Cyber security can't remain an IT issue. It needs to be addressed and filtered from the C-suite throughout the business, explains Rangu Salgame, chief executive officer of growth ventures at Tata Communications.
Government, businesses and consumers have all come under serious threat from cyber criminals over the last 12 months, and KPMG has suggested that going forward we will see the most advanced attempts at hacking and cyber crime yet.
A huge boom in the cyber insurance market is expected, on the back of emerging standards. The market will evolve, providing businesses with incentives for compliance, whether that is a willingness to insure or reduce premiums. And with many organisations adopting BYOD policies, it is a growing concern that smartphones and tablets have increasingly become a target for cyber criminals.
Couple this with the fact that there are not enough security experts to combat the rising threat and you can see why governments globally are alarmed. In fact, research and consulting firm Frost & Sullivan reports that the number of security professionals globally is about 2.25 million, yet the requirement by 2015 will be 4.25 million. Cyber security is now being reclassified to a tier-one national security priority, signalling that policy-makers are urging action now.
Progress is certainly being made. In an update on the progress of the government's two-year-old cyber security strategy, Francis Maude, a Cabinet Office minister, said GCHQ is increasingly looking to British small and mid-sized organisations to recruit staff and increase cyber security expertise. In addition, more than 250 companies have joined the Cyber Security Information Sharing Programme (CISP), which encourages businesses to share problems and expertise in dealing with threats. That is a step in the right direction.
Despite businesses spending heavily to build cyber fortresses over the last 15 years, cyber attacks are still happening, and coming from a multitude of directions – including attacks from cyber criminals (traditional hackers and hacktivists), espionage-type incursions, and data leakage where information is taken from an organisation and purposefully or inadvertently put into the wrong hands.
Given the variety of attacks, all with bespoke motives, cyber security needs to go hand-in-hand with enterprise risk assessment as it can directly affect both operations and the broader brand or reputation of a company, often resulting in significant financial repercussions. What we now realise is that IT security solutions alone are no longer enough. And this takes cyber security out of the realm of being purely an IT department's responsibility and makes it a must-have agenda point for the boardroom table.
Key issues that those on the board must understand are the motives behind potential cyber attacks – what information do the attackers want to glean? Every company is unique. Only when this insight is understood can the right business decisions and investments be made. A comprehensive defence system ultimately comes from an overarching strategy developed by business leaders. Now is the time to act.
Think about how you can encourage employees to take responsibility for the protection of their own data. Introduce training programmes to educate your workforce and dispel some of the myths around cyber security. Set up learning sessions to ensure employees are fully aware of the procedures they should be implementing day-to-day when using mobile devices or transferring sensitive information. It may be necessary to bring new talent into the organisation. After all, increasingly tech-savvy younger generations think in a much more integrated way when it comes to using technology in their daily lives.
The underlying message is that the threat of cyber attacks is increasing and C-suite leaders must not only brace themselves for potential hacks, but also prepare their organisations fully for the eventuality. Ensuring immunity from cyber attacks is almost impossible, but risks can be minimised. We're witnessing a whole new world of communications where the problem of cyber security can no longer sit siloed in the IT department. It must be communicated throughout the organisation.