Every day the impact of cyber-attacks fills column inches of mainstream media around the world. Governments, leading global brands, small businesses and innovative start-ups in all industries have felt the pain.
Many have lost competitive edge, customer confidence and market reputation. Many more are hoping it isn't going to happen to them.
The rapid adoption of new technologies, new business practices and the all-pervasive global inter-connected nature of people, technology and business means we are all now just one click away from losing what is most precious to us.
All organisations have information or critical systems that are of value to others. At some point, if not already, someone will target your business.
Digital criminality is increasingly recognised as one of the most serious risks to a strong global economy.
In June 2014 a study by the Centre for Strategic and International Studies (CSIS) estimated that cybercrime costs the global economy about $445bn (£264bn, €332bn) every year.
In January this year the World Economic Forum and McKinsey suggested a wave of new regulations and corporate policies, introduced to combat more destructive attacks, could slow innovation, with an aggregate impact of approximately $3tn by 2020.
Despite the scale of the problem, I fear that too many company boards still believe that responsibility for cyber resilience sits in IT or security and that solutions lie solely with technology. But cyber resilience is a shared challenge.
All of us have a role to play in helping improve our own, our team's and our company's resilience against digital crime.
It is vital that the executive board plan for effective resilience in support of their strategic priorities rather than react to an attack crisis. They need to know the right questions to ask themselves including: What information must we protect? What's our risk appetite? What are our vulnerabilities to attack? What are the potential impacts of a successful attack and how will we respond when it happens?
Recent high-profile incidents across a number of different industries, and many more not widely reported, illustrate the material damage that can occur if executive responsibility and action are poorly understood or executed.
Enhancing Market Reputation
To what degree do you trust the organisations you share your valuable personal data with to ensure that it's properly protected?
And has that trust been impacted by a cyber-attack? Attacks not only hit a company's finances, they also impact the trust that we place in the organisations we deal with.
Many organisations have had to deal with highly damaging financial and reputational impacts from a successful attack. However, there are some exemplar organisations.
These organisations understand that effective cyber resilience involves people, process, technology and leadership. They use it to support their innovation and growth and increasingly as a means to differentiate themselves to their customers, regulators and media.
Awareness must be the first step to resilience
So what do we all need to do in the face of this risk?
Author James Thurber once said: "Let us not look back in anger or forward in fear, but around in awareness".
Being aware is the starting point. For business leaders this means:
- Being aware of what your critical assets are – those crown jewels you cannot afford others to see
- Being aware that behaviour change across all your staff and supply chain partners is a critical part of overcoming your cyber risk hurdles
- Being aware that you need a multi-disciplinary approach across your company to define and action a coherent plan.
Most importantly, we all need to be more aware of and understand the consequences of the decisions and actions we take every day in our jobs. This may include adopting new serious gaming techniques, for example, so that behaviours are affected through learning by doing. This also requires the appropriate time and leadership from line managers to support these programmes over time.
Pragmatism is key to resilience
Governments are encouraging corporations to protect themselves through new cyber frameworks. Recent examples include the US Executive Order on 'Improving Critical Infrastructure Cybersecurity' and the resulting National Institute of Standards and Technology (NIST) framework launched in February 2014 and the UK Government Cyber Essentials Scheme launched in June.
While I welcome the publication of these policies and standards, many organisations are still searching for the right, pragmatic way to make these part of day-to-day business operations.
At Axelos we are developing a new Cyber Resilience portfolio that will help in providing practical 'how-to' management guidance.
The portfolio includes best practice guidance, training materials and certification, simulations, serious games and a risk assessment maturity tool – all designed to enable a company to be more confident in tackling their cyber risks.
Axelos is a joint venture company, created by the UK Government and Capita.