Millions of pounds lost, brand integrity compromised and potentially fatal disruption of service: the cyber-threat is growing daily. Yet the March 2016 Policy Report from the IoD indicated that only 49 percent of companies provided cyber-security awareness training. For technical staff, management's slowness in confronting the cyber-threat can be disheartening, not least because the influence senior managers have on the culture of an organisation is a crucial factor in whether or not cyber-security awareness runs throughout the whole organisation. It is worth wondering why “they” - the bosses, managers and executives - don't seem to “get” it, despite countless examples of the consequences of being hacked or having data integrity compromised.
The average age of a manager in 2016 is approximately 45 and the average age of a FTSE 100 company director is 52.8. Academic research suggests that the technology prevalent during an individual's early 20s defines their technological generation. So, born in about 1971, graduated around 1993, what would be your technological norm? Microsoft Windows 3 came out in 1990; Mosaic in 1993 – the same year the Web made its debut. At the time many companies couldn't see the value of the Web apart from as a marketing tool. In the 'C' suite of leadership positions the chief executives, chief operating officers and the rest are that bit older – from an earlier technological generation. Of course their learning can, and will, have kept pace with developments in technology. But maybe those involved every day in cyber-security assume that business leaders' knowledge and understanding is as fresh and acute as theirs. It is not.
Viv MacDonald, cyber-risk awareness leader, Ascot Barclay
For non-technical business leaders – children of the pre-web generation and digital immigrants – the mind-set required to appreciate and respond to the threats posed by cyber-security doesn't come naturally. It has to be learned. Put another way, the bestselling toy in 1973 – when many directors were 10 years old – was the Mastermind board-game, where a 'code maker' arranges four coloured pegs in a pattern and the 'code breaker' has 12 goes to crack it. In 2015 the National Crime Agency suggested that the average age of a hacker was 17 – they were probably playing Call of Duty, Minecraft or Super Mario (which all came out in 2009) when they were 10.
Cyber-security specialists agree on the need to educate non-technical business leaders, but with only 49 percent actually providing training to their staff it appears the message is not getting through. One key development would be to ensure that management understands that cyber-security is not somehow an exclusive IT issue; it is a whole team issue. It is an issue that should matter from the receptionist, to customer services and, most importantly, to the main board. Viv MacDonald, cyber-security risk workshop lead at Ascot Barclay Group, states she is “not suggesting that the way to do this would be through gamification based on the Mastermind (board game).... rather that for the message to be embedded it should come in a context which is clearly relevant to senior (older) executives”.
Some accounts of the recent Panama Papers leak mention not just that the email servers had been compromised, but that there were configuration problems, inconsistent use of encryption and some outdated code. I know lots of senior directors who, at this point in the story, will have labelled it “IT's fault”, and also possibly something they simply can't imagine happening to them. However, if you asked them how keen they would be to have their accounts managed by Mossack Fonseca there might be a muttering about reputation and loss of confidence in a brand.
Most directors also understand the bottom line. Last year UK government figures put the cost of a breach in digital security at between £75,000 and £311,000 for the 74 percent of SMEs that reported a breach. For the 90 percent of large companies that reported breaches the costs rose to between £1.46 million and £3.14 million. You have to sell an awful lot of extra widgets to cover those “unexpected” costs. Unexpected is in quotation marks because, as well as acknowledging that cyber-security is a whole company issue, directors need to understand that a breach is not a question of “if” but of “when”. The less often “when” happens, and the better the systems for coping with breaches based on sound policies and a grounded understanding of the real threats and weaknesses, the more resilient a company will be. Until that understanding cascades from the C-suite to every corner of an organisation, the threat and consequences remain grave.
Contributed by Mike Loginov, CEO and Viv MacDonald, cyber-risk awareness leader, Ascot Barclay
 ILM Research Paper 3: UK Managers' Profile 2013