With companies facing a wide variety of cyber threats, it is the responsibility of the CEO to recognise the dangers, be technologically prepared and minimise the risk posed to both customer and firm data.
Cyber continues to be a major concern for CEOs. “Two things keep me awake at night,” says Mark Wilson of Aviva, “cyber-crime and geopolitical issues. You need to be fast-paced and agile or you’re toast.”
While CEOs believe they are making progress, due to the controls they have put in place, the need for vigilance remains. CEOs tend to have a better understanding of cyber risk than ever before but many still don’t ‘own’ cyber to the extent they should.
Major cyber-attacks, such as the recent WannaCry global ransomware attack, have put cyber security on the radar of business leaders. But is it a case of more talk than action?
“I don’t believe it’s all talk,” says Michael Daughton, Head of Cyber at KPMG Ireland. “People are focussed on it. Events like WannaCry take away complacency because people see the impact.” He points to a shift in attitudes to cyber security. “Up until three years ago or so, it was seen as an IT problem, and was not seen as a big issue from the CEO’s perspective, or indeed as a broader business issue.”
An increased regulatory focus on cyber security is also driving change. For example, Daughton emphasises that regulators are increasingly concerned about how companies treat personal data. “There are new data protection requirements coming into play for all EU based companies from May 2018. This impacts on every company in the EU that holds any sort of personal data. It could be customer data, but also supplier data or data on employees.”
Daughton says that these new rules will “really ramp up the requirements in terms of data protection and firms with EU operations who fail to comply could face potential fines.” A data breach or other sort of cyber event is not just an issue for those whose data could be affected. For investors too, cyber security is a big issue. Daughton believes a cyber event could decrease investors’ appetite for a company. “Protecting core data is a board issue now,” he says. “Ultimately the CEO will be held accountable if there’s a security breach.”
56% in ROI, 48% in NI believe they need to do more to combat cyber security “fatigue” in their organisation.
A ransomware attack involves a company’s data being “locked” (encrypted) until a payment is made. Another recent trend is so-called CEO fraud, in which staff receive an email that purports to come from the company’s chief executive. “The email asks the staff member to do something such as make a payment,” Daughton explains. “A number of companies have been caught by this type of approach and predicting what’s coming down the tracks is difficult as it’s moving so fast.”
However, Daughton believes that there are ways of mitigating the risks. Given the wide range of threats that companies face, a cyber audit is increasingly important. “It is an assessment of the key risks and threats, and the likely controls,” he explains. Identifying key data, and where it is, is at the heart of a cyber audit. “That can be a very challenging thing for companies to do - they need to know what is on email, what’s on paper, what’s shared with third parties, and what needs to be protected.”
Carrying out a cyber audit should allow a company to address a number of important questions: Where is critical data stored? Who can access it? If the company outsources any work, what procedures and protections have the third party got in place?
An overwhelming majority of CEOs, regardless of jurisdiction, believe that people are the biggest challenge when it comes to tackling cyber security. “The human factor is quite important. Some of that is down to not understanding the potential risk,” says Daughton. “Training and awareness is a critical part of this.” Once a company has identified any potential weaknesses and put controls in place, ongoing monitoring is critical. “There needs to be a clear reporting system - for example, what reports do the board get on key threats and vulnerabilities?”
When it comes to cyber security, Daughton stresses that companies need to have a plan in place to deal with a crisis. “Big companies are simulating crisis scenarios - you try to protect against the risk, and prevent something going wrong but you must also be prepared for something happening. If you have a plan, you know where to start.”
“The types of attacks are also continually evolving, so companies face challenges on numerous fronts.”
Companies must also strike a balance between innovation and risk management, Daughton believes. “The technology within companies is developing all the time – businesses want new technology. Things like big data, data analytics, cloud computing and so forth. This provides more links to the outside world, and creates more risk.”
According to Daughton, a key question for CEOs is who is responsible for cyber security within the organisation. “Some companies have a chief information officer (CIO) and some larger companies are appointing chief information security officers to manage cyber risks. However that’s not necessarily feasible for smaller companies.” One lesson, regardless of scale, is not to leave that question unanswered.
Globally, just over two in five CEOs say they feel prepared for a cyber event, up from one in four last year. In the Republic, almost nine out of ten CEOs feel fully prepared for a cyber event, whilst a significantly lower one in five (20 percent) express similar confidence in Northern Ireland. Cyber events can take many forms, as Daughton explains. “There’s a misconception that it is all about hacking into systems,” he says. The reality is much broader, with companies facing a wide variety of threats, such as ransomware, distributed denial-of-service attacks, customer data theft and social media account hijacking.