Warren O'Driscoll
Head of Security Practice, Senior Director, NTT DATA UK
More from this contributorInformation and cyber security is one of the hot topics of the last five years, as digital enablement becomes the default and its potential to impact global and UK business continues to grow on an almost logarithmic scale.
The UK government’s National Risk Register published last year found that 46% of businesses had reported a cyber security breach or attack over the course of 2020, in addition to 26% of charities. The scope of threat facing corporations in the UK has evolved and grown in recent years; the way companies must adapt to meet this risk needs to change as well.
A move away from code-based regulation and more towards a common-law approach is likely to result in more weight being given to the supervisory judgements of regulators, which could mean more focus on outcome rather than just the process.
In reacting to these risks we are also seeing revolutionary changes in security and data regulations both at a global scale and within the UK. The Taskforce on Innovation, Growth and Regulatory Reform recent report indicates a move away from code-based regulation and more towards a common-law approach. This is likely to result in more weight being given to the supervisory judgements of regulators, which could mean more focus on outcome rather than just the process. For UK corporations, this shift in regulatory approach must be considered in context of the regulatory penalties, brand impact and the threats posed to business, shareholders and the client.
With the increase in the cyber security landscape, blurred corporate and cloud data boundaries, and ever increasing threat levels, the UK’s position as a tech and services leader makes it a more attractive target for malicious actors than most.
Due to limited effective understanding and articulation of risk appetite, or the threat impacts to the asset base, at both the executive and board levels, far too many organizations make the mistake of addressing security risks as just an IT function or create security policy in isolation. This often results in complaints that security is too costly or not in tune with the corporate need. While security frameworks and standards offer businesses effective guides to good practice, only effective clarity of the corporate risk appetite, and its relation to its assets and their threat impacts, can effectively dictate and align the control objectives and responses for the individual business.
As per the guidance offered to businesses by a number of the UK Regulators, we need to be challenging boards and executives to firstly have a clear understand of their business’s assets (i.e. people, products, processes, property, data and technology) and where they stand in terms of the corporate risk appetite for impact, from aspects such as threats, regulations, contractual and certification drivers.
What is the risk?
For around the last ten years The World Economic Forum’s Global Risks Report has highlighted the failure of cyber and data security as one of the principal global risks, along with issues facing technological governance and a globally accepted system of regulation regarding critical digital networks and technology. Of global risks surveyed in the 2021 report, only threats relating to public health and climate change were seen to be more of a clear and present danger than cyber security failure.
The cyber threat can take many forms for businesses. The emergence of ransomware-as-a-service allows hackers to essentially auction their skills to the highest bidder, opening the door for those who may wish to carry out attacks but previously did not have the technical skills or capabilities. Phishing attacks have also continued to be a common threat, and the pandemic has seen renewed acceleration in their frequency. Those carrying out these attacks have sought to play on anxieties and uncertainties generated by the pandemic, attempting to instigate an emotional response that leads to a link being clicked and a breach occurring. And the abundance of digital change without basic security by design or default only makes the lives of threat actors easier.
The corporate supply chain also represents a significant security threat vector. The nature and integration of the supply chains makes it an attractive target for threat actors, as businesses frequently lose sight of the security involved in the process. Research this year found that only 1 in 20 UK organizations take active steps to address the vulnerabilities in their wider supply chain; this is seen as such a concern for UK companies that the government has called for industry input on this topic and will report on its findings later this year.
A greater amount of foresight and appreciation of the risks is needed by executives and boards, not only to protect shareholders, but also the security of customers, staff and the ecosystem as a whole.
While these threats are commonplace for mature businesses, there are often still many gaps between awareness and effective action. Corporations may well inform shareholders about their knowledge of these threats and the principal corporate risks that support them, yet in our experience the evidence of tangible and effective corporate security culture that support the response to these risks is limited and in many cases is little more than a tick box or paper activity. This can lead to risk management or security being seen as a problem when it goes wrong. A greater amount of foresight and appreciation of the risks is needed by executives and boards, not only to protect shareholders, but also the security of customers, staff and the ecosystem as a whole.
How do businesses deal with this risk?
Competitive drivers and business models means every organization has a different risk appetite. Different industries face different regulatory positions, certification and contractual requirements all of which translate into varying levels of organizational pressure.
This variety in risk appetites, methods and operational models needs to be taken into consideration when addressing security risk for individual organizations. There is no one-size-fits-all solution that can be applied to every industry, as each sector will have a different operating model, levels of security maturity, capability, capability and path experience.
For example, the heavily regulated financial services industry will have a very different maturity to construction, where security maturity is not a core competence. Even within these sectors, each business will face a different level of operational and security risk, based on assets and threats, and therefore require an appropriately individualized approach towards risk management.
To address this disparity, the UK’s NCSC’s National Cyber Security Strategy has highlighted the importance of partnerships in helping individual organizations navigate a strategy which is right for their specific circumstances.
By engaging in partnerships with core competence and path experience, partners such as NTT DATA can coach, challenge, mentor and advise across all levels of corporate accountability to ensure the unique challenges facing an organization are taken into account, so businesses will be ultimately better placed to navigate the ever-shifting landscape of Information and cyber security.
