Kathy Gibson reports from Kaspersky Labs’ conference in Lisbon – Companies can no longer hope to remain free of cyber-security attacks because they have been and will be attacked. The challenge now centres on whether they know about the vulnerabilities, and what they are doing to prevent them in future.
That’s the word from Raddad Ayoub, a partner in EY’s transformation centre of excellence in the Middle East, who warns that not a day goes by without something new coming up in cybersecurity.
“Large organisations are losing millions of dollars, goodwill and – most damaging – their reputations because of attacks,” he says. “When companies are under the spotlight because of data loss the impact is almost unquantifiable.”
Government organisations are also under attack, he adds, because public organisations in the region are typically those that own and manage critical infrastructure.
“If you are in business today, it is no longer possible to conduct business with an absolute assurance of cyber-security,” Ayoub warns. “And, with organisations relying on a vast amount of digital data to do business, cybercrime is growing ever more damaging to organisations and their brands.”
The interconnectivity of people, devices and organisations opens up new vulnerabilities, he adds. Meanwhile, new technologies, regulatory pressure and changing business requirements call for more security measures.
“What companies used to know and do to protect their most valued information is no longer enough,” he says. “It is getting more difficult to get ahead of cybercrime. There is a lack of skills, lack of budget, lack of agility, with more threats and a disappearing perimeter.”
The EY 2014 security survey found that cybercrime today is big business. Most of it is organised crime, with some of it state sponsored. And the groups carrying out attacks are patient and sophisticated.
The cybercriminals take advantage of vulnerabilities in the entire operating environment, including people and processes.
Meanwhile, operational technology systems are frequent targets for cybercriminals and represent the highest risk in the region.
For organisations, cyber security needs to stop being an IT issue and move into the boardroom as a business issue, Ayoub says.
“It is important for companies to change the ownership and accountability of security,” he says. “Security is not fundamentally an IT issue; it is a business topic.”
The security agenda is shifting in most organisations, he adds. Currently, 20% of companies believe it is a topic for the CEO to handle; 28% say it should be a CFO issue; and 25% believe it is the responsibility of the CIO.
“But boards are challenged by the topic of cyber security,” Ayoub says. They have to deal with a crowded agenda, with pressure in all areas – and often, they simply don’t have time to talk about security and, when they do, it gets fleeting focus.
In addition, security is usually delegated to the IT department, and thus remains siloed.
For boards, the risks associated with IT are difficult to gauge, and the threat is hard to predict. This makes the risks and their potential impact difficult to understand or to quantify.
In addition, the pay-off for security is “invisible”. With scarce resources, it is a difficult decision to invest money, people and time to achieve an unknown and unpredictable benefit that technology people struggle to communicate.
EY recommends a three-stage approach to cyber-security threat mitigation, consisting of activate, adapt and anticipate.
In the “activate” phase, companies establish solid foundations. Security at this stage is bolt-on, focused on safeguarding the current environment, with a static approach.
Companies in this phase agree that they need to improve their security, and need to look at setting up a security operations centre (SOC).
In the “adapt” phase, businesses must constantly change, adapting to a changing business environment and to the evolving threats that come along with those changes.
In this stage, companies would add a number of features: built-in security, a focus on the changing environment and a dynamic approach.
In the “anticipate” phase, the final stage of cyber-security protection, companies will be in a state of readiness, able to anticipate what is likely to happen and to prepare, act and respond accordingly.
This means shedding the “victim” mind-set of operating in a perpetual state of uncertainty and anxiety about unknown cyber-threats. It means building awareness and advanced capabilities, developing a compelling strategy and installing cyber-security components throughout the business. It means promoting confidence in the organisation’s ability to deal with cyber-crime.
To be in this stage, organisations need to have built-beyond security; a focus on the future environment so they can continually learn and evolve; and a proactive approach.