Boards need to grasp the cyber security nettle

October 2021  | SPOTLIGHT | RISK MANAGEMENT

Financier Worldwide Magazine

October 2021 Issue


In the 1970s, the world started to move away from being industrially led toward the more familiar ‘information-society’ territory we now inhabit. At the earliest stages of this transformation, concerns over IT vulnerabilities were largely non-existent. However, today cyber attacks are all too common.

Recent cyber incidents include the Poly Network attack in August 2021, one of the largest cryptocurrency heists to date, in which attackers drained tokens worth around £433m; the Colonial Pipeline ransomware incident in May 2021, which shut down the main pipeline carrying refined fuel to the US east coast; and the Microsoft Exchange Server attacks disclosed in early 2021, which compromised on-premises Exchange servers at tens of thousands of organisations worldwide. In 2020, SolarWinds, a major US IT firm, had its software build process compromised: a trojanised update was distributed to its clients for months before the intrusion was discovered in December 2020, enabling foreign hackers to spy on private companies and the US government.

All these incidents illustrate an increasing pattern of corporate and political cyber attacks that are occurring on a daily basis.

As a result, cyber security is becoming increasingly important and should be viewed as a whole board issue for every organisation. Rapid digitalisation, particularly as a part of the fourth industrial revolution, has heralded the increased automation of traditional manufacturing and industrial practices through the use of smart technology which allows interconnected software and devices to make intelligent decisions autonomously.

While increased digitalisation has made decision making more efficient, cyber security threats have also risen sharply. Most organisations now hold large amounts of customer, employee and intellectual property (IP) data in digital form, and protecting it requires sustained investment and attention. Any breach of that data can damage reputation, cause direct financial losses and erode consumer confidence. In some cases the consequences of a breach are terminal.

It is in this context that developing a corporate cyber security plan requires a full appreciation of the developing cyber landscape.

Digitalisation in contemporary times

The ‘4.0 economy’ is characterised by terms which are synonymous with increasing digitalisation – artificial intelligence (AI), cloud computing (CC), machine learning (ML), the internet of things (IoT) – and the pervasive nature all these technologies possess.

All modern companies rely on technology, with financial institutions and the manufacturing industry being particularly reliant on automation, connectivity and AI. An organisation’s assets have become both physical and virtual, with people acting as the crucial link between the two. Unfortunately, the human factor is also involved in most breaches, whether through a phishing click, a reused password or a misconfigured system, so organisations must safeguard their people and processes as well as their IT systems and intellectual capital.

It was not so long ago that organisations hired individuals or relied upon entire departments to manage all their IT requirements. This is rarely sufficient today because IT is so central that it needs representation at board and executive level. This development may explain why many successful businesses now recruit executives and board members from technology firms, or directors who have fluency and experience with contemporary technologies.

These individuals are guided by their experience in making investment and insurance decisions based on expert knowledge about what is needed to safeguard a firm’s technological assets. Strategy must prioritise cyber security to fortify organisations in the contemporary digitalised world.

The types of attack and perpetrators

The SolarWinds attack in the US was attributed by the US and UK governments to Russia’s foreign intelligence service and was allegedly the work of more than 1000 engineers; it impacted numerous technology companies, private firms and US federal agencies. The Microsoft Exchange Server attack compromised on-premises Exchange servers at tens of thousands of organisations, including US government bodies and businesses, and was attributed to China by the UK, US and European Union (EU) in July 2021. The Federal Bureau of Investigation (FBI) identified the criminal ransomware group ‘DarkSide’ as responsible for the Colonial Pipeline incident; the pipeline, which runs from Texas to the US east coast, was shut down for several days, prompting a regional emergency declaration by the US Department of Transportation, and the company paid a ransom of roughly $4.4m, much of which the US Department of Justice later recovered.

The list of successful cyber attacks continues to grow and indicates the main types of attack and perpetrators, ranging from those engaged in cyber espionage and hacktivism to spiteful malfeasance.

The motivations for these attacks depend on the criminals initiating them. Sometimes the action is intended to demonstrate superiority by paralysing essential services. On other occasions, the aim is simply to steal using tools like ransomware. State-sponsored activities are usually designed to cause significant losses to competing nations, damage critical infrastructure, or gather confidential financial data and IP.

