Businesses across all sectors are waking up to the importance of cyber insurance in today’s increasingly complex and high-risk digital landscape. The world’s biggest companies are facing an unprecedented number and variety of digital attacks. Whilst awareness of the threat has never been higher, most businesses do not comprehend the methods and motivations of the attackers, the scale of the threat or indeed how to counter it.
In a joint BT and KPMG report ‘Taking The Offensive’, nearly one third of CEOs listed cyber security as the issue that has the biggest impact on their business. Despite this, only half felt prepared for a cyber attack. At a time when attackers are moving quickly with an increasing arsenal of tools and techniques, the traditional approach to security isn’t fit for purpose.
Rethinking the threat
Those targeting valuable corporate data are now moving at a pace that requires a complete rethink of security strategy. The threat is so considerable that last year the Chancellor announced a £1.9 billion, five-year investment to develop a national cyber plan. At an organisational level, forward-thinking CISOs should approach the role with the mind-set of the potential hackers, whereby cyber security is a customer experience and revenue opportunity, not just a risk that needs to be managed.
Gathering intelligence and building out strategies should be an organisation’s first instinct. Both employees and clients provide attackers with access to internal systems and often the best way of detecting attacks is to understand how those stakeholders might be targeted. This approach puts organisations on the front foot by turning cyber preparedness into a competitive advantage rather than a cost.
Ruthless and rational entrepreneurs
Insurers and other businesses are now in an arms race with professional criminal gangs and state entities with sophisticated tradecraft. Ninety-six per cent of businesses surveyed in the report admitted that criminal entrepreneurs could be bribing employees, while only forty-four per cent confirmed they had prevention measures in place to tackle the issue. The twenty-first century cyber criminal is a ruthless and efficient entrepreneur, supported by a highly developed and rapidly evolving black market. It’s no exaggeration to describe them as ‘criminal entrepreneurs’.
Like any entrepreneur, the cyber attacker’s intention is to make money – fast. A distributed denial of service (DDoS) attack, for example, can cost just $5 per hour to mount, yet more than $40,000 an hour to defend against. Attackers buy malware online, rent botnets by the hour, and compete for the best talent so they can inflict maximum damage. Their motivations have also changed: fame, notoriety, financial gain or political recognition are all common ‘trophies’, alongside the widespread media attention which often accompanies major hacks.
Unlike conventional competitors, cyber crime entrepreneurs do not play by the rules. They are also undeterred by laws and regulations, perfectly content to damage the organisations they attack and exploit the customers who are often the ultimate victims.
With such high financial and reputational stakes, CEOs and businesses can no longer afford to sleepwalk into a disaster. A report by the Department for Business, Innovation and Skills found that ninety per cent of large companies had suffered a security breach. If a company hasn’t yet been attacked, it is either extraordinarily lucky or living in the dark. When BT provided the communications network for the London Olympic Games in 2012, we repelled 11,000 malicious attempts every second and we had to fight off 200 million attacks in four weeks, and that was over four years ago. In the last 18 months alone we have seen a 1000 per cent increase in cyber-attacks on BT.
The need for speed and agility
Organisations need to treat cyber criminals the way they treat challenger brands – by understanding and disrupting their business model. The challenge is clearly to develop a digital business model resilient enough to withstand a cyber-attack, and that requires a strategy that looks at the digital risks facing the business as a whole: not simply the information systems, but also the customers and supply chains.
To find out more about some of the themes that Luke Beeson talks about here, download this report: Taking the Offensive http://www.globalservices.bt.com/uk/en/point-of-view/disrupting-cyber-crime.