Why a clear cyber policy is critical for companies
In October, Joe Sullivan, Uber’s former head of security, was convicted of covering up a 2016 data breach at the ride hailing giant by hiding details from US regulators and then paying off the hackers.
It was a trial followed nervously by cyber security professionals around the world — coming six years after an incident that had compromised the personal information of more than 57mn people.
“Any news about another company dealing with a data security incident can strike a bit of fear across industries,” notes Mary Pothos, chief privacy officer at digital travel company Booking.com. She adds that incidents like these cause “many companies to pause, rethink or revisit their internal processes to make sure that they are operating effectively”.
These incidents, and threats, are growing at lightning speed, too. War in Ukraine is now being played out as much in cyber space as on the battlefield. The Covid pandemic has forced businesses to rethink where their employees work, and handle or access data. At the same time, the sheer number of web-connected devices is multiplying.
“We need to be people who can predict what is coming along the line, predict the future, almost,” said Victor Shadare, head of cyber security at media company Condé Nast, at a recent FT event on cyber security.
Palo Alto Networks, a specialist security company, found that cyber extortion grew rapidly in 2021: some 35 new ransomware gangs emerged, the average ransom demand rose 144 per cent to $2.2mn, and the average payment rose 78 per cent to $541,010.
Meanwhile, cyber security personnel find themselves hemmed in by increasingly onerous regulation, including the threat of legal action if the right people are not informed about breaches, or if products come to market without adequate security. On September 15, for example, the European Commission presented a proposal for a new Cyber Resilience Act to protect consumers from products with inadequate security features.
“New domains of security have sprung up over the past years, so it’s not just an information technology problem any more, it’s really a full company risk issue,” says Kevin Tierney, vice-president of global cyber security at automotive group General Motors. He warns that automated and connected vehicles have thrown up additional threats to be addressed.
“You have to start out with the right governance structure and the right policies and procedures — that’s step one of really getting the company to understand what it needs to do,” he says.
These include clear rules on how to disable access to tech equipment, on data protection and storage, on transferring and disposing of data, on using corporate networks, and on reporting any data breaches.
Security experts also tend to agree that there need to be robust systems of governance and accountability, to prevent the sort of trouble that befell Sullivan at Uber.
Perhaps most crucially, staff across the organisation, from C-suite to assistants, need to know how to spot and manage a threat.
Research by risk solutions provider Kroll in 2018, analysing breaches reported to the UK Information Commissioner’s Office, found that 88 per cent were caused by human error. The most common mistakes were sending sensitive data to the wrong recipient, the loss or theft of paperwork, failing to redact data, and storing information in an insecure location.
Research in 2018-19 by accountancy firm EY similarly found that careless and unaware employees were companies’ biggest security concern.
“Dry awareness training doesn’t really hit the mark, people don’t get engaged,” says Shadare, who thinks animated and interactive awareness programmes and modules can often “really help”.
Gamification — ie, applying game mechanics to staff training — is also proving effective, with research from Örebro University in Sweden finding that it can improve employee motivation and willingness to comply.
Shadare adds that training should be targeted at specific roles within an organisation, from HR to engineering, so that it has relevance to day-to-day tasks.
It is also incumbent on information security personnel to inform executives and board members about the nature of the threat, given that they can ensure the message is spread throughout the organisation, and finance efforts to enhance defences.
“The board controls the purse strings, the board controls the narrative and they control the direction of the organisation,” Shadare points out.
Tierney agrees. “It’s an education process truly for every employee,” he says, “including senior leadership and the board.”
When it comes to larger organisations that have complex supply chains — working with lots of different contractors and buyers — it is also crucial that security practices and policies are passed along the chain.
One approach that larger companies can take is to ask for evidence from their suppliers and vendors of the security policies they have in place and their staff training programmes, Shadare says. They may also share some of their own resources and training programmes.
Tierney stresses the importance of collaboration. “We work with tens of thousands of suppliers across our supply chain and . . . a lot of these companies just don’t have the resources to have a big security programme. It’s a challenge,” he says.
“The weakest link will cause an issue, so we have to work together.”