Cyber Security – The Cost of getting it wrong!
The effects of a cyber breach can cost you your job and if the impact is significant enough you may well have to answer to Government.
DynaRisk is pleased to bring you a special guest submission from former City of London Police Commissioner, Adrian Leppard.
It seems that each month we see the effects of cyber crime having greater impact on business and on society. In September, Equifax revealed it had fallen victim to a major cyber incident which compromised the personal details of more than 145 million Americans — or about 40 percent of the U.S. population.
Since then, Equifax has found itself under global scrutiny, with its now former Chief Executive, Richard Smith, retiring from the company and subsequently having to testify before Congress.
That must be a wake-up call for all Chief Executives.
Boards will have this in the spotlight as well. The Equifax share price dropped from $141 in September to $93 after publication of the breach and had only recovered to $107 at the time this article was written.
The CGI and Oxford Economics study published in April this year showed that a typical ‘severe’ cyber security breach represents a permanent cost of 1.8% of a company’s value, measured relative to a control group of peer companies. For a typical FTSE 100 firm, this equates to a permanent loss of market capitalisation of £120 million, a significant loss of value for shareholders.
And it is highly likely these costs will rise further with the impact of the General Data Protection Regulation, which comes into force in May next year, particularly as most major breaches are not currently made public and as the markets themselves become more adept at judging corporate responses.
It is not surprising, therefore, that the UK Government’s Cyber Health Check publication for this year showed that 54% of FTSE 350 companies now view cyber as the top group risk when compared to all other risks faced by their company.
So what should a good company be doing about this? Firstly, start by dismissing the notion that this can simply be addressed by throwing money at the problem. It will certainly be costly to build an enterprise-wide, maturity-based approach to cyber security, but knowing where to put your investment is the real key to success.
Of course you need Executive and Board engagement, and you will need someone such as a Chief Information Security Officer to own the problem, but the real challenge is how to energise the entire workforce and business operation to mitigate the threat.
Enterprise solutions are less about technical systems and more about creating a sense of ownership of cyber security at every level of the organization. Operational users and those at the sharp end can see the risks and need to be empowered to resolve them. To achieve this at an enterprise level, you not only need to build knowledge and awareness, but also systems of governance and accountability for information assets.
Innovative solutions such as the DynaRisk platform can help individual members of staff and customers manage their own personal cyber risk exposure, implicitly helping to build greater awareness whilst closing down exposure to phishing and other attacks targeted at individuals.
But creating a ‘cyber-savvy’ workforce is only one step. The bigger challenge is in creating information assurance governance processes, delivered within a new business operating model, which ensure new and old risks are identified and managed at the front end of the business, not in some remote IT HQ.
Governance and oversight also need to be skilled, focused and delivering the necessary added value, bearing in mind the level of risk that is now being considered. Audit and Risk Committees need to be re-calibrated and supported by independent services which can evidence people, processes and technology.
It’s a tough ask on the organization, and it will need support every step of the way, as existing managers and leaders will not have comprehensive knowledge and experience to draw on. Re-calibrating the organization to work in this way is costly and takes time, but it does work, as evidenced by many businesses across the defence sector who started on this journey many years ago.
Andrew is the founder and CEO of DynaRisk. An industry-leading security professional, Andrew holds the GIAC Security Expert (GSE) designation, one of only around 150 holders worldwide. Earlier in his career as a cyber investigator, his work triggered international law enforcement investigations into criminal groups and nation states.