UK firms cannot combat cyber attacks without boardroom collaboration
Companies are a work in progress when it comes to cybersecurity, an IBM study has found.
Following the survey of more than 700 C-suite executives in 28 countries on cyber security, IBM UK managing partner Greg Davis says what stood out for him was how the majority of organisations are still not managing security as a business risk.
“Security is not going away and is not a problem you fix once and forget, it is a business risk that needs continued mitigation and management in the same way as more traditional and established business risks,” he says.
Although the survey found that 68 per cent of C-suite executives view cyber security as a top concern and 75 per cent believe a comprehensive plan is important, IBM only classified 17 per cent of respondents as “cyber-secure”.
“There is a broad spectrum of cyber-secure maturity levels across companies in the UK. In general, the more regulated the industry, the more cyber-secure they tend to be. However, even more mature companies lag behind the latest thinking in terms of managing cyber risk,” says Mr Davis.
“In the financial services sector, you’ll generally find clients have to be more secure, they are at the top end of the spectrum, but as you come further down the curve you’ll find some industries are lagging in terms of investment and understanding of how to address the cyber-secure challenges.”
IBM’s global head of cyber security intelligence Nick Coleman points out that recognising security as a concern isn’t enough, it is about how that translates into practical solutions in the boardroom.
“Yes, a lot of senior leaders recognise the importance, but then as we start to drill down into the details, the question is really what to do practically? For example, 57 per cent of the HR officers have rolled out employee training – so nearly half haven’t. This is where cyber security gets put to the test,” he says.
While most C-suite executives are aware of how important cyber security is to their organisation, they are still confused about just who their companies are fending off and how to keep themselves safe. More than two-thirds of the respondents thought that rogue individuals were the biggest threat, but a United Nations report recently found that 80 per cent of cyber attacks are driven by highly organised crime rings.
And although many C-level executives realise that collaboration across industry is necessary to defend against cyber crime, there’s a lot of reluctance when it comes to sharing their own information. Over half of chief executives agreed that more industry collaboration was needed and 53 per cent want cross-border information-sharing. But only 32 per cent of them were willing to share information about incidents externally.
However, this should be helped by new efforts from the UK government and European Union. “The government has been involved for some time in trying to help companies to share information through the Cyber Security Information Sharing Partnership (CISP), to which a number of companies have signed up,” says Mr Davis.
“The Network and Information Security Directive out of Europe is a good example of regulation where, as it’s emerged, it’s looking in good shape to help drive security up not just in the UK, but in Europe and beyond,” Mr Coleman adds.
And beyond regulation, there’s much that companies can be doing now to put themselves in the cyber-secure category. IBM found the leaders that were heading up the most secure firms had made IT security a regular agenda item for board meetings and were making sure all the C-suite were involved, not just chief information security officers (CISOs) and chief information officers (CIOs).
Those firms that IBM considered cyber-secure were making C-suite collaboration a priority, as well as keeping cyber security regularly on the board’s agenda
In the study, 77 per cent of chief risk officers and 76 per cent of CIOs reported that their organisations’ cyber security plans were well established. But only slightly more than half of chief executives agreed and the chiefs of marketing, finance and human resources were similarly sceptical.
CIOs and CISOs may be feeling confident in their technical measures to combat cyber crime, but they need to accompany that with business risk management from the other executives. Almost 70 per cent of respondents acknowledged that their plans failed to incorporate adequate C-suite collaboration across the board, with many executives feeling left out of the cyber security process.
Keeping the cyber security conversation technical bars key executives from participation and this is particularly worrying for marketing, finance and HR. In the study, 57 per cent of chief marketing officers, 59 per cent of chief human resources officers and 62 per cent of chief financial officers said they were not involved in the topic of cyber security. But these sections of the business hold the data that is most coveted by cyber criminals – customer, employee and financial information.
Those firms that IBM considered cyber-secure were making C-suite collaboration a priority, as well as keeping cyber security regularly on the board’s agenda. Every board member doesn’t need to become an IT expert, but they should know enough about the cyber security risks the firm faces to understand and monitor the controls in place.
To stay secure, firms need to evaluate the risks they face based on their industry, geography and ecosystem, and focus security on the risks to the key assets. It’s inevitable that people will, for example, click on links in e-mails, says Mr Coleman, but good organisations are mitigating some of the risk by doing annual training in conduct and ethics to help employees understand the risks. They also have processes in place to deal with the situation when people do click on a malicious link or see something malicious.
Mr Davis says that in his experience, the UK and Europe generally are relatively sophisticated in their cyber security maturity, but being in the top quadrant shouldn’t make British firms complacent.
Mr Coleman concludes: “The UK has spent quite a lot of money and addressed it earlier than other countries, but there are large-scale breaches in the UK, the same as anywhere else. And large, sophisticated breaches are happening increasingly, which means we’ll have to continue to raise our game.”