Managing cyber risk requires change of mindset says expert
IBM’s view is that we are moving towards a ‘smarter planet’, that there is more digital ‘stuff’, more of it is interconnected and it is more complex than ever before. With that complexity, of course, comes more risk, which increases exponentially the more things are connected.
Mr Wilson considered some of the newer cyber risk issues. On cloud computing he said that “although the commercial issues have largely been sorted out, the security issues have not yet been resolved.”
He also pointed to the risks involved with social media, which is having a staggering impact on business enterprise. He highlighted the potential damage that can be done to brands and reputation by social networking, for example when people who are not customers, or who have never bought a product from a company, submit a bad review of an organisation or product on social websites. Indeed, these could be people being paid to damage the company’s brand or reputation, he pointed out.
Another major risk is fines for non-compliance on cyber-related regulation. He stressed that there are numerous specific and cross-sector regulations and standards that exist, and more are on the way. He said that claiming you were unaware of the regulations is no defence and often just makes the fine larger.
According to Mr Wilson, some of the fines that are being handed out can be huge and potentially more damaging than a security breach. HSBC was fined $1.9bn, Standard Chartered was fined $340m and RBS was fined $87.5m. He talked of another high street bank that has put aside $600m for the first half of 2013 just for anticipated fines.
The potential threat of incarceration, together with personal fines, has got CEOs’ attention on cyber risk, he added.
Cyber risk is not all about the huge attack, the closing down of websites, or the theft of huge databases. It is also about what he called ‘data leakage’: the slow leaking of data from a business that isn’t spotted and so goes unnoticed.
Many companies that he worked with said they were quite confident that they weren’t being hacked and that everything was secure. “But, in fact, they are being hacked slowly, gradually ‘bled to death’, because the level of the attack is at the leakage level, with a small amount of the right type of information being taken on a regular, unnoticed basis,” he said.
Equally, the threat does not just emanate from data. What is more valuable to ‘the bad guys’ is data that is turned into information, said Mr Wilson. Information that is turned into intelligence by market analytics and the like is particularly valued. That is what attackers are often after, and this is generally not as well protected as the raw data.
As far as managing the risk is concerned, the aim, he said, should be to move from basic security to security intelligence, where you know intuitively that something is not right.
“The security intelligent environment is able to recover ‘on the fly’ and minimise the damage to the operational business,” he explained. “I would love to say that everybody does the basic stuff, but they don’t, which is why we keep hearing about data breaches and so on. We think there is a need to move from the basic reactive stance to the pro-active security intelligence stance.”
In terms of achieving security intelligence, he had a three-point plan. Get informed, which means taking a structured approach to assessing IT risks. Get aligned, by implementing and enforcing security excellence across the extended enterprise. And get smart, by using analytics to proactively highlight risks and identify, monitor and address threats.