Persuading the board

Do business leaders still need convincing that cyber-security matters? Riaz Lakhani at Barracuda Networks thinks that they do, and explains the steps you can take to persuade them

Cyber-attacks that involve high profile targets and big numbers invariably make headlines. A recent example is United Healthcare’s $872 million cyber-attack. But while the reporting of such incidents helps to raise awareness of the harm cyber-attacks can do, it may also create a false sense of security among smaller or less well-known companies that find it hard to believe anyone would spend time or money targeting them.

Just over a third (35%) of small business IT security professionals surveyed for a recent Barracuda Networks international study worry that their senior managers don’t see cyber-attacks as a significant risk. They are right to be concerned. IT security pros know better than anyone that every business can be hit by cyber-criminals, and it doesn’t matter whether the attack is deliberate and targeted, a “spray and pray” mass attack or just sheer bad luck. You need to be ready for anything, from anywhere.

For example, the spear-phishing emails that preceded the 2018 Olympic Destroyer attack on the Pyeongchang Winter Olympics hit several completely unrelated companies whose domain names resembled the target’s. These included a wood company in Slovakia and a real-estate office in Germany.

In this article I want to consider why any business leader should give up their time to listen to me in the first place.

Cyber-security is a business issue

Most organisations don’t want to fail. They want to thrive, grow, and expand. This requires a solid financial foundation, with robust resources, investments, and investor trust. A security breach will disrupt all of this.

Security breaches can be expensive to deal with and fix. Our research found that for UK organisations the average annual cost of dealing with cyber-security incidents is around £3.6 million. This includes £2 million for the theft of IT assets, damage to infrastructure, incident investigation and remediation activity and a further £1.6 million for the cost of downtime and the resulting lost productivity and operational disruption. 

And that’s not all. According to the Harvard Business Review, listed companies experience an average 7.5% reduction in stock market value after a data breach, and this takes around 46 days to bounce back if it ever does. 

Further, audit fees, borrowing fees and insurance premiums all increase in the year following an incident, while company performance declines by around 9%. There are likely to be liability and compliance penalties for any failure to meet service level agreements or regulatory guidelines, not to mention reputational damage and mistrust among customers.

Security professionals need to be able to explain how these financial and organisational risks can be mitigated by understanding and addressing cyber-risk.

Business priorities and the potential impact of a cyber-incident on each:

Growth strategy: product and service roadmap, new initiatives
  • Cyber-attack resulting in exposure or theft of intellectual property

Business resilience: continued operations and reliability
  • DDoS (Distributed Denial of Service) attack disrupting commercial activity
  • Downtime

Financial status: revenues, reserves, cash flow
  • Cost of responding to and recovering from an incident
  • Penalties for compliance violations

Reputation and customer trust
  • Loss of PII (Personally Identifiable Information) eroding customer loyalty
  • Damaging PR

Caring about things you don’t understand

A quarter of the IT security professionals surveyed admit their leaders aren’t kept up to date about threats facing the organisation. Security professionals must get better at explaining to others the threats the company faces today and is likely to be facing tomorrow.

If we don’t, there is a risk that the business will fall victim repeatedly to cyber-attack, especially if the company hasn’t fully addressed the root cause of previous incidents. Our research also found that two thirds (67%) of UK organisations were hit with one or more cyber-attacks in the last year. 

Security is a journey

Convincing business leaders to care about cyber-risk and resilience is not a one-off task. Cyber-threats are evolving all the time, and so are the associated risks and impacts. 

Most respondents said attacks had become more sophisticated (61%) and more severe (54%) over the last year, taking longer to recover from and fix.

At the same time, many organisations face a shortage of professional cyber-security skills, struggle to navigate an increasingly complex landscape of security tools, need to prioritise resource allocation, and must develop and continuously update their incident response plan.

Common, unpredictable and destructive

Business leaders need to believe that cyber-security will help the company to keep going in a world where cyber-incidents are common, unpredictable, and potentially destructive. If they understand why security matters, they will be better placed to understand what needs to be done. 

The good news is that most business leaders get it. They understand why cyber-security is important, but also face difficult choices in terms of prioritising budget and resources. There are trade-offs to be considered, for example between the pace of product development and security checks and integration.

Cyber-resilience depends as much on people as it does on technology. A security-focused company culture needs leaders who are on side and understand the risks and solutions. An engaged risk-literate leadership is one of your most powerful tools for ensuring policies, programs and investments succeed.  

Riaz Lakhani is CISO at Barracuda Networks Inc. He has written a guide on how to talk to business leaders about security risk, outlining the key conversations every CISO should have with colleagues on a regular basis.

Main image courtesy of iStockPhoto.com and ProfessionalStudioImages