Information intelligence expert BAE Systems Detica has issued a warning to businesses that current risk assessment practices may be significantly underestimating the true cost of information and IP theft by cyber criminals – estimated to cost UK businesses £17bn every year.
Speaking at the second Worldwide Cybersecurity Summit in London to an audience of government and business leaders from the Cyber40 countries, BAE Systems Detica Managing Director Martin Sutherland claimed that despite the escalating risk posed by cyber attacks, the risk of commercial data or IP loss is not being given the same priority as 'conventional' business risks.
In essence, Mr Sutherland offered guidance on generating cyber attack scenarios, arguing that to obtain a true estimate of an organisation's vulnerability to data-theft attacks, senior management must not leave the impact assessment to a bottom-up process driven by security specialists. Such a conventional approach produces a flawed risk assessment, particularly for the covert attacks that cost organisations so dearly.
Martin Sutherland, Managing Director of BAE Systems Detica said: “Our dependence on cyber space has inevitably increased our exposure to security threats, and as cyber attacks grow in frequency and complexity, it is vital that businesses reappraise their approach to risk management accordingly.
“This means that a more holistic, business-led approach to assessing impact and managing risk is required. With impacts of such potential magnitude to contend with, it’s important that business leaders don’t leave their risk managers or IT teams attempting to mitigate these cyber threats alone, but instead take the initiative and actively engage with the challenges faced.”
Sutherland explained that businesses must now take a broader view of the value of the information a company holds and create scenarios to assess the potential business impact of any loss. This requires far greater coordination between the company's board and security specialists to properly calculate the different levels of risk posed in each scenario and identify who might want to attack the business, what their motivation is and which information assets are most valuable to both the business and its attackers.
Martin Sutherland continued: “Effective cyber risk management is about enabling your security specialists to focus on protecting your organisation’s most valuable assets. Companies cannot afford to give equal priority to every corner of the network, which is why it is vital that board-driven risk assessment – separating the assessment of business impact from the assessments of threat and vulnerability – is carried out to determine the true level of risk faced.”
To enable risk managers to better assess the threats they face and build a business case for mitigating these risks, Detica has authored a new report titled ‘Enemy at the Gate’, which can be downloaded from the Detica website.
In addition, Detica has prepared five crucial steps to help businesses reappraise their cyber risk strategies:
1. What are the potential threats faced? - Establish your potential attackers and determine which threats the business is most likely to face
2. Which assets are most likely to be targeted? - Using these scenarios, assess the likely target of each attack – for example, customer databases, intellectual property, internal communications
3. What is the motivation of the attacker? - Determine the purpose of the attack – is it to cause disruption or reputational damage, to gain competitive advantage, or to be used for extortion, for example?
4. What is the potential business impact? - Assess both the direct financial damage and the broader business consequences – such as higher competition, lost business or lower prices – of each attack scenario
5. Which assets require the highest level of protection? - Based on your evaluation of potential attack scenarios, identify which assets are high impact and prioritise the protection of these assets
According to Detica, implementing the checklist can raise overall levels of security and help identify specific measures to protect against particular types of threat. Better risk understanding and management can also lead to better prioritisation, and hence better use of budgets and resources, creating commercial opportunity.
While the approach may involve technological solutions, it still needs to be a business-led discussion. Critically, security solutions must respond to business needs rather than being imposed on the business from the bottom up.
The Worldwide Security Summit (June 1st-2nd) aims to address cross-border cybersecurity challenges, high priority vulnerabilities and threats to the private sector, and to make advances on the most pressing issues in global management of critical information infrastructure.