Cyber crime costs the UK £27 billion a year, according to the UK Cabinet Office. The size of the threat is matched by its variety, which can include:
- Theft of intellectual property
- Disruption to business or critical systems
- Theft of personal customer data
- Implicating your business in an attack on a customer or supplier
The reality of cyber crime means that it is now reckless for a board not to factor it into an organisation’s risk management strategy. Malcolm Marshall, KPMG’s Global Leader for Information Protection and Business Resilience, says: “Cyber crime is simply becoming more of a mainstream tool. What was previously in the domain of specialist geeks is now a normal part of a regular criminal toolkit.”
Not that the tools are just the preserve of criminals. “Organisations have only recently realised the extent to which state-sponsored players are conducting economic espionage,” says Malcolm. “There are instances where governments or businesses are verifying what is being said to them in negotiations, doing background research, or even directly seeking information for their economic benefit.
“You can look at the worst case scenarios – and certainly everyone expects the threats to get worse and more numerous. There are already examples of countries using cyber espionage to benefit their national companies, and given that this has been seen to be successful, you will see the use of cyber espionage spreading and more, often less stable, countries taking it up.”
The idea of state-sponsored cyber warfare has received huge coverage since the revelation that the Stuxnet worm, which spread worldwide, was designed to target a specific industrial facility in Iran. It adds another layer of complexity to how to tackle cyber crime and what constitutes a safe level of defence, especially for corporates.
Malcolm says: “The second big risk is that those sophisticated tools developed by governments fall into genuinely criminal hands, who could then use them to attack or hold to ransom commercial businesses, as we’ve seen with the attack on Saudi Aramco, the world’s largest oil company, which is owned by the Saudi government.”
Fundamentally, boards need to be on the front foot and devise a robust strategy to combat cyber crime. Malcolm explains: “People are reactive to it, but the reality is that most large organisations have had some incident of varying degrees of severity. The recent press release from MI5’s [Director General] Jonathan Evans saying that one UK company had lost £800 million to cyber espionage shows a number which is hard to calculate, but is feasible.”
Unfortunately, many businesses have a long way to go in catching up with the attackers. In its analysis of the state of security in 2,000 top private businesses around the world, KPMG’s ‘Publish and be Damned, Cyber Vulnerability Index 2012’ reveals that across the sample group (with combined assets of over $31 trillion), rudimentary methods of accessing public data could glean an average of 210 usernames, 52 network folders and 171 email addresses per business. That is exactly the raw material an attacker needs to craft a convincing phishing email or to try those usernames against the company’s own login pages.
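To show how such details leak in practice, the script below is an added illustration, not part of the KPMG report (which does not publish its method) and not KPMG code. It assumes the common case that the public data in question is the metadata and body text of documents a business has itself published, and it harvests author names, UNC network paths and email addresses from two invented documents (a PDF and a .docx built in memory). Every name, server, path and address in it is constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# --- Constructed sample "published" documents (invented; not from any real organisation) ---

# Minimal PDF whose Info dictionary still carries the author's account name, as
# exported from an office suite without metadata stripping.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Title (Q3 board pack) /Author (jsmith) /Creator (Microsoft Word) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)


def build_sample_docx() -> bytes:
    """Build an in-memory .docx with leaky core properties and body text (constructed)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        "<dc:creator>a.jones</dc:creator>"
        "<cp:lastModifiedBy>CORP\\mthompson</cp:lastModifiedBy>"   # DOMAIN\user form
        "</cp:coreProperties>"
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>'
        "<w:p><w:r><w:t>Master copy: \\\\fs01\\finance\\q3\\board-pack.docx</w:t></w:r></w:p>"
        "<w:p><w:r><w:t>Queries to finance.team@example.com or a.jones@example.com</w:t></w:r></w:p>"
        "</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def sample_documents() -> dict:
    return {"board-pack.pdf": SAMPLE_PDF, "board-pack.docx": build_sample_docx()}


# --- Harvesting ---

# Simplification: plain, uncompressed Info strings only. A real harvester would use a
# PDF library to handle compressed object streams, hex strings and XMP metadata.
PDF_INFO_RE = re.compile(rb"/(Author|Creator|Producer|Title)\s*\(([^)]*)\)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
UNC_RE = re.compile(r'\\\\[A-Za-z0-9._-]+(?:\\[^\s\\<>"|?*]+)*')   # \\server\share\path
OOXML_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def pdf_metadata(data: bytes) -> dict:
    """Return the plain Info-dictionary strings found in a PDF."""
    return {k.decode(): v.decode("latin-1") for k, v in PDF_INFO_RE.findall(data)}


def docx_metadata(data: bytes) -> dict:
    """Return core properties plus a crude plain-text rendering of the document body."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        body = z.read("word/document.xml").decode("utf-8")
    return {
        "Author": core.findtext("dc:creator", default="", namespaces=OOXML_NS),
        "LastModifiedBy": core.findtext("cp:lastModifiedBy", default="", namespaces=OOXML_NS),
        "Text": re.sub(r"<[^>]+>", " ", body),   # strip tags; enough for a demo
    }


def harvest(documents: dict) -> dict:
    """Collect the three categories the CVI counted from {filename: bytes}."""
    usernames, folders, emails = set(), set(), set()
    for data in documents.values():
        if data.startswith(b"%PDF"):
            meta, text = pdf_metadata(data), ""
        elif data.startswith(b"PK"):            # zip container, i.e. OOXML
            meta = docx_metadata(data)
            text = meta.pop("Text")
        else:
            continue
        for field in ("Author", "LastModifiedBy"):
            who = meta.get(field, "").strip()
            if who:
                usernames.add(who.split("\\")[-1])   # CORP\mthompson -> mthompson
        blob = text + " " + " ".join(meta.values())
        emails.update(EMAIL_RE.findall(blob))
        for path in UNC_RE.findall(blob):
            leaf = path.rsplit("\\", 1)[-1]
            folders.add(path.rsplit("\\", 1)[0] if "." in leaf else path)  # drop the file name
    return {"usernames": sorted(usernames), "network_folders": sorted(folders), "emails": sorted(emails)}


if __name__ == "__main__":
    for category, items in harvest(sample_documents()).items():
        print(f"{category}: {items}")
```

Run the same harvester over your own public-facing documents before an attacker does: anything it returns is what a phishing campaign or a password-spraying attempt against your login portal will start from, and the fix is to strip document metadata and internal paths before publishing.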
MAN V MACHINE
The most effective weapon against the cyber threat in a business is its people. Malcolm says: “Staff are your strongest defence, because you can invest in technology forever and you’ll still be vulnerable. There needs to be a focus around behaviours and ensuring that your contractors and those in the supply chain understand what the threats are and how they might be targeted. Then they will know how to spot something suspicious, know what, for example, phishing attacks are (see jargon box below), and will therefore be more alert to the dangers. Although most organisations have an array of risk and compliance messages that people need to follow, we found it most effective to avoid a generic awareness campaign and have a targeted approach, with categories of staff given specific education programmes that catered for how they use data and the risks that it presented.”
It means having a person in the company who is directly responsible for ensuring the safety of the organisation. Malcolm says: “It is essential for a large organisation to have a Chief Information Security Officer. It is standard in large financial institutions and we’re seeing it increasingly in large corporates, either on the same level as CIO, or a level down… In a heavily internet-dependent business, then arguably that pushes the role onto the executive board.”
The fast changing nature of the threats means that businesses need to invest, strategically and financially, in order to stay ahead of the criminals. “Two years ago people were worried about accidental loss of data on an item like a laptop or a memory stick,” says Malcolm. “That’s embarrassing, but losing intellectual property or losing deal data has potentially much greater financial consequences.”