Mention cyber security to any business and it’s likely to cause a strong reaction. Preparedness and responsibility can vary. But as attacks become increasingly sophisticated and, in some cases, high profile, it is no surprise that 89% of FTSE 100 companies now recognise cyber as a principal risk.
Traditionally companies have often been sold defence systems by way of fearmongering. This, in turn, provoked negative and defensive behaviour, with few organisations willing to invest in developing innovative risk solutions.
While there’s some way to go in finding best practice, I’d argue that headway is being made at least towards developing better practice. And with this progress come sparks of optimism.
Business as usual
In many ways, cyber-attacks are inevitable. Prevention and remediation are not enough. To build stronger defences, there must be greater emphasis on strengthening both real-time detection and businesses’ response to live incidents.
With digitisation, the cyber threat has simply become a new risk of doing business. Companies are dependent on an increasingly wide-reaching, globalised and digitalised supply chain network, which has the inadvertent effect of exposing them to a greater range of cyber-attack vulnerabilities. It’s an everyday, systemic cyber risk and companies must be armed to enter this global business environment.
Understanding the threat
One of the easiest ways to carry out cyber-based crime is through the acquisition of data. For cyber criminals, personal data is a commodity as valuable as oil. Stolen identities can be sold on the dark web, where criminals can then use them to carry out fraudulent transactions. Despite GDPR coming into effect, huge volumes of data remain stored in relatively insecure environments, from which they can easily be swept up and sold on.
At the more sophisticated end of the cyber-crime spectrum, the target is often more specific. Malware is designed to infiltrate an internal network. This might be a banking payments system where account balances can be altered, or it might target valuable intellectual property (IP). The entry point can be all too easy – generating a fake invoice, perhaps, from a third-party vendor – and waiting until just one recipient opens the attachment and unwittingly installs the malware.
So what can be done?
It’s crucial to get the fundamentals right, so ask yourself the following:
- What are you protecting?
Be clear on your most valuable asset – what would need to be back up and running again in the first 24 hours of a breach? Understand how cyber criminals operate and behave in your specific industry and plan accordingly.
- Do your security processes suit your risk profile?
Consider what level of risk you are willing to accept in order to carry out day-to-day business. A trade-off may be necessary between security and operational speed.
- Do you have a mix of business and cyber experts?
You’ll need to build a suitable monitoring and response plan, but make sure you have the right teams with a mix of cyber skills and experience ready on the ground.
It’s also important you don’t ignore the opportunities:
- What new solutions are out there?
Stay one step ahead and adopt new technology for faster detection and better prevention. Make the most of AI and data-analytical tools to join the dots across multiple data sources.
- What benefits could greater privacy bring to your business?
GDPR mandates that businesses understand exactly what data they store and what is deemed necessary to keep. This offers clarity of purpose and use of data that can encourage a more effective digital operation.
- Have you considered collaborating?
Connect more to see more. Sharing information both internally and externally makes it easier to identify patterns and predict future events. Collaboration between businesses, enforcement bodies and regulators is also essential in tackling the evolving cyber threat.
Ultimately, cyber is a business challenge like any other. But those who take the right steps in order to build cyber security into all facets of the business will reap the rewards.