Sergey Nivens - Fotolia

Business needs to get real about cyber security, warn BT and KPMG

Businesses need to change the way they think about cyber security from the board down to avoid getting caught in common traps and becoming vulnerable to attack, a report warns

Cyber security must become something that everyone in an organisation always thinks about, according to the latest report on securing the digital enterprise by BT and KPMG.  

The report outlines the five stages of a typical journey towards cyber security maturity, highlights some common pitfalls, and suggests how organisations can move on to the next stage.

Typically, organisations start off in “denial”, before moving on to “worry”, followed by “over confidence”, which leads to “hard lessons” being learned, before achieving security leadership, the report says.

However, the report warns against getting stuck in these various phases by avoiding making common mistakes in the face of the challenges presented by each one.

In the “denial” phase, companies typically believe cyber crime affects only large companies and industries such as banking and finance, oil and gas, and retail.

The hard reality, the report says, is that all firms face cyber attacks, which means any business is a potential target.

Back to security basics

Mark Hughes, CEO of BT Security, said the global scale of the WannaCry and Petya attacks showed the speed at which even the most unsophisticated attacks can spread around the world.

“Many organisations could have avoided these attacks by maintaining better standards of hygiene and getting the basics right,” he said.

“These global incidents remind us that every business today – from the smallest sole trader to SMEs [small to medium-sized enterprises] and large multinational corporations – needs to get to grips with managing the security of their IT estate, as well as their people and processes.

“This report aims to help secure the digital enterprise by navigating businesses through their cyber security journey.”

“Some companies are overwhelmed by the scale of threats that are out there, and don’t know how to compute what they could be at risk from”
Mark Hughes, CEO of BT Security

Another common trap in this phase is the belief that there is really nothing that can be done about cyber threats. “Some companies are overwhelmed by the scale of threats that are out there, and don’t know how to compute what they could be at risk from,” said Hughes.  

But the basics help, says the report, pointing to advice from the National Cyber Security Centre (NCSC) that just getting the essentials right will block a significant number of attacks. This includes teaching staff about how criminals work, keeping software up to date, using strong passwords and backing up data.

Good security cannot be bought

While the report emphasises that investment in technology such as firewalls and antivirus protection is essential “good housekeeping” practice at the start of the security journey, firms should avoid throwing money away on IT security products as a knee-jerk reaction.

This is especially true, the report says, for companies that have matured from the “denial” phase into the phase of constant “worry”, where investing in the latest technology can be viewed as the perfect solution.

This common mistake, the report says, can make firms a target, not just for cyber criminals, but also for over-zealous security suppliers.

The report also argues that overly complex IT architecture can worsen security gaps, particularly if the technology deployed is too difficult to use or there is a lack of integration.

David Ferbrache, technical director in KPMG’s cyber security practice, said the recent spate of cyber attacks is keeping cyber risk at the top of the business agenda and driving security investment.

“The business community needs to avoid knee-jerk reactions because cyber security is a journey, not a one-size-fits-all issue, and getting the basics like patching and backup right matters,” he said.

“It’s important to build a security culture, raise awareness and remember that security needs to enable business, not prevent it.”

Adapt cyber defences to changing threats

Once companies have invested in a wide range of security technologies and put security processes and policies in place, the report warns this can lead to “over confidence”, which can leave them vulnerable to more targeted attacks and insider attacks.

The report recommends that any company that believes it has all the basics covered should relook at its policies, question assumptions and investments, and ensure that all the risks are understood.

One of the key “hard lessons” to be learned, says the report, is that there is no such thing as absolute security.

“It’s not until you’ve been attacked that you realise: it’s part of business in a digital world. No system is perfect. And so that is when firms think more about cyber insurance as they try and soften the blow from a more extreme attack,” the report says.

In this “hard lessons” phase, organisations also tend to begin planning for major incidents, they start conducting cyber exercises, and as a result cyber defences become more responsive. “They’re less about process and compliance, and more about responding to an ever-changing and adaptive threat,” the report says.

True leaders think differently about security, seeing it as an opportunity, enabler of digital transformation and as a business unit, not as a cost centre, the report says. They assess the risk and understand how to apply scarce resources to what matters most, realising they cannot secure everything.

Security leaders, the report says, are involved in building new services, and tracking and monitoring their security to adapt their defences continually to deal with the changing threat.

“But most importantly, they realise that people are at the heart of security. It’s not just about teaching them, but about understanding people and their behaviour, so that you can spot the unusual and the different,” the report says.

View security as a business function

Although cyber security issues are increasingly discussed at board level, the report claims that those discussions are too infrequent and are treated as a separate and disconnected issue from broader operational risk.

“All too often, the issue of cyber security is not incorporated into the overarching business strategy,” the report says.

Criminals, state attackers and casual hackers do not respect boundaries, the report says. “So true leaders build communities of defenders, consider the mindset of the attackers, and see value in making their lives more difficult.”

“It’s important to build a security culture, raise awareness and remember that security needs to enable business, not prevent it”
David Ferbrache, KPMG

The report concludes that, from the board down, organisations must change how they see cyber security.

“The mindset and models will just keep us saying the same things. It’s not sustainable. These myths will become traps, unless we make security another thing we always think about,” the report says.

The role of the chief information security officer (CISO) is shifting from “guard dog” to “guide dog”, the report says. “They are moving into roles which mean they need to start thinking about how security affects bigger business decisions.”

With criminals getting increasingly creative about finding the weakest link, Ferbrache said CISOs of the future need to care about digital risk, help the business seize opportunities and build cyber resilience.

Security recommendations from BT and KPMG

  • Get the basics right, starting with good housekeeping to address the majority of issues.
  • Make sure everyone has a responsibility for cyber security.
  • Focus on protecting the most sensitive information.
  • Continually raise awareness about cyber security issues.
  • Understand how defences protect against actual threats and fill in the gaps.
  • Plan to respond to common attack scenarios.
  • Regularly review company security strategy and underpinning policies.
  • Ensure that security policies and awareness is carried over to suppliers and contractors.
  • Include cyber in the business recovery strategy.
  • Align the approach to security with the business strategy.
  • Focus on good governance processes and the proper integration of technologies.
  • Consider outsourcing some less critical aspects of security to a trusted partner.
  • Become part of a security community and share experiences and security intelligence.

Read more on Hackers and cybercrime prevention