
Why cyber security is more than an IT issue
Cyber threats are a board-level issue. Now the C-suite is in the firing line more than ever before
Experts have called on company executives to assume greater responsibility for cyber security in the wake of breaches that have had major privacy and economic impacts.
“Every CEO, every chairperson, every board of directors has a moral, a legal and an ethical obligation to be responsible when it comes to cyber security,” says Andrew Clarke, Group Chief Strategy and Global Business Development Officer at Assured Cyber Protection (ACP).
Recent data breaches have highlighted the need for greater board-level oversight of cyber security matters, Clarke says.
In August 2020, for example, the Marriott International hotel group faced a collective action lawsuit in London’s High Court for an alleged failure to protect personal information relating to hundreds of millions of guests.
The lawsuit came after Marriott revealed in 2018 that hackers had been able to access guest records since 2014. The records included names, home and email addresses, phone and passport numbers and credit card details relating to guests at Marriott’s W Hotels, Sheraton Hotels & Resorts, and Le Méridien Hotels & Resorts chains.
“That board of directors narrowly escaped a libel suit action for not doing what they should have done,” says Clarke. “The judge ruled they weren’t liable, but in future ignorance would not be a justifiable excuse.”
The Marriott incident, which resulted in an £18.4mn fine from the UK Information Commissioner’s Office, is just one of many large cyber attacks in recent years.
In May 2020, for example, the airline EasyJet suffered a breach in which hackers gained access to the email addresses and travel details of around nine million customers and stole the credit card details of 2,200.
And in June 2021, a ransomware attack disabled North American and Australian operations at JBS, the world’s largest supplier of beef, prompting concerns about meat supplies.
As recently as March 2022, hackers managed to halt production at 14 Japanese factories belonging to Toyota, the world’s largest carmaker, and its subsidiaries Hino and Daihatsu. The stoppage reduced output by 13,000 vehicles a day.
“We’re definitely seeing a change in the cyber landscape, in terms of increased threats but also in terms of the nature of the threats,” says Susannah Odell, Head of Digital Policy at the Confederation of British Industry. “And it’s appearing on the radar more often at board level.”
The likelihood of falling prey to hackers has increased since the Covid-19 pandemic as companies have hastened to roll out digitisation programmes. In the first three months of the pandemic, 60 per cent of UK companies adopted new digital technologies, Odell says.
However, few companies have the skills in-house to provide adequate protection for IT systems. Battling with increasingly complex systems, IT teams might not have much incentive to look for holes in cyber security, says Mitchell Scherr, Chief Executive Officer at ACP.
“I don’t know any IT folks that are going to say, ‘We’ve got a problem,’” Scherr says. “They’re afraid for their jobs.”
At the same time, hackers now have more tools than ever with which to crack corporate defences. Hacker groups have professionalised to the point of working with affiliate networks and offering sophisticated products such as ransomware as a service.
Scherr says continued ignorance of cyber threats on the part of board members could result in tighter regulations. “In 1992, the Sarbanes-Oxley Act was passed to deal with corporate abuse in the US and one of its regulations is that ignorance is no longer a defence,” he says. “The CEO goes to jail.”
For the good of their livelihoods and their reputations, executives might want to take the initiative and begin treating cyber crime like the existential threat it really is.