Cyber security is a business issue, it should be dealt with at board level and it is about more than technology, speakers told delegates at the inaugural CBI Cyber Security Conference in London.
“Like any other large scale threat to your company, the issue of effective cyber security should be firmly on the agenda of the board,” said Matthew Fell, policy director at the Confederation of British Industry (CBI).
“Cyber threats are a real risk that needs to be managed and, in tackling that risk, businesses first need to get awareness up and then understand what to do with that risk and how to manage it,” he said, adding that cyber attacks are a “big deal” because they could be material to the success or failure of a business.
He said that, while some UK businesses are engaged and spend a lot of money on cyber security, others remain unsure whether they are taking the right action – while many more are woefully unaware and unprepared.
“The critical first step in dealing with cyber security is to think of it as a mainstream risk management issue that should have board involvement. Then it is important to have an organisational response to these issues, because statistics show that 70% of businesses that do not have cyber security well-ingrained suffered a breach in 2014, compared with just 40% among companies with a good level of awareness and preparedness,” said Fell.
The important lesson to take from that, he said, is that cyber security is not just about an IT response. “IT and having good cyber security in place is a critical part of the defence, it is also a people issue. It is about having a cyber security culture, it is about having good risk management and thinking about brand management, financial impact and insurance around that. It is about having an organisation-wide response,” said Fell.
Security as business enabler
Cyber security is no longer purely a technical issue, said Martin Smith, chairman and founder of The Security Company and The Security Awareness Special Interest Group.
“The technology is mature, but cyber security is about making that technology work for the business. It is about the business taking ownership of what is just another business risk, but many organisations are still desperately insecure. Most of them suffer breaches at the most basic level, because the issue is still not being dealt with at board level, as other business risks would be,” he said.
Smith also said that cyber security is a “people problem” because it is people and not computers that make mistakes and commit crimes. “At the end of every security breach, there is a person. It is time organisations recognised this and began dealing with the human factor in security,” he said.
Another important shift that needs to take place in organisations, said Smith, is to start thinking of security as a business enabler and a centre of excellence helping the business achieve its goals in a way that is secure.
The business also needs to understand there are gains to be made by not losing, he said, which can be expressed in terms that the accountants that run most businesses will understand.
Read more about cyber security awareness
“Information security professionals need to start talking about what the business can do if it's cyber-secure, and talk about the great savings to be made by making a relatively small investment in security – they need to change perceptions by talking about cyber security as a business issue and a business opportunity,” he said.
Smith said most business cultures are not “tuned in” to cyber security, which tends to be viewed as “somebody else’s problem” and businesses managers in HR and procurement are typically not involved when they should be.
Line management support is crucial, he said. Employees need to be alert to the dangers, including social engineering; they need to have an easy and recognised way of reporting their suspicions or asking for help; and they need to know how to get the basics of cyber security right.
“By making every employee aware and increasing their understanding of cyber security risks and best practice, organisations can make their security teams as big as their workforce,” said Smith.
A panel discussion on embedding cyber security in organisations concluded that this requires regular awareness training around cyber threats and their impact on the business, in combination with regular tests, exercises and simulations.
