Cyber risk – How to secure your business
The growth in cyber-crime has been one of the standout features of the corporate risk landscape in recent years. There’s no doubt it’s become a top-of-mind boardroom issue. We asked Del Heppenstall, Director at KPMG and a true expert on cyber security. With nearly 20 years’ direct experience in Information & Cyber Security, Del has built up a wealth of experience in advising clients on topics ranging from security strategy and organisational design through to technical security solution implementation and operation.
Del, why are we seeing so many successful cyber-attacks, according to the press?
As CEOs know, businesses encounter cyber-attacks on a daily basis. These start with low-end attacks that good processes should help mitigate, but they also include high-end attacks that are difficult to prevent. The events that make the press are a combination of both.
At the high-end, financial crime groups are responsible for many attacks. We also see state-sponsored attacks, which are professional, well organised and well-funded. Supporting this, there are illegal markets in security vulnerabilities and business data where attackers are evading law enforcement by concealing their IP addresses and operating from the dark web. Ultimately, cyber-attackers are becoming more proficient.
What this means for CEOs is that, while prevention is always better than cure, they need to plan to detect and recover from attacks too. These preparations need to involve the whole business, not just the IT function.
Yet according to our CEO survey Revolution or Evolution, just 28% of UK CEOs say they are fully prepared for a cyber-event.
What can Boards do to prepare?
Some organisations will want to build a fortress, but remember that even fortresses can be breached. You need to strike a balance between prevention, detection and recovery.
So, work through some breach scenarios, prioritise them, and then consider which detection controls would be most effective at mitigating the risks. Detection won’t necessarily mitigate the risks altogether, but it may help to quickly initiate a response process that significantly reduces the impact of the breach.
With regard to recovery, think about how you will manage and control the recovery process – and who will be involved, such as communications teams, the legal team, agencies and perhaps external incident response teams too. Trying to make these decisions while you’re under attack, when you’re not sure exactly what’s going on, is almost impossible.
How can CEOs be confident they’re spending the right amount on security?
Conversations on security shouldn’t start with cost; they should start with risk.
How much risk are you carrying? What will your threat profile be in the next few years? These questions will lead you, as a CEO or board member, to an appropriate spend on security.
Thinking about legacy technology is part of this. If you haven’t kept pace with updating systems and software, it’s likely that someone will find a way of attacking you in future.
Some people talk about security spend as a proportion of an IT budget – and that can be anywhere from 2% to 5%. But this isn’t necessarily helpful, because you don’t only need to spend in IT in order to be secure. You also need to spend on things like ensuring supply chain security and making sure staff are appropriately briefed. It’s not just about buying IT equipment.
So if the IT director says ‘we’re secure’, is that not enough?
No, it’s not. As a CEO, you can’t rely solely on the IT director, as they are not necessarily a cyber-specialist. They might know what’s happening in IT, but they can’t know what cyber risks are being created throughout the rest of the company. It’s very likely that they are not armed to challenge, interpret or ask for expansion on what they’re being told by the business.
My view is that, wherever there is data that might be at risk, somebody in the business should ‘own’ that information. That individual should be the person who decides how valuable it is, whether the control arrangements in place are adequate based on its value and whether or not the residual risk is one they’re willing to take. Residual risk should be considered not only by the owner but at a corporate risk oversight level too.
That way, organisations can be discriminating about where they put their effort – and where they spend their money.
Bite-sized ideas for your next Boardroom agenda:
- Are you set up to detect and recover from cyber-attacks across your entire business?
- When was the last time you rehearsed your response to a relevant breach scenario?
- Does your threat and risk profile match the necessary levels of security investment?
- Have you got data owners in place going beyond the IT function who are clear on what accountability they have for security of that data?
Del, many thanks for the interview.
At the upcoming 3rd European TCG Retail Summit in Amsterdam, Del will outline the approaches that companies can take to get on the front foot in tackling this increasing risk.