As business moves into an age of innovation and disruption, its leaders are tasked with the job of finding new ways to protect its assets from a breach in cybersecurity.
The traditional approach to risk management was to build a virtual ‘moat’. That is, protective measures were taken to ensure the safety of its data from unauthorised use, dissemination, and access.
But now business is facing an environment where everything and everyone will be connected into an integrated global network – the Internet of Things (IoT). According to experts, this will require a major rethink of once workable cybersecurity systems and strategies.
“Unfortunately, not enough of this stuff is keeping executives up at night.” – Nigel Phair
Jeremy Rifkin explains in The Zero Marginal Cost Society, that in 2007 there were ten million sensors connected to the Internet, and by 2030, that will increase to 100 trillion.
Right now, specialised analysis puts the cost of a data breach at $3.5 million. But the hurt on a company bleeds into vectors where the price is inestimable; resulting factors can include loss of reputation, customer trust, and brand damage.
Meanwhile, as businesses feel the implications of IoT and what that might mean for their organisation, the global cybersecurity industry is growing to meet the challenge. By 2019, estimates put its worth at $155 million.
Yet, for some experts in the space, cybersecurity has not entered board level strategy thinking even if, they argue, it should.
“I do not think the [dangerous possibilities] are on the radar of most executives,” Nigel Phair told OmniChannel Media. “They see the upside in digital and the online environment.”
Phair, a cybersecurity specialist and author, is currently a director of the Centre of Internet Safety at the University of Canberra.
“I think we are going through a period of fundamental change,” he said, “and [company governance] has got to consider security as part of their future strategy.”
Samantha Macleod, General Manager of Cybersecurity at ME, agrees “cyber risk is business risk,” she told OmniChannel Media.
“It is the business risk associated with the secure use of technology within an organisation.”
She said the board should be made to understand where the organisation is vulnerable from the outside, as well as where the potential threat to accidental or malicious activities from within.
Macleod feels that there has been an underinvestment in cyber “perhaps because of a lack of visibility by the board and a lack of understanding,” she said. “This has led to a lot of organisations with ageing technological platforms.”
“In the old days information security and services was more of a luxury,” explains Sanjay Verma, where it was more about compliance than answering a threat.
A veteran of cybersecurity, Verma is Head of Information Security and Risk at Deakin University. He told OmniChannel Media that these days cyberspace is the primary channel of communication.
“This is how people do business,” he said. “How they talk to each other, how they grow their business. It is all about increasing and defending the revenue.” Verma is convinced that, “cybersecurity is the number one priority for most senior executives right now.”
Still, he said, security tends to be quarantined as a ‘tech problem’ and not a business problem. “With the IoT we have to think about security in different dimensions.”
IoT means that a business organisation will be compelled to collect more and more data, said Phair. “So where are you going to store it? Who has access to it?” he said.
Macleod is not quite convinced that it is the new disruptive technologies that offer the top priority risk at all. “I would hazard a guess it is the cyber hygiene and the cyber debt such as existing vulnerabilities, or challenges with the old code,” that is the big issue here.
“Cybersecurity is a modern term driven by the shift toward an internet economy,” she said. “The extensive spending on cybersecurity media talks about here and [globally] has more to do with cyber debt than it has to do with forward thinking or trying to get ahead of the threat landscape.”
As such, she said, there has not been the focus by organisations, in their business plans or otherwise, to prevent the threat of a cyber attack or manage the risk associated with a data breach.
“Banking and finance are attuned to risk,” Phair adds, “because it is hitting them in the face every day. When I meet a CSO or CIO to consult from many other sectors I hear, ‘well I’m not a bank’ as if to say ‘why would anyone want to attack me?’”
He said that IoT has not yet transformed how security is managed. “A project by an organisation may be undertaken with a sound methodology,” he said. “But they are not considering security at all, or to a sufficient level.”
Phair believes that the solution is a matter having the right skill set represented on the project team.
Verma agrees, “When we talk about innovation and disruption in this area, we also have to talk about innovation in the security space,” he said. “We are talking about doing security in a totally different way.”