© The Financial Times Ltd 2015 FT and 'Financial Times' are trademarks of The Financial Times Ltd.
September 5, 2014 12:54 pm
Cyberspace is constantly evolving and presenting organisations with previously unforeseen opportunities – from using the worldwide web to attract customers to using cloud-based services to host operations – but it also brings risks companies must do more to anticipate.
Software security provider McAfee has reported cyber crime is a growth industry with high returns and low risks. The company estimates the likely annual cost to the global economy from cyber crime is more than $400bn, a figure higher than the national income of most countries. Yet governments and businesses tend to underestimate how much risk they face from cyber crime and how quickly this risk can develop.
Cyber crime, coupled with the rise in online groups willing to disrupt companies’ web operations (so-called hacktivism), the cost of compliance to deal with the increase in regulatory requirements – and the relentless advances in technology against and under-investment in security departments – can all combine to cause the perfect storm. With cyberspace so critical to everything business-related, from supply chain management to customer engagement, disconnecting from cyberspace completely is not realistic. The commercial, reputational and financial risks that go with cyberspace presence are real and growing every day, however.
The first thing businesses must do is re-examine the assumptions they have made about the internet and adapt to meet these dangers. For example, they need to realise a key component of internet security – encryption – may fail to keep hackers out of their systems. Action on areas such as this needs to be taken immediately, as someone accessing your system can have serious reputational and financial consequences.
Second, cyber resilience, or the ability to withstand ongoing threats of operating in cyberspace, must be reassessed regularly. There are three main reasons for this:
• Cybercriminals are still well ahead of information security professionals. The bad guys are getting better at what they do faster than ever before. At the same time, companies often struggle merely to respond. The situation is made worse by cybercriminals having no budget restrictions, nor having to conform to legislation or comply with regulations – an increasing burden for organisations.
• The cost of investigating, managing and containing incidents will rise as they grow more complex and regulators’ demands increase.
• The insider threat will continue to challenge organisations, because people will remain the weakest link in information security. Whether it is through deliberate or inadvertent actions, groups will still face threats from within.
Although governments have a role in making cyberspace safe, which many are only now waking up to, regulations and law enforcement cannot keep pace with the speed of technology, and organisations need to consider what they may need to do to counter possible the effects of a data breach. Frankly, no one can better protect an organisation’s information than the organisation itself.
Data breaches have become a regular feature of modern life. This will continue as long as efficiency and ease of data access are more valued than security, a state of affairs that makes economic sense for many groups until they suffer a breach of their own. Once a breach happens, the value of security to a means of allowing your business to flourish becomes clearer.
Don’t think cyber security. Think cyber resilience – in everything that you do.
The writer is managing director of the Information Security Forum, a not-for-profit worldwide association, and was previously senior vice-president at Gartner
Copyright The Financial Times Limited 2015. You may share using our article tools.
Please don't cut articles from FT.com and redistribute by email or post to the web.