In 2007 I queried whether encryption was the “silver bullet” to dealing with cyber security; it’s a question that is still being asked today. Unfortunately, there is no single solution to this multi-faceted issue.
We are increasingly living in a digital age that provides significant economic and commercial benefits for businesses. Increased speed of communications enables faster trading systems, and the increased use of mobile and collaborative technologies allows for more efficient working, including home working. Digitisation has also led to the creation of new business models, such as Uber, Airbnb and AmazonGo.
However, there is an inherent risk in the system that we’ve developed. It’s based on an open system infrastructure originally designed to provide resilience in the event of nuclear war. The digitisation of business has been matched by a growth of criminal activities seeking to exploit that inherent weakness. The popularly quoted annual Poneman Institute report indicates the cost to UK business increased by 14 per cent in mean value in 2015 – and that small organisations bare a proportionately higher cost than large companies.
Every threat brings new opportunities and ICT companies are keen to promote products as providing the single solution for dealing with cyber security. Unfortunately, technology is frequently dependent on legacy products that were not designed with security in mind. These risks are likely to increase as criminals employ more sophisticated measures to identify exploits, which will include artificial intelligence and machine learning techniques in the near future.
Clearly, technology can only provide part of the solution to dealing with cyber security and there is a need to consider the problem from a wider range of perspectives. The most common events rely on human engineering to gain access to systems or to commit traditional fraud. Consequently, we need to change our cultural approach to privacy and confidentiality. Awareness training and testing is critical and should play a dynamic part in building business resilience.
John Chambers, CEO of Cisco, is quoted as saying there are two types of companies; those that have been hacked, and those that don’t yet know it. Business resilience planning is a common activity and should now include the preparation of a response plan for such an attack.
For example, the business resilience plan will need to include a media response plan. The TalkTalk hack and Dido Harding’s subsequent BBC interview is frequently cited to justify media training, but this should not be limited to senior executives. Social media accounts are often managed by junior staff. Protecting brand reputation may be as or more important than the technological response.
Cyber insurance is currently a nascent market: the nature of cyber-crime is changing and evolving, and insurance underwriters do not have sufficient evidence to understand the implications or consequences for businesses. Equally, the issues and risks for businesses in different sectors vary. Business resilience planning plays an important part in obtaining the right insurance and, since the Insurance Act 2015 came into force, an increasingly critical role in meeting the information obligations of a business.
Like the cut of a diamond, achieving good cyber resilience is multi-faceted: it needs to consider available technologies and system engineering, the human machine interface and social engineering, the consequences of a successful attack including reputation management, and it needs to be backed by insurance that is relevant to the nature of the business. If there is a “silver bullet” to dealing with cyber security it lies in the conduct of good due diligence and the development of a comprehensive business resilience plan.
Stewart James, a partner in the commercial team at Ashfords LLP.