How can FDs know whether they’re just a victim of ‘cyber security hype’ and paying more than they should out of fear, asks Ed Ainsworth, co-founder of 4C Associates
CYBER SECURITY is one of the biggest issues for all companies, with reports claiming it costs organisations between $400bn (£279bn) and $500bn a year.
CEOs and their boards will already be asking: do we understand the threats our company is facing? And do we have the right defensive strategy in place? They will be looking for support from across the organisation – finance, procurement, IT and operations. But how can FDs know whether they’re just a victim of ‘cyber security hype’ and paying more than they should out of fear, or whether they are not spending enough, running a risk and leaving the business inadequately protected?
Cyber security attacks range from the sophisticated international state-backed type such as the attack on Sony, to the ‘bedroom hackers’ as we saw last year with TalkTalk. The unavoidable conclusion is it is now a matter of ‘when’, not ‘if’ we will be a victim of an attack. This risk includes highly professional teams operating from the fringes of Eastern Europe or East Africa.
We hear many warnings of new, more complex types of attack, and the Internet of Things (IoT) opens up new areas. For example, Wired Magazine recently reported on the ‘Zombie Botnet.’ Instead of hackers hijacking your laptop, they commandeer large networks of IoT devices—like CCTV surveillance cameras, smart TVs, and home automation systems. Nearly all businesses now have a high reliance on interconnected technology. For businesses that are IT reliant, the protection of data and functional capability has become mission critical.
We have seen an abundance of cyber security breaches reported and incidents are increasing daily. Some of these breaches involve millions of records and can lead to very significant financial exposure for the breached parties.
Due to the rise in the business criticality of cyber security (and increased regulatory pressure), the decision-making process has inexorably progressed to the board table. The incumbent cyber services and product sets are still intrinsically technology focused and often promoted on the basis of fear and insecurity. Even with informed questioning, CEOs can often find themselves making decisions with too many grey areas. Advice at board level is often limited and inexperienced.
The characteristics of a category of overspend
Cyber security has all of the characteristics of a category of overspend: the solutions aren’t clear and well understood, there are many standards, the problem can change rapidly and the ultimate decision makers are usually unable to make informed decisions. It’s an exciting purchase, and there are legitimate reasons for questioning the need for normal procurement scrutiny.
Additionally, too often, large legacy software license contracts (such as anti-virus) may or may not be providing good value against your current asset/threat/risk assessment and there may be opportunity for cost reduction with a simple contract review.
To effectively optimise cyber security we must move away from the legacy ‘tick-box’ methodology. Because many cyber security services evolved out of IT services, that heritage has also contributed to legacy overspend and is due an overhaul. By using a clear framework approach to asset priority and value, and then overlaying protective measures, you can extrapolate a company’s ultimate financial exposure.
This data then allows a financial, not technical decision making process for cyber security spend, clearly a better decision for a non-specialist board. The best practice is to use a structured four stage approach, informed by an understanding of the market offer for both services and insurance.
Firstly, identify what assets are at risk and where they are based (physical/cloud/hybrid/server). Then work out the actual cost of a potential attack and which assets have the most value to protect.
Next, carry out a threat assessment. What are the most likely attacks and how can these be mitigated? What’s the current level of cyber risk that the business faces?
Then restructure spend and identify solutions and suppliers to quantifiably reduce exposure, spend, or both. What alternatives are there to reduce risk that don’t require expensive solutions? What’s the average cost of cyber security spend compared to your needs?
Finally, identify who needs to be involved in the set up and ongoing solution, including your procurement and finance managers.
Once you have identified assets, assigned relative value and chosen protective measures, there is a final step for mitigation, and this one is financial, not technical. A carefully tailored cyber insurance policy can be a very effective mitigation partner. Areas that are often covered by cyber insurance include the cost of informing customers, loss of business, PR and communications, and disaster recovery.
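The four-stage approach above is, at bottom, a calculation: each asset’s annual expected loss (its value if compromised multiplied by the likelihood of a successful attack in a year), then the reduction each protective measure buys per pound of spend. The script below is an added illustration of that calculation and is not from the article or from 4C Associates; every asset, figure, control name and budget in it is constructed for the example rather than taken from any real company. It ranks candidate controls by expected loss removed per pound, selects them greedily within a budget while each still removes more loss than it costs, and reports the residual exposure, which is the figure a board would then take into the insurance conversation.

```python
"""Constructed illustration of asset/threat/risk-based spend decisions.

All assets, values, likelihoods, controls and costs below are made-up
sample figures for the example, not real data from any organisation.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Asset:
    name: str
    location: str              # where it is based: physical / cloud / hybrid / server
    value: float               # estimated cost of a successful attack on this asset (GBP)
    annual_likelihood: float   # estimated probability of such an attack in a year (0..1)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float                  # what the supplier charges per year (GBP)
    applies_to: frozenset               # names of the assets this control protects
    likelihood_reduction: float = 0.0   # share of remaining likelihood removed (0..1)
    impact_reduction: float = 0.0       # share of remaining loss removed if an attack succeeds (0..1)


def residual_ale(asset: Asset, controls: Iterable[Control]) -> float:
    """Annual loss expectancy for one asset once the given controls are applied.
    Controls compound multiplicatively on the part of the risk each one addresses."""
    likelihood, impact = asset.annual_likelihood, asset.value
    for control in controls:
        if asset.name in control.applies_to:
            likelihood *= 1.0 - control.likelihood_reduction
            impact *= 1.0 - control.impact_reduction
    return likelihood * impact


def total_ale(assets: Iterable[Asset], controls: Iterable[Control]) -> float:
    """Expected loss per year across the whole asset list."""
    controls = tuple(controls)
    return sum(residual_ale(asset, controls) for asset in assets)


def rank_controls(assets, candidates, selected=()):
    """Marginal expected-loss reduction of each candidate on top of the controls
    already selected, with its reduction-per-pound ratio. Best ratio first."""
    assets, selected = tuple(assets), tuple(selected)
    base = total_ale(assets, selected)
    rows = []
    for control in candidates:
        reduction = base - total_ale(assets, selected + (control,))
        rows.append((control.name, reduction, control.annual_cost,
                     reduction / control.annual_cost))
    return sorted(rows, key=lambda row: row[3], reverse=True)


def select_controls(assets, candidates, budget):
    """Greedy selection: keep taking the control with the best marginal ratio,
    but only while it removes more expected loss than it costs and fits the budget.
    Returns (chosen controls, total annual spend)."""
    selected, remaining, spent = [], list(candidates), 0.0
    while remaining:
        name, _reduction, cost, ratio = rank_controls(assets, remaining, selected)[0]
        if ratio <= 1.0 or spent + cost > budget:
            break                       # nothing left that pays for itself within budget
        control = next(c for c in remaining if c.name == name)
        selected.append(control)
        remaining.remove(control)
        spent += cost
    return selected, spent


# Constructed sample register (stage one and two: what is at risk, where, and what it costs).
ASSETS = [
    Asset("customer database", "cloud", value=2_000_000, annual_likelihood=0.10),
    Asset("order processing", "server", value=800_000, annual_likelihood=0.20),
    Asset("marketing website", "hybrid", value=50_000, annual_likelihood=0.50),
]

# Constructed candidate measures (stage three: solutions and suppliers), including a
# legacy licence renewal whose value against the current risk picture is questionable.
CANDIDATE_CONTROLS = [
    Control("MFA on administrative access", 20_000,
            frozenset({"customer database", "order processing"}), likelihood_reduction=0.5),
    Control("legacy anti-virus renewal", 90_000,
            frozenset({"order processing", "marketing website"}), likelihood_reduction=0.1),
    Control("offline backups with tested restore", 30_000,
            frozenset({"order processing"}), impact_reduction=0.6),
    Control("web application firewall", 15_000,
            frozenset({"marketing website"}), likelihood_reduction=0.4),
]

if __name__ == "__main__":
    print(f"Unmitigated expected loss: £{total_ale(ASSETS, []):,.0f}/yr")
    for name, reduction, cost, ratio in rank_controls(ASSETS, CANDIDATE_CONTROLS):
        print(f"  {name:36s} removes £{reduction:>9,.0f}/yr for £{cost:>7,.0f}/yr  (x{ratio:.2f})")
    chosen, spent = select_controls(ASSETS, CANDIDATE_CONTROLS, budget=60_000)
    print(f"Chosen within £60,000: {[c.name for c in chosen]}; spend £{spent:,.0f}; "
          f"residual expected loss £{total_ale(ASSETS, chosen):,.0f}/yr")
```

With these constructed figures the legacy anti-virus renewal ranks last, removing less expected loss than it costs, which is the contract-review outcome the article describes; the residual expected loss after the chosen controls is the number to set against an insurance premium and the areas of cover listed above.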
Using this approach cannot eliminate the risk to you from cyber-crime. However, it will minimise the risk and ensure that you are focusing your resources on the areas where you will get the most protection. Any other approach will be too risky.
Ed Ainsworth is co-founder of 4C Associates, a procurement consultancy specialising in business transformation, cost savings delivery and managed services.