The protection of information is a challenging, but essential activity to support and enable business. However, it must also allow the safe exploitation of that very information, making this modern challenge a difficult one for businesses to contend with. The task is complicated further by a threat landscape that is complex and fast moving, comprising traditional threats, such as those posed by international crime syndicates, and more contemporary, insider threats. As such, it is every board’s responsibility to lead from the top, and to establish a framework of processes and procedures for managing information risk. By setting these processes, risk-based decisions can be made at the appropriate levels – ‘good’ cyber security thus stems from effective governance. European CEO spoke to Andrew Fitzmaurice, CEO of Templar Executives, about the challenges facing organisations today, and how boardroom management is key.
There is a tendency for organisations to focus too heavily on the technical aspects of cyber security, such as firewalls and encryption methods
How has the cyber threat landscape changed in recent years?
As cyberspace opens up increasingly to international players with little to no traceability, global businesses are waking up to the criticality of the dangers posed. With almost daily reports of business interruption, data theft and hacktivism, to name but a few, the implications of escalating cyber incidents are hard to overlook. Equally, the threat posed by both malicious and non-malicious insider activity makes a compelling case for prioritising comprehensive planning throughout all aspects of operations, from personnel training to strengthening ICT systems. That being said, the traditional approach of designating responsibility to the ICT department is becoming outmoded, as attackers now transcend traditional methods, using innovation to strike unexpectedly against unprepared targets.
What are the biggest threats for businesses?
Information is the crown jewels of any organisation. Cyber attacks can cripple an organisation’s ability to operate by allowing unauthorised access to, or exfiltration of, data from their ICT processes and systems. One of the key success factors for any organisation is achieving a proportionate level of cyber security and a clear understanding of the range of risks to its information.
Cyber security and information assurance (IA) are business functions, encompassing a wide range of media, from the spoken voice to firewalls, which means that managing and monitoring them can prove challenging. All those who handle information related to the business, essentially the entire workforce and any external parties that the business deals with, have a responsibility in ensuring the safety and security of that information. This opens the business up to a range of vulnerabilities, as the insider threat (posed by wilful individuals or by accident) becomes potentially very damaging.
Attacks have the ability to create widespread disruption and can affect brand reputation, reducing share price and stakeholder confidence. Likewise a malicious or non-malicious cyber attack caused by an insider could have immediate and far-reaching implications, potentially resulting in serious financial and operational impact, regulatory non-compliance, or even worse.
Are company directors adequately informed about the risks?
According to the BCS report of February 2015, titled Cyber security: responding to the changing threat, 73 percent of businesses believe that they are capable of repelling cyber attacks. This attitude shows the complacency organisations have surrounding risk. The threat landscape is dynamic and constantly evolving, making it a challenge for company directors to keep updated. Unfortunately, there is still a significant number of directors who fail to fully grasp information risks, or their responsibility to mitigate them, and therefore naively delegate their responsibility to the ICT department, instead of treating it as a business issue.
Instead, company directors need to lead by example, and be actively aware and informed of the evolving risks in order to be in a strong position to drive corrective action. Part of what Templar offers is a unique, holistic approach to enhance cyber security through up-skilling leaders, by developing their own knowledge and capabilities, as well as helping them to safeguard their businesses against ever-increasing cyber threats.
What is it that differentiates Templar from its competitors?
Templar Executives has ten years of global experience in supporting and protecting governments and industry from the evolving threat of cyber attacks. We take a holistic view of cyber security and IA, protecting clients from the full range of cyber threats, identifying network vulnerabilities, and also helping to develop policies and procedures to ensure that information is managed safely, recognising that people are central to an effective digital defence. Templar helps clients to fully understand the cyber threat landscape and to implement both technical and cultural change in order to optimise safe and secure business practices. We draw on our dynamic and highly skilled team of discreet cyber security and IA specialists to bring an unparalleled breadth of experience that delivers truly holistic security capabilities.
What are the biggest challenges in the cyber security market?
Cyber security needs to be business-led and must speak business language, yet those who typically deal with cyber security on a daily basis, have developed their own taxonomy that is often not boardroom-friendly. The development of the role of chief information security officer (CISO) helps to overcome this challenge; we regularly train CISOs so that they can speak a common language that everyone can understand, which also helps to convey the message that cyber security is everyone’s responsibility.
There is a tendency for organisations to focus too heavily on the technical aspects of cyber security, such as firewalls and encryption methods. While these are an aspect of good practice, focusing on them too much can overlook the human aspects. A large proportion of cyber attacks are the result of inadvertent human error, with many individuals bypassing security policies because they believe they can find a more efficient way of getting the job done. This is a common issue, which makes it important to explain the consequences of such actions, and why compliance with company policies is crucial.
What are Templar Executives’ ambitions for the future?
Templar Executives has a clear goal: to be recognised as the trusted provider of choice for boards around the world. We are making great strides to achieve this through the launch of our new Platinum Board Level Service. This service has been well received by our current clients, and we are actively being sought to assist others in understanding cyber security.
Cyber security is a leadership issue; our Board Level Service is designed to allow business leaders and owners to demystify cyber security through discussing governance, risks and mitigating activities in complete confidence. By providing this expertise, combined with specialist knowledge of cyber security, Templar is achieving the ambition of being a trusted advisor to boards and business enablers. This also supports our second ambition – to plug the current skills gap that exists in the marketplace and to support the UK’s Cyber Security Strategy, making the UK the most secure place in the world to do business.