Cybersecurity experts agree the only way for business to be 100% safe from cyber attacks is to shut down all electronic connections, but no business could operate that way. The challenge facing most businesses, in the light of growing cyber threats, is to be secure and succeed in cyberspace. So what's needed?
Technological controls play a role, but that is not the most important element and certainly not the starting point, according to panellists who took part in a debate on the topic at the EastWest Institute's Second Worldwide Cybersecurity Summit in London.
Understanding the risk
Understanding the risk quickly emerged at the most important element. Only by understanding the specific risks associated with a particular line of business in a particular sector and geography, can an organisation formulate a strategy and then choose the most appropriate technologies and processes to support that, says Natalya Kaspersky, chief executive officer at InfoWatch and board chair at Kaspersky Lab.
In addition, it is essential to implement monitoring systems to provide feedback on how all the elements used to support the strategy are working together so that organisations can make corrections or modifications where necessary, says Kaspesky. "Security strategy is a process that must be continually reviewed and modified in response to changing conditions," she said.
Understanding the risks associated with new technologies, such as cloud computing or social media, is an important part of the risk analysis, says Kaspersky. "In the past year, we have identified more than 100,000 threats deployed in social media networks, most aimed at gathering information by cybercriminals for largely unknown purposes," she said.
Assessing the risk
Allied to understanding the risk, it is important for organisations to seek external, objective advice in assessing that risk. Understanding the risk is important because it helps businesses formulate the business case for the security systems, processes and controls they are seeking to put in place, says Martin Sutherland, managing director of BAE Systems Detica.
Not all businesses fully recognise the importance of cyber risks, the size of the threat and how it affects them, but statistics show that at least £27bn a year is lost from the UK economy to cybercrime, says Sutherland. There is a disconnect, he says, because all organisations he works with are under some form of cyber attack, yet in polls, 94% of businesses say they are not being targeted.
"We don't see boards and senior managers taking cyber threats seriously. Cybersecurity is often delegated to IT departments which put in place generic defences that are not aimed at specific threats," he said.
Identify potential cyber threats
Businesses need to add cyber threats to the risks they consider. It should be a top-down approach, says Sutherland, with boards asking questions such as: Who are potential attackers? What are their motives? What impact would an attack have on the business? "In general, boards are not applying a risk approach to IT infrastructure and corporate data," he said.
A risk-based approach also enables businesses to look beyond their own organisation up and down their supply chain, which is increasingly global, to identify all potential cyber threats to the successful operation of that business.
This will help businesses to focus on investing in the long term in raising the barriers at all points of potential entry by cyber attackers, says Matt Bross, chief technology officer at Huawei.
Information sharing is vital
What needs to be done beyond building IT strategies based on an understanding of risk?
Another key requirement for balancing data security with business success is good governance and, more specifically, aligning business governance with IT governance, which again requires board-level involvement and understanding, says Sutherland.
Information sharing about cyber threats is another important area. Many organisations do not know what the real threats are, says Kaspersky. She points out that one of the biggest challenges here is to find a way for competitors to share this information anonymously. Without such a mechanism, organisations will continue to keep things private to avoid losing competitive advantage.
Sharing information about the kinds of threats organisations are facing is probably the most valuable, according to Sutherland.
There needs to be a change in mindset and culture at board level, says Vartan Sarkissian, chief executive at Knightsbridge Cybersystems. Cyber attacks are global, but the mindset is still local and not geared towards sharing key information about cyber threats.
Raising awareness of security
Security awareness throughout an organisation is another key element to enabling organisations to be secure in cyberspace. Everyone in an organisation should understand that they have a role to play in keeping corporate and customer data safe, says Matthew Kirk, group external affairs director at Vodafone Group.
"It is important not to overlook people within an organisation, because security ultimately comes down to people using technology in secure ways," he said.
Finally, businesses have a wider role to play by taking part in public-private partnerships aimed at improving security for all in cyberspace, says Kirk. Government alone cannot secure cyber society, he says, because it is too dependent on the private sector. Also, cybersecurity is not just a national issue, but international in character.
The key approach for business then should be to use every means possible to understand the specific risks to the organisation at a board level, formulate a strategy to minimise those risks, and then invest in the most appropriate technological controls and security processes to support that strategy.
Read more on cybersecurity:
- How is cybersecurity linked to economic security?
- Cyber attack could bring nation to its knees, BT chairman tells cyber security summit
- Francis Maude calls on public to tackle cybercrime as public services go online
- UK finally ratifies the convention on cybercrime
- FBI says audit does not reflect cyber investigation capabilities
- EastWest Institute pioneers internal trust in cyberspace