Ash Patel, ECI’s Head of Cyber, explains why every company should be having a strategic discussion about cyber risk, and looks at how to secure board engagement.
Even before the Covid-19 pandemic, cyber attacks were a clear and present danger to businesses; the World Economic Forum (WEF) has included such attacks in its Global Risks Report in each of the past five years. But the pandemic raised the threat to a whole new level, with groups including Interpol reporting a surge in attacks on businesses during the crisis.
Despite this escalation, many boards are still not seizing the initiative. Research from Harvard Business Review suggests that while many boards are now at least discussing cyber security more frequently, the true nature of the risk is not well understood. The WEF says boards need much stronger foundations to govern cyber risk effectively.
This is why at ECI, my own role is a dual one: my job is not only to manage ECI’s own cyber risks, but also to work with our portfolio companies to help their boards identify and understand the scale of the risks they face. Armed with this knowledge, they can begin to mitigate the danger.
This is not to suggest there is a one-size-fits-all approach to cyber risk. My role is to help boards identify the gaps in their cyber security, in the context of the threats they face in their businesses and relating to their commercial objectives. With that information, every board has to make its own decisions about acceptable risks, and the strategies it might pursue to counter them.
Why CEOs should care
All CEOs should worry if cyber is not yet routinely a feature of the board pack. The UK Government’s most recent survey of cyber security breaches found that four in 10 businesses suffered a breach or attack last year; of those, more than a third reported negative impacts, ranging from financial loss to business disruption.
Some of these impacts are so serious that your business may never recover. You may lose crucial intellectual property to a rival that is able to secure market advantage as a result. You may face punitive regulatory sanctions: the General Data Protection Regulation allows for fines of up to 2% of a company’s global revenues if you are shown to have security or data protection failings. There is also potential for irreparable reputational damage: more than one in four consumers say they would stop doing business with a company following an incident compromising their data security or privacy.
Moreover, cyber security is an issue that touches every part of the business, with potential impacts and vulnerabilities in every function. Marketing’s relationships with customers, say, may be an obvious issue to consider, but have you looked at how HR is training the workforce on cyber risk, or how product teams are incorporating security into their design processes?
The cyber landscape has changed. It is not just that the pandemic has encouraged threat actors, or that these attackers are becoming more sophisticated, though that is certainly the case (the US is mulling a military response to ransomware attacks, so numerous and successful have they become). The other imperative is that so many businesses are now putting technology at the heart of their value proposition. And while digital transformation may be the key to unlocking growth and profitability, it also provides bad actors with a much bigger surface area to attack.
How CTOs can push cyber security up the board agenda
The CTO has a crucial role to play in ensuring the board is able and willing to engage with cyber security in a consistently meaningful fashion. To achieve that goal, consider these ideas:
- Talk to boards in the language of the business. Technical IT jargon is far less likely to resonate strongly with the board than a discussion about how cyber attacks threaten the business’s value story.
- Focus on future proofing as well as today’s operations. It is important to counter attacks on the business as it stands, but do not overlook the threat that cyber poses to innovation. Boards’ efforts to pursue a digital agenda may be undermined by cyber risk if it is not properly understood and planned for.
- Concentrate on areas of weakness. Our cyber gap analysis focuses on the areas of risk where controls are often weaker; in particular, does everyone in the business, including the board, understand how the company tries to protect itself? Is training regular and mandatory?
- Learn from experience. Spend time discussing incident reports with the board, focusing in particular on what the company has learned – and what is required to prevent a recurrence.
- Agree on targets and monitoring. With a set of key performance indicators included in each board pack, the board will have a clear view of how the company is performing.
In practice, there are plenty of technology, process and people changes your business can make to protect itself – including planning for what may be an inevitable breach or attack – and ECI can help. But do not lose sight of the bigger picture: once CEOs and the board have a full grasp of cyber in the context of the business, they will be better equipped to pursue the business’s digital transformation and growth priorities.