The internet has become a crucial part of daily life for individuals and business. As such, cyber security is crucial to all businesses, regardless of size or sector. Without adequate cyber security measures embedded into culture and operations, businesses are taking huge risks. Events throughout 2017, such as the WannaCry ransomware attacks, the Equifax breach and the leaking of thousands of personal emails have received global media attention and exemplified the importance of protecting information which is sensitive both to businesses and their customers.
Understanding and recognising the evolving landscape of cyber threats at board level is essential to the sustainability and competitiveness of businesses. Acting on cyber security requires being prepared for and responding to breaches, and concerns intellectual property, customer information, resources, financial data, employee records, and much more. From coffee machines to driverless cars, everything that is linked to a network has the potential to be accessed by hackers. This increase in interconnectivity is becoming more prevalent with the growth of the ‘Internet of Things’, and the ability to collect much more data, from more individuals, and more sensitive data. The security built into all products and services is becoming even more important, as well as that used by companies in their business practices.
A business’s preparedness for a cyber attack, and how it responds in the event of an attack, can have profound impacts up to and including complete organisational failure. The 2017 Information Security Breaches Survey reported that 68% of large organisations had experienced a security breach of some sort. A FSB report published in June 2016 notes that 66% of small businesses have been victim to cybercrime, often more than once. Each of these crimes reportedly cost small businesses, on average, nearly £3,000. Given the impact of these breaches, cyber security is not exclusively an issue for large multinationals.
Businesses of all sizes increasingly hold enormous amounts of customers’ and employees’ private data, including ‘big data’ and ‘metadata’ on members of the public. Such data can be used to establish detailed and accurate profiles of individual behaviour and consumer habits, raising concerns over privacy and data ownership. Despite the significant financial and ethical dangers that accompany cyber crime, there is significant evidence that cyber security is still not treated as a high-priority strategic issue by many businesses.
The technical elements of cyber security are manifold. So too are the relevant human behaviours, which are often overlooked or not properly considered in the drafting of cyber security rules, regulations and codes. For example, best practices guidelines often include encouragements for employees to change their passwords regularly. However, experience suggests that this often leads to people choosing shorter, less secure passwords, or employees writing them down. These unintended consequences can lead to greater, not lesser, threats of cyber breach.
Advocates stressing the importance of employee behaviour suggest a holistic, joined up approach to cyber security that begins and ends with what people do in the workplace and why. This approach includes:
● Good written rules that are practical and useable, and can be easily understood by everyone in an organisation
● Effective training so staff know what to do and how - there is no substitute to being shown via demonstrations
● Ensuring consistent awareness among staff, such as through notices in common areas
● Rewarding good behaviour and disincentivising rule breaches with sanctions and punishment
● Empowering employees to act through cultivating culture and trust - employees should have a healthy dose of scepticism in regards unusual or risky behaviours.
Collaboration and trust building is essential to cyber security, both within and between organisations. Sharing information on threats between companies allows for organisations to be better prepared and increases their ability to deal with threats. This sort of collaboration depends on trust between individuals, which can be facilitated by trust networks that facilitate information sharing between organisations or individuals, or other routes of networking. Similarly, the reporting of breaches within an organisation is easier when relationships between individuals are strong and built on trust.
Certification to baseline standards on cyber security could help businesses to prevent successful attacks, although this is not suitable for all organisations. The UK Government publishes its Cyber Essentials Requirements, or the ISO/IEC 27001:2013 is a more comprehensive certification developed by the International Organization for Standardization.
In 2018, new EU-wide regulation comes into force, which will affect all businesses processing the data of EU citizens. The new EU General Data Protection Regulations (GDPR) will change the game for both large organisations and SMEs for the security of personal information. Organisations can be fined up to 4% of annual global turnover or €20 Million (whichever is greater) if they fail to protect personal information. Under GDPR, fines can also be issued if an organisation cannot demonstrate it has built security into its systems and processes. Regardless of legislative changes, this is an area that will face constant and potentially rapid change, which businesses will need to be aware of and adapt to.