Why is the UK Security Market reactive rather than proactive?
This question has been rolling around my mind for a long time; I just can’t put my finger on why!
I work in the City of London and my experiences below come from the top tier of execs and influencers – I am not talking small business here; I am talking about how the upper echelon of the business world is tackling the Cyber Security situation. Naturally their names and companies remain with me, but I wanted to share this ‘Cyber Threat Reactive’ phenomenon.
Let’s start with a basic analogy. We, as the general public, lock our doors at home, we lock our windows and our cars, and when carrying personal belongings we make sure they are in a safe place on our person when commuting on the tube. But in the workplace? Granted, we have our personal passwords for our equipment, but many businesses are not investing in technology security solutions to prevent a major data breach, hack or identity theft.
I did some research and spoke to influential players from all sectors within the City, including CEOs, CISOs and Board Members of major corporations. I found that many corporations in the Financial Sector were up to speed (some may say almost to a paranoid level!), and I realised this is down to the Industry Standards.
If you were dealing with the FCA, you too would make sure your back was covered! Try opening a Banking Institution in the UK and you will know Regulation is the key to making sure businesses, and with them your data, are safe.
Many of the executives complained of the burdens Cyber Security brings to the table, especially now that even Non-Executive Directors are personally responsible, to a certain extent, for any data breaches within the financial sector. These new regulations put a completely new twist on the situation. Despite all the regulations in the Financial Sector, they still feel they are by no means immune to attack.
So the Financial Sector seems to have its ducks in a row, thanks to tight regulations, but what about the other sectors? After speaking with many executives in a wide range of sectors, I have to conclude that UK businesses’ attitude to Cyber Security is “Fire-Fighting”. Prevention is not at the forefront; rather, there is a ‘fingers crossed nothing happens’ attitude.
A main factor in this is that Information Technology Budgets have not increased to reflect the new dangers. One CIO I spoke to said “If your IT Budget is £10 and you know you cannot spend a single penny more, then Cyber Sec is not going to come first on the shopping list”. Most CIOs will weigh up all the IT requirements they have against the most pressing issues.
He’s got a point: what would you spend it on? With yearly IT running costs included within that budget, it is easy to see how difficult the decision is. How do you prioritise your spending? You throw the budget at the most pressing business functionality and hope for the best!
So the most compelling finding out of all my research was that CIOs prioritise by worst-case scenario, i.e. what happens to the company if there is a data breach vs what happens to the company if their database fails.
The priority goes to functionality and IT systems that affect daily trading. After all, if they go down there is a whole company that can sit twiddling their thumbs until it is fixed, or customers who will jump ship to the next brand. And what is the likelihood that a hacker is going to target your company this year?
It is clear the worst-case scenario for a cyber attack is minimised because the chances of it happening on the CIO’s watch seem minuscule next to the chance of core functionality failing.
The cost of a cyber attack, however, is exponential and could be devastating for any business. Think of the “Sorry” letters alone: I can’t imagine that after a data breach a company will send out emails; no, they are far more likely to rely on the more delicate and traditional postal letter. If a company has 5 million customers, how much will the stamps cost? Obviously this is over-simplifying to make a point, but one thing is for sure: it could close a business down!
Look at some of the issues for the business: reputational damage, market reaction, negative media attention, and if serious enough we are talking law enforcement involvement…. You get where I am going with this, and it goes without saying that at this point any company will have an army of lawyers on retainer. Will insurance cover these issues? Does the worst-case scenario prioritising seem wise now?
I completely understand the business has a function to perform and certain IT elements are required, but a balance of preventative measures must be a good idea – mustn’t it?
“Cybersecurity is the greatest threat since atom bomb”, Apple co-founder Steve Wozniak said in an interview with Australian TV news show Lateline.
CIOs are having to make judgement calls: what are the financial implications of IT systems going down in the last hours of the financial year? What if somebody steals and sells your data? What is the cost of dealing with fake calls to customers made in order to get their bank details? I heard the number of calls companies have to deal with and it’s out of this world. How does anyone handle a ransomware situation – do you just pay? More importantly, what is the newest trend to scam money out of customers or break into secure company networks?
Think this is complicated? Add to this the execs who speak of multinationals and cost pressure forcing the outsourcing of sections of the IT and/or customer service to a different country that has other regulations when it comes to data or dealing with IT systems in general. Now you have a hot-pot of worst-case scenarios!
This is all pretty doom and gloom and a frightening reflection of how these issues are being dealt with at the highest levels. What can be done, and who needs to address this within companies? Is it purely down to budget constraints?
One thing Cyber Security experts forget is what happens once you implement tougher policies and/or technology that records every step and restricts employees’ access. Imagine you have a bunch of super important creative people. They come up with an idea, be it day or night, and need access to something that can help the company have the next big thing that will transform the business and double revenue. Do you really want to restrict them?
The answer is yes and no.
All execs with a limited budget will ask “what is the chance this happens to me?”. What is the point in spending your budget on something that possibly won’t happen, when there are many other worst-case scenarios that could?
Another qualm of the execs is that running a smooth business gets more complicated the more policies, procedures and technology are in place. Quite a paradox, as technology should be helping to streamline business functions.
Some of it is just overwhelming and many companies just don’t have the resources.
In the past year I have learnt a lot about the UK Security Market, and one thing is for sure: data is the new currency and it needs protecting one way or another. Cyber criminals will not stop, and it is alarming the extent they will go to in order to get what they want.
What I also learnt is that I do not envy the executives and CIOs who are responsible for this decision. One thing I am damn sure of, though, is that their doors, windows and gates are locked at home… so go figure.
P.S. Whilst writing this I just received an email from someone called Mr. Chin who informs me that he has just received 21 Million US $ in his bank account and needs help transferring it. Of course, all he needs are my bank details for a very generous cut… Mr. Chin calls it a business proposal. The question is how many people are sending a response to Mr. Chin.