By Mike Maddison, EMEIA Cyber Security Leader, EY.
There’s a new way of thinking about cyber security.
New security approaches are moving from treating cyber security as a defensive measure to treating it as a source of competitive advantage.
With Boards looking at how to protect, optimise and grow their businesses by sustaining IP, assets and brand, here are four ways to position your cyber security strategies for a distinct advantage.
1. Have a quantifiable risk
Thinking about cyber security only defensively makes it hard to understand the value of security investments. By putting a value on data risks, you can start to think about cyber security in terms of ROI.
The Board want to know what an appropriate response is in the context of the business.
Today, the effects of suffering a data breach can include a 6% drop in share price or losing 100,000 customers, as we’ve seen with recent company cyber-attacks. It can mean spending too much, on too many tools, or not making a move in the market.
By measuring business risks, and outlining security investments in terms of revenue, share price, brand and valuation opportunity, and not just as a cost, you can start to have a better grip on the extent of your cyber security advantage and ROI.
2. Make it a team sport that everyone is a part of
The number one cause of large security breaches remains phishing, according to our global information security survey of over 1,200 companies. On mobile devices, phishing attacks have increased 85% year on year for the last seven years. Therefore, you are still more likely to be made vulnerable by a member of staff clicking on a rogue email than by anything else.
This is often the result of a lack of cyber security awareness, whether it be through generic malware, scams related to fake LinkedIn profiles, or hacks on public Wi-Fi as staff attempt to watch highlights of this summer’s World Cup on their mobile devices.
As per our EY technology, media and telecoms survey, Scoring goals in FIFA World Cup viewing, 59% of consumers are expected to watch the tournament, and 31% believe watching it on their smartphones will be a good viewing experience. Therefore, developing a culture where staff at all levels understand how to protect data and systems, including mobile devices, through up-to-date training, drills and regular communication, will help build and maintain a cyber security advantage. And not just during the World Cup and at major events, but at all times!
Cyber policies are vital as a living, breathing reference to help manage a fraught and fast-moving situation, yet these aren’t effective if staff outside of the cyber function don’t know about them.
Embedding a cyber-conscious culture that heightens awareness and behaviours amongst all employees can help you pull ahead of the competition, instead of scoring an own goal.
3. Keep to a small window for damage control
The UK’s national cyber security agency recently described a need to act collaboratively and collectively against cyber threats, urging organisations to raise the bar.
Cyber threats don’t respect borders, jurisdictions or organisational boundaries, and there is a small window to minimise the damage.
Speaking at InfoSecurity Europe last month, I discussed with a panel of global CIOs how, under GDPR, the new mandatory 72-hour breach reporting could be too long a timeline in the court of public opinion, and how focusing on the first 2 to 5 hours instead could provide a much-needed step advantage.
Outlining the key stages of your breach response in the first few hours, across functions from IT and security to PR and legal, and identifying at which points to get an external view, could make the difference between a forgiving public and an unforgiving one when you have to appear on Newsnight.
As we start to see more threats and regulations emerge across the world, how businesses come together, under extreme time pressures, will provide much needed collaborative and competitive gains.
4. Use different approaches for evolving risks
Cyber risks aren’t constant. The nature of the risks is constantly changing. That means resources to fight them can’t be allocated on a set basis.
Increasingly, cyber security requires bringing together a wide range of capabilities to deliver business value, whether through enhancing cyber resources with new skillsets or leveraging emerging technology, from hardware authentication and virtualised intrusion detection through to AI and machine learning.
With cyber security increasingly becoming a competitive battleground, that’s all the more reason to start thinking about how your company can build an effective cyber security advantage.