In little over a decade the internet has revolutionised how many of us live and work. With more than two billion users, it is powering economic growth and creating jobs.
We know that the internet is improving the performance of UK businesses. A report by McKinsey last year revealed that small and mid-sized enterprises could increase their productivity by ten per cent simply by establishing a web presence. But businesses need to understand and manage their cyber security risks if they are to realise all the benefits of operating online.
Companies that create economic growth opportunities for the UK are attractive targets for foreign states, technologically capable organised criminals and politically motivated hacktivists. The internet offers a largely anonymous and cost-effective way for these adversaries to damage their targets, embarrass them or gain an economic advantage over them by stealing intellectual property or other crucial information.
In a recent speech, Jonathan Evans, MI5’s director-general, said that the amount of hostile activity from foreign states in cyberspace was “astonishing”, with one big listed British company alone losing £800m in potential revenue.
Don’t rely on the IT department
Cyber security is all too often thought of as an IT matter rather than a business-wide strategic risk management issue. There is little appreciation of the extent to which key information is handled by the HR, finance, legal and marketing functions, and by their various consultants or subcontractors. It is reckless to ignore the associated risks or to assume that the responsibility for protecting information rests elsewhere.
The cyber threats facing businesses and their supply chains will be addressed not through investments in technology alone, but through concerted risk assessments that enable businesses to identify their critical information assets, and through the establishment of a cyber risk oversight governance structure managed at board level. This process will certainly include security and technology personnel, but the board should be firmly in charge.
Key issues for all boards to consider
I believe that businesses should consider three main issues in their efforts to improve cyber security. First, businesses should ask themselves which information assets are uniquely important to them. It is imperative that they then assess the impact on their bottom line, reputation and share price if this sensitive data were to be lost or stolen, or if a critical online service were to be disrupted.
Second, companies need to have a proper understanding at board level of why their information may be attractive to others, who may be trying to gain it and how. Boards should require regular updates from the CIO or head of security about the nature and origin of any attack. They should also encourage information-sharing with other trusted companies to improve awareness and benchmark their cyber security against that of their peers.
Third, cyber risks encompass share value, merger activity, pricing, manufacturing processes, reputation, culture, staff, brand, technology and finance. Companies need to be proactive and ensure that these are managed strategically at board level. Board oversight of risk is required to drive change through the organisation’s culture. Evidence from the 2012 Bis/PwC data breach disclosure survey suggests that written security policies championed by the CEO, and understood and followed by the whole workforce, lead to a reduction in staff-related IT security breaches.
What is the government doing?
The cyber risks threatening the competitiveness of this country require co-operative action from the private sector and the government. Last year the government’s £650m cyber security strategy set out how the UK would support economic prosperity, protect national interests and safeguard the public by building a more resilient digital environment. We will soon be reporting on our progress one year on.
Bis, GCHQ and the Centre for the Protection of National Infrastructure (CPNI) have also published a cyber security guidance booklet (bit.ly/BisCyberSecurity). This document provides risk guidance for boards, outlines key challenges and risks, and recommends practical measures to mitigate those risks.
More broadly, the government is raising awareness of, and offering advice on, the threats. Guidance for large companies is available on the CPNI website (www.cpni.gov.uk/advice/cyber). This lists 20 critical means of effective defence, along with a comprehensive range of protective measures. Tailored advice for SMEs and individuals can be found at businesslink.gov.uk and www.getsafeonline.org.