CBI calls on UK firms to put cybersecurity on board agendas

Brid-Aine Parnell

Monday 6 July 2015

Speakers at the inaugural CBI Cybersecurity Conference have confirmed the belief that cybersecurity is a risk that needs to be managed from the top, just like any other business risk.

The Confederation of British Industry (CBI) recently gathered government and industry experts together in London for its inaugural Cyber Security Conference, impressing on UK firms that the issue needs to be on board agendas, not restricted to the IT department.

Speaking at the conference, Matthew Fell, policy director at CBI, insisted that getting cybersecurity right was critical for modern businesses.

“As the global leader in ecommerce, the UK stands to reap huge rewards from further developments in technology, given the trends in the way we interact, and all at the tap of an app,” he said.

“But with that opportunity for all of us here today, there is a risk to be managed. With our IP, finances and our customer relationships all inextricably linked to technology, we must take steps to protect our online assets.

“Awareness of this critical business risk has risen in recent years, especially as the number of prominent cyber hacks hitting the headlines has sharply increased. Unfortunately, even as awareness in the business community has increased, with a small uptick in action, there is still a disconnect between awareness and action – especially for our high growth small and medium-sized businesses, who are at just as much at risk as global brands.”

The half-day of sessions featured keynotes from companies like SophosCGI and NCC Group, as well as examples of the latest kinds of cyber-attacks and run-throughs of how to respond to intrusions. Throughout, the message from all parties was that the IT department needed to be able to impress on boards and CEOs just how important security was.

But speakers also acknowledged that that isn’t always easy when there is so little data made public on the real cost of cyber-attacks and with the media tending to hype cybercrime as a mysterious netherworld that it seems impossible to guard against.

“Cybercrime is just theft, it’s just fraud. And the defences against theft are the same as they were a hundred years ago, locks on the doors and windows – so [we have] antivirus and antimalware software,” said Martin Smith, chairman and founder of The Security Company and The Security Awareness Special Interest Group.

James Lyne, global head of security research at Sophos, said that the tendency to hype cybercrime was making businesses feel powerless to deal with it.

“It doesn’t mean that cybercriminals aren’t sophisticated and aren’t dangerous, but it means that people are starting to think that only the government can save us or only a huge box of flashing lights can do it,” he said.

As well as facing challenges in explaining the technology behind cybercrime and cybersecurity, IT managers are also having difficulties presenting the case for spending on mitigating the risks, again because of the lack of concrete data.

“It’s really hard to justify a spend in security… because it’s difficult to quantify how much to spend [with not much data points being shared],” commented Andrew Rogoyski, vice-president of cybersecurity services at CGI.

One possible advantage that’s now in the pipeline is the fledgling cyber insurance market. Although much of the market is currently focused on data protection insurance – the majority of which exists only in the US – panellists were optimistic that, as the industry matures, insurance companies will be able to build databases of actuarial information on cyber-attacks that will help to quantify the risks.

“You need to identify that there is a risk, find out what it is and put some sort of financial figure on it and some sort of probability range. You’re essentially creating a risk profile and that’s a lot of the work that we’re doing with companies at the moment,” explained Steven Wares, EMEA head of cyber practice at global insurance firm Marsh.

“Once you’ve made that profile, you can do a lot of different things with it – not just insurance, but informing employees and analysing those risks.”

Speakers agreed with CBI’s Fell that cyber-attacks were a risk like any other facing UK businesses and should be treated just the same, with firms both combating the risk and insuring themselves against potential costs.

“Nearly all businesses suffer cyber-attacks – 81 per cent of large businesses suffered a security breach last year alone, with the figure for small businesses at 60 per cent,” Fell pursued.

“Whilst the number of these attacks is going down, as hackers have become more sophisticated and targeted, the cost of these attacks almost doubled last year. That puts the average cost for large businesses between £600,000 and £1.15 million and for small businesses between £65,000 and £115,000.

“Like any other large scale threat to your company, the issue of effective cybersecurity should be firmly on the agenda of the board.”

Building the next-gen data centre

Where traditional and web-scale apps co-exist