Only 28 percent of UK CEOs say they are fully prepared for a cyber-event. Martin Tyley, Partner in KPMG's cyber-security team, explores why, if your IT Director says ‘we’re secure’ from the risk of cyber-attacks, you shouldn’t just take their word for it.
Why are we seeing so many successful cyber-attacks, according to the press?
As CEOs know, businesses encounter cyber-attacks on a daily basis. These start with low-end attacks that good processes should help mitigate, but they also include high-end attacks that are difficult to prevent. The events that make the press are a combination of both.
At the high-end, financial crime groups are responsible for many attacks. We also see state-sponsored attacks, which are professional, well organised and well funded. Supporting this, there are illegal markets in security vulnerabilities and business data where attackers are evading law enforcement by concealing their IP addresses and operating from the dark web. Ultimately, cyber-attackers are becoming more proficient.
What this means for CEOs is that, while prevention is always better than cure, they need to plan to detect and recover from attacks too. These preparations need to involve the whole business, not just the IT function.
Yet according to our CEO survey Revolution or Evolution, just 28% of UK CEOs say they are fully prepared for a cyber-event.
What can UK boards do to prepare?
Some organisations will want to build a fortress, but remember that even fortresses can be breached. You need to strike a balance between prevention, detection and recovery.
So, work through some breach scenarios, prioritise them, and then consider which detection controls would be most effective at mitigating the risks. Detection won’t necessarily mitigate the risks altogether, but it may help to quickly initiate a response process that significantly reduces the impact of the breach.
With regard to recovery, think about how you will manage and control the recovery process – and who will be involved, such as communications teams, the legal team, agencies and perhaps external incident response teams too. Trying to make these decisions while you’re under attack, when you’re not sure exactly what’s going on, is almost impossible.
How can CEOs be confident they’re spending the right amount on security?
Conversations on security shouldn’t start with cost; they should start with risk.
How much risk are you carrying? What will your threat profile be in the next few years? These questions will lead you, as a CEO or board member, to an appropriate spend on security.
Thinking about legacy technology is part of this. If you haven’t kept pace with updating systems and software, it’s likely that someone will find a way of attacking you in future.
Some people talk about security spend as a proportion of an IT budget - and that can be anywhere from 2% to 5%. But this isn’t necessarily helpful, because you don’t only need to spend in IT in order to be secure. You also need to spend on things like ensuring supply chain security and making sure staff are appropriately briefed. It’s not just about buying IT equipment.
So if the IT director says ‘we’re secure’, is that not enough?
No, it’s not. As a CEO, you can’t rely solely on the IT director as they are not necessarily a cyber-specialist. They might know what’s happening in IT, but can’t know what cyber risks are being created throughout the rest of the company. It’s very likely that they may not be armed to challenge, interpret or ask for expansion on what they’re being told by the business.
My view is that, wherever there is data that might be at risk, somebody in the business should ‘own’ that information. That individual should be the person who decides how valuable it is, whether the control arrangements in place are adequate based on its value and whether or not the residual risk is one they’re willing to take. Residual risk should be considered not only by the owner but at a corporate risk oversight level too.
That way, organisations can be discriminating about where they put their effort - and where they spend their money.
For further insights into the cyber security concerns of global CEOs, visit www.kpmg.com/CEOOutlookCyber