Directors and top management have a key role in ensuring that cyber security is addressed as a strategic issue by organisations.
Cyber security is a key strategic concern for any organisation. In this extract from his book “Cyber security” published by Routledge, Jeremy Swinfen Green, TEISS’s Head of Consulting, introduces the concept of cyber security and explains why it should be the concern of all non-technical managers and executives.
Defining cyber security
Cyber security involves the steps organisations need to take in order to address the risks they face from their use, and their employees’ use, of digital technology, especially IT networks, the Internet and mobile devices.
Cyber refers to ‘computers’. You could just as well talk about ‘digital security’ in that modern computers are driven by ‘digital’ technology. However, ‘cyber security’ is the term adopted by UK government and is a more popular term than ‘digital security’.
Some people prefer to talk about ‘information security’ as being clearer and less like jargon. But I would argue that information security intersects with, rather than overlaps, cyber security, because not all information is digital and not all digital risk or cyber risk is about information.
Cyber security is a major issue for organisations worldwide. According to the Center for Strategic and International Studies, total global losses from cybercrime are probably at least $400 billion a year. Cybercrime losses at UK retailers alone totalled £505 million in 2013.
And that’s just cybercrime. There are many other major sources of danger from cyber technology such as wasted investments, the increased power of customers, reputational damage, the accidental sharing of strategic information, and the huge increase in compliance failures around data protection and other regulations.
Cyber risks can be caused by many things. They can involve a hacker, perhaps a criminal or a political activist, penetrating an IT network to steal data. But they will just as often involve the accidental leakage of secret information or personal data caused by a careless or naive employee, the theft of information caused by a disaffected employee (or an employee who is planning to join another organisation), or reputational damage caused by unhappy members of the public using social media.
Cyber technology can cause major damage. This damage can be direct financial loss through theft or fines, reduced sales, operational disruption, increased recruitment, credit or supplier costs, a loss of competitive advantage or reputational damage.
Despite the use of the jargon word ‘cyber’, it is important to understand that cyber security is not just about managing the risk to computer networks from hackers or from equipment failure. These are important risks, generally managed by the IT department or an outsourced supplier. But risks that cyber security processes need to manage extend far further than this and can be found across organisations. They include:
- Leaving a laptop computer that holds an unencrypted file containing a list of customers’ personal data on a train.
- Posting strategically important information on a public website or a computer service that is not adequately password-protected.
- A failure to spot and act against a website selling counterfeit copies of the handbags you produce.
- The teenage son of the CEO using the CEO’s iPad to access the company’s Twitter account and posting some ‘amusing’ tweets.
- The Marketing Director losing her personal smartphone which automatically connects to her office email account, allowing people to read sensitive emails.
Many of these incidents fall outside the IT department’s area of responsibility, which is why the board as a whole needs to understand them.
This isn’t to say that IT security shouldn’t be at the centre of any cyber risk management process. Of course it should. But the risk management process needs to go way beyond IT system security.
Cyber security is growing in importance
Cyber security is constantly growing in importance. Why is this?
- More and more organisations are operating online and so becoming more reliant on the Internet.
- More devices are connecting to the Internet (not just computers and smartphones but security cameras, air conditioning systems, even motor cars) increasing the opportunities for systems to be disrupted or information to leak out.
- More people are bringing powerful personal computers, in the form of smartphones, to their workplaces and using them to access work information.
- Companies are increasing the amount of data they create, capture and store online.
- Attackers, whether hackers or organised criminals, are becoming more sophisticated and are building on earlier cybercrime tools rather than starting from scratch.
- More and more ‘DIY’ cybercrime tools are being offered online, for prices as low as $50.
But there is no need to panic. While it is inevitable that some damage will be caused to most organisations by internal and external people behaving maliciously or carelessly when using digital technology, there is a good deal that can be done to reduce the likelihood and impact of these cyber risks.
Where do cyber risks occur within organisations?
As mentioned earlier, cyber security needs to address risks across the whole of organisations and not just within IT departments. This is why board directors and managers across organisations need to understand them. Here are a few examples:
- HR managers need to understand how social media misuse, such as bullying or spying on employees, can lead to discrimination or unfair dismissal cases.
- Sales managers need to understand that exchanges with clients on Facebook or Twitter can have contractual implications.
- Factory managers need to understand that failing to change the default passwords on machinery that is connected to the Internet leaves that machinery open to unauthorised access, and so to disruption of operations.
- Marketing managers need to understand the risks of divulging personal data about customers online, for instance in social media platforms.
- Designers need to understand the risk of storing ‘in the cloud’ confidential information about products and services that are under development.
- Sales managers need to understand the risks of keeping confidential data on laptops, and of connecting those laptops to public wi-fi, while they are out on sales calls.
- HR managers need to understand the risks associated with libel from allowing colleagues to post pictures and comments about office parties and other events they attend in an official capacity.
- Finance managers need to understand how easy it is to publish restricted financial information accidentally.
- Compliance managers need to understand the risks of employing agents who communicate with consumers via social media in a hard-to-regulate way.
- All managers need to understand the risks that phishing scams and malvertising can bring to their business.
- All managers need to understand the risks of losing personal computers (tablets, smartphones) that contain corporate data because they have been used at work.
- All managers need to understand the risks of disposing of digital devices that have been used to access and store confidential corporate information.
I’m a strategist. I don’t do technology
Cyber security is too important to be left to the IT department. Of course strong IT systems underpin cyber security. But there is much that managers outside IT need to be aware of, even if they don’t have any real understanding of technology. In particular all employees need to be educated about ‘cyber-safe’ behaviour; and business processes need to be designed that don’t open organisations up to unnecessary cyber risk.
An effective cyber security strategy needs to address three things:
- technology,
- business processes, and
- people.
Non-technical managers cannot be expected to be experts in IT technology. However, they should feel comfortable with the basic principles, at least insofar as they extend to cyber security. Happily, these principles are less complicated than you might think.
Non-technical managers can, however, be expected to understand processes and people. And processes and people are just as important as technology in ensuring cyber security.
Lax security processes need have nothing to do with cyber technology. Consider the case of the hard drives containing confidential patient data that were stolen from an NHS hospital in Brighton in 2010. A thousand hard drives that were due to be destroyed were stored in a locked room in the hospital, supervised by NHS staff. However, at least 250 went missing and some ended up for sale on eBay. The supervision and room-security process that allowed this to happen had nothing to do with a lack of IT knowledge, although perhaps a dismissive attitude to the importance of technology lay behind it.
Similarly, back in 2007, US soldiers’ ignorance of social media led to the destruction of several US Army helicopters. The soldiers had posted photographs of the helicopters on social media, unaware that photographs taken on smartphones are routinely tagged with metadata (EXIF data) that records the GPS coordinates of the place where the picture was taken. Iraqi insurgents used this information to locate and destroy the helicopters. This failure owed nothing to technology systems; it was a simple failure to foresee a risk and to educate people about avoiding it.
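The helicopter example turns on a technical detail that is worth making concrete: the location information in a smartphone photograph lives in the EXIF block of the JPEG file, as a GPS sub-IFD holding latitude and longitude. The Python below is an added example written for this page, not code from the book or from any product it mentions. It parses that GPS IFD out of a JPEG and strips the Exif segment, so that a picture can be checked, or sanitised, before it leaves the organisation. The JPEG it operates on is constructed inline with made-up coordinates, the function names are my own, and real photographs carry many more tags than this minimal parser looks at (it simply ignores them).

```python
import struct

# EXIF/TIFF field types and their byte sizes (BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED, SLONG, SRATIONAL)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
GPS_IFD_TAG = 0x8825                        # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4


def _read_ifd(tiff, offset, e):
    """Return {tag: (type, count, raw_bytes)} for the IFD starting at `offset` in the TIFF block."""
    (count,) = struct.unpack_from(e + "H", tiff, offset)
    entries = {}
    for i in range(count):
        tag, ftype, n, inline = struct.unpack_from(e + "HHI4s", tiff, offset + 2 + 12 * i)
        size = TYPE_SIZES.get(ftype, 1) * n
        if size <= 4:                       # small values are stored inside the 12-byte entry
            raw = inline[:size]
        else:                               # larger values live at an offset from the TIFF header
            (data_off,) = struct.unpack_from(e + "I", inline)
            raw = tiff[data_off:data_off + size]
        entries[tag] = (ftype, n, raw)
    return entries


def _exif_segments(jpeg):
    """Yield (start, end, tiff_payload) for each APP1 'Exif' segment in the JPEG header."""
    pos = 2                                 # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD8, 0xD9, 0xDA) or 0xD0 <= marker <= 0xD7:
            break                           # SOI/EOI/SOS/RSTn have no length field; image data follows SOS
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        end = pos + 2 + length
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            yield pos, end, jpeg[pos + 10:end]
        pos = end


def _dms_to_degrees(raw, e):
    """Decode up to three RATIONALs (degrees, minutes, seconds) into unsigned decimal degrees."""
    raw = raw[:len(raw) - len(raw) % 8]
    parts = [num / den if den else 0.0 for num, den in struct.iter_unpack(e + "II", raw)]
    d, m, s = (parts + [0.0, 0.0, 0.0])[:3]
    return d + m / 60 + s / 3600


def gps_from_jpeg(jpeg):
    """Return (latitude, longitude) in signed decimal degrees from the EXIF GPS IFD, or None."""
    for _, _, tiff in _exif_segments(jpeg):
        e = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # byte order declared in the TIFF header
        if e is None:
            continue
        (ifd0_off,) = struct.unpack_from(e + "I", tiff, 4)
        ifd0 = _read_ifd(tiff, ifd0_off, e)
        if GPS_IFD_TAG not in ifd0:
            continue
        (gps_off,) = struct.unpack_from(e + "I", ifd0[GPS_IFD_TAG][2])
        gps = _read_ifd(tiff, gps_off, e)
        if GPS_LAT not in gps or GPS_LON not in gps:
            continue
        lat = _dms_to_degrees(gps[GPS_LAT][2], e)
        lon = _dms_to_degrees(gps[GPS_LON][2], e)
        if gps.get(GPS_LAT_REF, (0, 0, b""))[2][:1] == b"S":
            lat = -lat
        if gps.get(GPS_LON_REF, (0, 0, b""))[2][:1] == b"W":
            lon = -lon
        return lat, lon
    return None


def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1 Exif segment removed; pixel data is untouched."""
    out = bytearray(jpeg)
    for start, end, _ in sorted(_exif_segments(jpeg), key=lambda s: s[0], reverse=True):
        del out[start:end]
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input (SOI + one APP1 Exif segment with a GPS IFD + EOI).
    Sample data written for this example, not a real photograph."""
    e = "<"
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4         # IFD0 holds a single entry
    lat_off = gps_off + 2 + 4 * 12 + 4      # GPS IFD holds four entries
    lon_off = lat_off + 24

    def entry(tag, ftype, n, value4):
        return struct.pack(e + "HHI4s", tag, ftype, n, value4)

    def rationals(dms):
        return b"".join(struct.pack(e + "II", int(v), 1) for v in dms)

    tiff = b"II" + struct.pack(e + "HI", 42, ifd0_off)
    tiff += struct.pack(e + "H", 1) + entry(GPS_IFD_TAG, 4, 1, struct.pack(e + "I", gps_off))
    tiff += struct.pack(e + "I", 0)
    tiff += struct.pack(e + "H", 4)
    tiff += entry(GPS_LAT_REF, 2, 2, lat_ref.encode() + b"\x00\x00\x00")
    tiff += entry(GPS_LAT, 5, 3, struct.pack(e + "I", lat_off))
    tiff += entry(GPS_LON_REF, 2, 2, lon_ref.encode() + b"\x00\x00\x00")
    tiff += entry(GPS_LON, 5, 3, struct.pack(e + "I", lon_off))
    tiff += struct.pack(e + "I", 0) + rationals(lat_dms) + rationals(lon_dms)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg((51, 30, 0), "N", (0, 30, 0), "W")
    print("before strip:", gps_from_jpeg(photo))
    print("after strip: ", gps_from_jpeg(strip_exif(photo)))
```

Whether a particular website strips this data on upload is not under the poster’s control, and the file still carries it when sent by email or synced to a shared drive. The reliable control is therefore the one the chapter argues for: a process that sanitises images before they leave the device, and people who know why it exists. A check like gps_from_jpeg can be run at a mail gateway or upload path to enforce it.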
Even if you don’t work in the IT department, there is no reason for you to think that you know nothing of digital technology. The truth is that you probably deal with digital technology every day – music, photographs, email, word-processing, smartphones, memory sticks. Accountants have to deal with accounting software, marketers have to deal with digital CRM systems, and designers have long been familiar with CAD/CAM.
There is nothing so very different about the technology used by IT departments, apart from the jargon used and the functions it performs. Company directors and non-technical managers don’t really need to know how IT and cyber security systems work. They just need to know what they do (and whether they are doing it). After all, you don’t need to understand how a TV works to enjoy watching it.
Directors and cyber risk
The boards of many organisations are ill prepared to deal with cyber risk. According to a 2014 Ponemon Institute report sponsored by HP, ‘The Importance of Senior Executive Involvement in Breach Response’, more than 70 per cent of executives say their organisations do not fully understand the risks associated with data breaches.
This lack of knowledge seems to be affecting the way that IT professionals deal with cyber security. According to the same report, fewer than half of top executives, including Board members, are kept informed about the breach response process, while 65 per cent of IT practitioners said that they would modify, filter or water-down reports about a security incident.
If board members lack knowledge and lack information, how can they possibly ensure cyber security and oversee the management of cyber risks? And yet it can be argued that boards have a legal responsibility to oversee risk as part of their duty to exercise ‘reasonable care, skill and diligence’. Certainly in the UK they have a duty to report on it.
Most boards will have at least one member with a responsibility for risk generally. In order to start a discussion about cyber risk that person (or the chairman) should ask the following questions of the board:
- Who is responsible for cyber risk oversight on the board? What information do they receive from management?
- Are our business strategies and cyber risk management strategies aligned?
- Have we considered our appetite for cyber risk? Have we communicated this to relevant managers? As a result are we investing sufficiently in tools, preparation and training?
- Do we have an effective cyber risk management process? How often is it reviewed? Does organisational culture support our risk management processes?
- How are we monitoring risk? Would we know if inappropriate risks were being taken?
- Do we understand the legal and regulatory environment as it applies to cyber risk, including governance, data, privacy, fair trading, industry regulations and discrimination?
- How will risk mitigation enable and promote organisational strength and growth? Are we sufficiently agile in this area?
If the answer to any (or all) of these questions is ‘We don’t know’ then this book will help.