We’ve all heard the headlines about data breaches at the likes of TalkTalk, Metro Bank, Wonga, and Yahoo. But unless you are really tech-savvy, ‘cyber security’ probably has quite a vague meaning to you. You might be in some doubt as to its relevance to your business; the whole area appears so baffling and complex to address that it is dumped into the box marked ‘too difficult’ and given a good stiff ignoring.
But that is a dangerous course of action. As the report ‘The cyber threat to UK business 2017 – 2018’, produced by the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA), makes clear:
“Cyber-attacks have resulted in financial losses to businesses of all sizes. The costs arise from the attack itself, the remediation, and repairing reputational damage by regaining public trust. Attacks have also triggered declines in share prices and the sacking of senior and technical staff held to account for massive data breaches. The enforcement of the General Data Protection Regulation (GDPR) in May 2018 could, under certain circumstances, lead to severe fines for organisations which fail to prevent data breaches”.
The real cost
Gulp. So, it’s pretty relevant to a business of any size. And just what kind of figures are we talking?
According to a report from IBM’s Ponemon Institute (‘Cost of a Data Breach 2018: Global Overview’), the global average cost of a data breach was an eye-watering £3 million, including:
- actual money stolen
- cost of buying new IT equipment
- fines for breaching regulations
- lost productivity
Moller-Maersk (quoted in the NCSC/NCA above) reported an expected loss of revenue of €350m from the 2017 NotPetya attack of June 2017.
The UK Information Commissioner’s Office intends to fine British Airways £183m (1.5% of their worldwide turnover in 2017) after more than half a million customers’ data was stolen by hackers from its website and mobile app (according to a report in the Financial Times (8 July 2019).
What should you do?
Rather than panic, you need to take the bull by the horns, get informed about cyber security (which, like most things, isn’t so baffling when you get to grips with it), and learn how to manage the risk of a cyber-attack. Your technical team, your bosses and your board members all need to be able to communicate about cyber risks, and the board has to be sufficiently knowledgeable to ask the right sort of challenging questions.
You don’t all suddenly need to become cyber security experts, but you do need to understand enough to make your defence stronger. As Ciaran Martin, CEO of the NCSC, puts it: ‘…cyber risk is a business risk. And it needs to be treated like one. That means you have to understand it. People at board level need to understand the basics – and I stress, basics – of cyber-attacks, cyber risks and cyber defences. That’s daunting, but it is doable. It’s essential.” (CBI Cyber Conference, Sept 2018).
The good news is, you’re not on your own here. As in much of life and business, there are experts on hand; people with the tech know-how and the real-world experience to guide you through and ease the pain points. Our advice is to find a specialist who can work with you.
Author: George Patterson, Director, Hexegic
Hexegic has developed a means of helping board members and technical teams to communicate about cyber security and identify where defences are weak. Their product, Vue Risk, is based upon an infographic methodology that is used to manage risk across hazardous industries, such as aviation and oil and gas. They can help any business or organisation to quickly get a picture of their cyber security position – and how to improve it – within a short consultation.