the British Standards Institution (BSI), offers the following steps and areas of focus:
- Write good rules – companies should be at pains to write policies that people can understand. They should be couched and presented as rules or guidelines, not as a contract, and should ideally not exceed a page or two in length. These rules or management instructions should be accompanied by the sanctions people should expect for breaking them. Businesses should ensure the rules are usable and practical; otherwise employees will be tempted to find workarounds.
- Training – the rules need to be communicated to and explained with employees in various ways, which must include face-to-face instruction. People need to know what to do and how; there is no substitute for being shown via demonstrations.
- Awareness – a business must ensure knowledge of the rules stays front of mind. Notices can be placed on toilet doors and/or in common areas so that people are regularly reminded.
- Persuade and motivate – businesses should reward good behaviour, for example by granting time off or other perks for exemplary practices and behaviours. They should also disincentivise rule breaches with sanctions and punishment.
- Cultivate culture and trust – the leadership of, and culture in, the business is critical. Social norms such as the desire to appear polite may dissuade an employee from challenging a person in the workplace who is not wearing a visitor’s badge, for example, so cultural norms should be set in which employees are empowered to act in the best interest of security. Employees should have a healthy dose of scepticism regarding unusual or risky behaviours. They should not feel compelled to let someone “tailgate” through workplace security barriers, for example, should such an incident occur. Unsafe, risky behaviours can become culturally unacceptable if the appropriate culture is nurtured.
In 2018, new EU-wide regulation comes into force, which may or may not include the UK. The new EU General Data Protection Regulation (GDPR) will change the game for both large organisations and SMEs in the security of personal information. It will also transform the cost of regulatory fines for cyber breaches, from £1.4 billion in 2015 to a vastly increased £122 billion (these figures assume the same level of breaches as last year, when 90 percent of large organisations and 74 percent of small and medium-sized enterprises said they had suffered a security breach, according to the PCI Security Standards Council). Under GDPR, fines can also be issued if an organisation cannot demonstrate that it has built security into its systems and processes.
Certification to baseline standards on cyber security could help businesses to prevent successful attacks. The UK Government published its Cyber Essentials Requirements in 2013. ISO/IEC 27001:2013 is a more comprehensive certification developed by the International Organization for Standardization.