COMPUTER hacking, ransomware, data breaches, fraud: cyber crime is a bigger problem than ever, and is a concern for everyone, from the humble consumer to the largest of corporations.
Cyber warfare has even emerged as the latest military battleground – attacks on government agencies have increased, and both China and Russia have been accused of state-sponsored cyber hacking against the west and its allies.
In light of the rising number of high-profile cyber incidents, boardroom executives are also engaging more and more with the problem.
“We are finally seeing more constructive board engagement in the topic of cyber security now than we did previously,” says David Ferbrache, technical director of KPMG.
“High-profile instances of attacks, mainly data breaches but also ransomware, are keeping cyber towards the top of the agenda.”
Ferbrache makes this claim based on the results of a new survey of chief information officers (CIOs) published by KPMG and recruitment agency Harvey Nash earlier this week, which uncovers the changing business priorities and issues facing some of the world’s biggest organisations.
The survey is based on the responses from almost 4,000 CIOs, from businesses with a combined annual cyber security spend of up to $46bn.
The survey of CIOs, who are responsible for the IT and computer systems of their company, found that their top priorities are (unsurprisingly) improving business processes and delivering stable IT performance. But notably, making improvements to their company’s cyber security is becoming their fastest growing priority. Just under half (49 per cent) of respondents listed it as a key business issue, compared to 40 per cent the year before.
This is not just because of heightened media attention on cyber crime, but also because of the increased monetary – and reputational – costs of a successful attack.
The General Data Protection Regulation (GDPR), which came into force in May, means that data breaches can lead to fines of up to €20m or four per cent of annual turnover if a company fails to identify and report the breach, or was not complying with its obligations in regard to data security.
This combination of GDPR and high-profile incidents means that businesses are taking cyber security more seriously, according to Ferbrache.
“For a lot of clients we’re dealing with, we’re seeing a bit more maturity in those board discussions now. It’s passed from ‘how do I keep myself off the front page’ into ‘what do we need to do within the firm, and how do we make sure we’re putting the right challenge in to the executive in terms of their cyber security and privacy response’ – and that’s a positive thing.”
But despite these concerns, the survey found a worrying number of organisations felt unprepared. Only 22 per cent of those surveyed in April said they were well-prepared for a cyber attack, while some 38 per cent admitted they expected they would not be GDPR compliant by the deadline – which has now passed.
There are many factors behind this lack of preparation, but one in particular stands out. The vast majority – 65 per cent – of CIOs reported a skills gap, especially for candidates with “security and resilience” abilities, which experienced the biggest jump in demand to 35 per cent from 28 per cent the year before.
There are a number of solutions to this skills shortage. Businesses can retrain people internally to foster talent, or can reach out to schools to promote a career in STEM, especially to young women who may otherwise be discouraged due to perceived stereotypes, in order to widen the pool of potential candidates.
But these are long-term strategies, and businesses need to do something in the meantime to prepare against cyber attacks now.
Businesses can undertake structured exercises to test how they would react and respond to an attack, what measures they would take to get back on their feet, as well as how they should deal with subsequent regulatory issues and communicate the problem to customers. Ferbrache also gives general advice on what organisations should be doing to be more prepared.
“Getting the basics right still matters. That’s simply having an antivirus, firewalls, good user and password management. Getting those basic things right will stop a lot of attacks and is well worth doing.”
The changing nature of these attacks is also a cause for concern to many CIOs. For most people, when they hear about cyber attacks, they might imagine individual criminals acting alone, or think of hackers who treat it as a “sport” and are only breaking into organisations for bragging rights.
But the amateur hacker is far down the list of fears for CIOs – instead, the survey found that 77 per cent of these IT leaders are most concerned by the threat of organised cyber crime, up from 71 per cent the year before.
Organised cyber crime can take many forms, from ransomware attacks, like last year’s WannaCry assault which targeted systems around the world, to phishing scams and fraud, as seen in the aftermath of the recent TSB meltdown.
Ferbrache adds that organisations increasingly have to deal with cryptocurrency malware: hackers infect computer systems with code that makes the device mine cryptocurrency such as bitcoin for the hacker’s benefit, diverting computing power away from its business function.
“From what we are seeing, the ‘battleground’ is all transnational, quite industrialised, and increasingly supported by an effective black economy of tools, targeting and attack methods, with quite a good monetisation and cashout structure as well. We tend to see that as the biggest threat to most of the firms.”
Overall, the survey points to how the scope and cost of the cyber threat is widening, but at least indicates that the executive boardroom is grappling with the issue seriously.
If CIOs and their tech teams can close the skills gap and cut down on talent shortages, and make sure they’re doing the fundamental things right, hopefully they will be better protected against an attack, and cyber security might start to move down the list of urgent priorities.