Individual hackers gain illegal access to networks using techniques like phishing, while so-called ‘hacktivists’ are mostly groups intent on influencing or taking a public stand against particular policies. Organised criminal groups sometimes act on behalf of large organisations or governments for their own gain, or are simply extortionists hoping to secure significant financial returns.

There is naturally a growing demand for cyber security legislation and for governments to establish authorities that prevent cyber crime and support its victims. Regulators such as the US Securities and Exchange Commission (SEC), which expects listed companies to disclose material cyber risks and incidents, and industry bodies such as the IT Governance Institute are examples of these efforts taking shape. The EU’s General Data Protection Regulation (GDPR) has been lauded for placing a spotlight on how companies handle personal data, requiring privacy risk assessments for high-risk processing and notification of breaches to regulators within 72 hours.

In the UK, the Government Communications Headquarters (GCHQ) has, through bodies such as the National Cyber Security Centre (NCSC), made great strides toward identifying and preventing cyber attacks. However, many boards still need to devise specific strategies to fortify their organisations and better protect their clients.

Addressing cyber concerns at board level

As the spotlight on cyber security grows stronger, a number of practitioner reports are identifying patterns of interest and surfacing new facts. A study by CGI (UK) and Oxford Economics found that a severe cyber attack on a FTSE 100 company causes a permanent decline in share price of around 1.8 percent, equivalent to roughly £120m in market capitalisation.

This helps contextualise a UK government survey which found that 80 percent of businesses regard cyber security as a high priority for their governing boards. Additionally, a recent IBM survey of 3000 global CEOs, comparing organisations performing well against those underperforming, found that 46 percent of respondents identified security and risk as the areas where they expect technology to make the greatest impact.

Over the next three years, it is anticipated that corporate reliance on technologies including IoT, cloud computing and AI will all dramatically increase. To arrive at appropriate and effective cyber security solutions, boards will first need to identify the significance of their organisation’s technological assets and appreciate tangible and perceived IT risks to their businesses.

This process begins by acknowledging IT as a key resource and a major focus at board level. Once these initial steps have been carried out, organisations will find themselves in a far stronger position against potential cyber attacks. There is even an argument that this approach offers a significant competitive advantage in a market otherwise awash with increasingly destructive cyber threats.

Board oversight gives directors the chance to pre-empt cyber security risks and prepare accordingly by crafting response strategies. The stewardship role of the board should delineate a clear process for identifying, evaluating and addressing cyber security threats.

Owing to a lack of certainty and failsafe predictions regarding this constantly evolving and dynamic field, a layered approach to board preparedness may hold the key. Once a cyber security strategy has been outlined by the board, coupled with vigilant implementation throughout the organisation, consistent cyber security management is the most reliable solution in the governance toolbox.

Boards and executive teams need to focus on a select few elements within their strategy to best approach and address ongoing cyber security issues.

Top of this list is a focus on keeping pace with the dynamic nature of issues within the cyber security landscape. Additionally, technology should receive a greater focus for the value it provides and be used appropriately with adequate safeguards in mind.

It is also important for companies to embrace emerging regulations and legislation in partnership with authorities and policymakers. If constructed cooperatively, the policies of tomorrow will understandably have more of a positive and effective impact.

Can you afford to not act?

The implications and benefits of a top-down approach to cyber security cannot be overstated. The successful pathway to cyber security governance is to prepare for and manage potential threats, and in doing so create a constantly evolving framework which underlines actions relating to all future cyber security issues.

Workplace safety and security is as important as developing efficient cyber security practices, all of which need to be incorporated into organisational culture and the day-to-day business routine. A successful response plan for potential cyber security issues is an investment worth making for all the potential reputational, legal and financial costs it could save. This may well be the deciding factor in positioning an organisation to survive and thrive in today’s highly competitive marketplaces.


Nada Kakabadse is professor of policy, governance and ethics, Andrew Kakabadse is professor of governance and leadership and Ruchi Goyal is doctoral researcher at Henley Business School. Ms Kakabadse can be contacted on +44 (0)1491 418 786 or by email: n.kakabadse@henley.ac.uk. Mr Kakabadse can be contacted on +44 (0)1491 418 776 or by email: a.kakabadse@henley.ac.uk. Ms Goyal can be contacted on +44 (0)7551 511599 or by email: r.goyal@pgr.reading.ac.uk.

© Financier Worldwide
