In a speech earlier this month, Richard Horne, chief executive of the U.K.’s National Cyber Security Centre, said that the organization believed the severity of the risk facing the country was being widely underestimated. “There is no room for complacency about the severity of state-led threats or the volume of the threat posed by cyber criminals. The defence and resilience of critical infrastructure, supply chains, the public sector, and our wider economy must improve,” he added.
Launching the NCSC’s eighth annual review, Horne — who was appointed to the position earlier this year — said that since taking on the role he had been struck forcefully by “the clearly widening gap between, on the one hand, the threat and our exposure to it and, on the other, the defences that are in place to protect us.” He stressed that there was a clear need to “increase the pace we are working at to keep ahead of our adversaries.”
He concluded that it was no longer enough to talk about being resilient. All those involved needed to take crucial steps that bolstered defences and improved the capability to combat cyber threats. It was also important to build the ability to continue operating, and to recover, when attacks did succeed.
Fortunately, many in business have begun to acknowledge that cyber attacks are not isolated incidents and can have significant effects in terms of costs and reputation. As a result, they are spending increasingly substantial sums on technology designed to protect themselves. This is helpful to a point, but technology is only part of the problem.
Cate Pye is global head of cyber security at PA Consulting, a management consultancy. She explains that the firm has adopted the notion of “digital trust” because it believes it is “what you need to build as an organisation so that people internally and customers trust what you are doing with their data.” If not, she says, “they will vote with their feet.”
Hitherto, cyber security has largely been seen as an issue of technology, with IT departments at the centre of the battle to protect organizations from a problem that last year cost $2 trillion. But there is an increasing awareness that the human element is crucial, too. As Pye says, the notion of digital trust is “a core change in mindset.”
Mike Britton, chief information officer at Abnormal Security, the San Francisco-based company specializing in protecting organisations from cyber attacks based on email, also points to the importance of trust and human behaviour. Stressing that “the cyber threat will be here as long as we have email,” which he says was never designed to be a secure form of communication, he points to the need to understand the trade-offs between usability, productivity and risk. The increasing use of personal devices for work has created a particular problem, which he counters by making it “super easy” for Abnormal employees to operate within the corporate environment, but “very noisy and difficult” to do so outside it.
An approach being increasingly widely adopted is to apply the long-established concept of scenario planning to the issue, with teams put through exercises that alert executives to the dangers and help them plan appropriate responses. One of the leaders in this area is Immersive Labs, a U.K.-based company left by James Hadley, a Forbes contributor who was formerly at the GCHQ cyber school.
Pye has had extensive experience of cyber security both in government departments and in the private sector. She says there is a need for robust systems and also “people who are cyber-savvy.”
While increasing regulation is helping board members focus on cyber risks, the real issue is changing individuals’ behaviour so that they are more aware of how, for instance, simply opening an attachment in an email can create a breach. Moreover, with more and more people working outside conventional offices on hardware that might not be totally secure, the chances of such an incident become much greater.
By carrying out regular exercises, organizations can become better prepared in much the same way as fire drills help them deal with more conventional emergencies. In addition, individuals have the benefit of shared experiences. The idea, says Pye, is “to build muscle memory, so it’s not quite automatic, but you know what you need to do.”
The best exercises, she adds, will see technology and cyber teams respond to a realistic cyber incident at the same time as escalating the important decisions up through management to the board. This provides a safe environment for the most accountable leaders of an organization to experience the challenges of a cyber incident and practise their decision-making.