13 February 2015
Do not underestimate the challenge, says Anthony Hilton
Among the thousands of reports and surveys to come out of the annual meeting in Davos, one of the most useful is the annual study of business risks, in which executives rank what they consider to be the most pressing of their current concerns. Particularly significant this year was that cyber security surged to the number three position.
One easy explanation for this might be that it was at the forefront of executives’ minds because of the global publicity generated over Christmas by the attack on Sony Pictures. However, the fieldwork for the survey predated the publicity so there must be more to it than that.
Concern about cyber risk is now spreading beyond the financial sector. Companies once tended to assume this was a problem for organisations whose business is money, not for those in the mainstream with nothing so obviously attractive to a thief.
This, however, is to underestimate the issue. Even if no money is lost, public confidence in an organisation can be damaged by, for example, the theft of customers’ personal data – as happened recently at eBay. The financial loss may be small, but the reputational damage and hit to customer relations can be huge.
Three years ago John Berriman, a partner at PwC, created a unit specifically to help clients deal with cyber threats. He and his colleague Richard Horne make the point that attacks can come from four distinct sources, each with its own motivation.
First, there are attacks instigated by governments, government agencies or terrorist groups pursuing objectives without resorting to force of arms. The Bank of England is now seriously concerned about the systemic risk to the financial system that such an attack might precipitate, and has ordered financial institutions to test their resilience with this in mind.
Then there are attacks by criminals, whose interest is usually money. They have a sophisticated supply chain of specialists, each focused on a different area: some have the skill to break in, others write the software, others again know how to run attacks at scale, and still others provide specialist services such as laundering the proceeds. It is almost a parallel business world.
Third come the attackers who want information. This is the modern version of industrial espionage, where the objective is the theft of intellectual property or valuable commercial secrets: suppliers and customers, contract terms, new product development and so on. The target is not always an organisation's own data; some are attacked to get at data they hold on third parties.
Finally, there are rogue employees who are disgruntled or believe they are fulfilling a higher purpose by whistleblowing.
In this environment, chairmen must assess how vulnerable their businesses are, how to manage the risk and what governance measures need to be put in place. Although most boards are at ease dealing with finance, many feel uncomfortable with technology, partly because of a generational gap and partly because too many skilled IT people lack communication skills. Familiarity with finance was not always a given either: it only really became established with the introduction of audit committees 30 years ago. Arguably a similar development, an IT risk committee, is a way forward.
It is important that the board is not overawed, because there is no qualitative difference in the approach to risk control, whether the risk is in IT or any other area. Ultimately, at board level it needs to be grounded in common sense and respond to the same line of questions. Boards should consider what their crown jewels are and how to prioritise their protection; whether the company is structured in a way that minimises its vulnerability; what systems are in place to deal with threats; when those systems were last tested; and how often the threats are reviewed. Unfortunately this is not cheap. A decade or so ago banks' spending on cyber security ran into the low millions. Getting a better feel for the scale of the problem led them to spend tens of millions. Today it is hundreds of millions. The rest of the business world is about to set out on a similar journey.