Cyber Security, the New Business Operational Model

Posted on August 19, 2016

The future of global economics lies in tapping and harnessing the hyper-connected networks of our digital lives. It is only when businesses and society start linking up that they fully realise the potential and value of their untapped data assets and privacy. In today’s digital society, where data respects no national or regulatory boundaries, how do you know whom you can really trust? Quoting from the ‘Commission on Enhancing National Cybersecurity’ in the US:

“…many agencies are not yet using the Cybersecurity Framework. They may be reluctant to do so because they are focused on the many requirements that they face, or because they do not understand how they can make productive use of the Framework within the larger context of managing their operations.”

This is not unique to the public sector or the US. It is an acknowledgment that Cyber Security is a critical national issue, the threat of our generation, going to the heart of national stability and economic competence. What the quote highlights is a real concern that the public sector is apparently too busy to attend to the priority of Cyber Security. If the recent Dell Global Survey on the European Union’s new ‘General Data Protection Regulation’ (GDPR) is anything to go by, this is a widespread issue. The survey reveals that most businesses are showing little commitment in this regard. A voluntary decision not to address Cyber Security is one thing, but in the face of regulatory obligations and eye-watering fines due to come into force by May 2018, it is striking. This is compounded by ‘Security Fatigue’, which, according to a new study by the National Institute of Standards and Technology (NIST), is causing computer users and businesses to feel hopeless and act recklessly. Businesses and national economies could pay a high price for such short-sighted decision making. Yet with the average number of detected Cyber incidents in businesses doubling in 2016 from a year ago, according to PwC, Governments appear content to allow the engine rooms of their economies to play Russian Roulette in the face of global Cyber risks.

The nature of most Cyber risk is the data breach, whether due to malicious actors or to simple human error or negligence. With any theft or loss of data outside its designed control environment, the ramifications take on rapidly escalating financial implications. According to the Ponemon Institute, the average cost per customer record breached is $158 globally. Whilst the cost varies by industry, the US and Europe are at the top end of the global range at $200 per customer record, and this cost is going up by approximately 3% per annum.

To put this in context, the cost ranges from $2.1 million for a loss of fewer than 10,000 records to $6.7 million for more than 50,000 lost or stolen records. Now consider that the average smartphone holds many hundreds of contact records, if not thousands, and the risk becomes all too intimate: employees are marching around with the equivalent of portable corporate datacentres in their pockets. The collateral damage to customer or national confidence is visible in the almost half of the people questioned by OnePoll who say they would actively avoid choosing a company in the future that had been hacked. A similar fallout occurs in industry supply chains and is set to blemish national cultural attitudes.

It may not be the Government’s responsibility to solve all these problems, and it is beyond the resources of law enforcement to respond to every Cyber breach, which regrettably turns the latter into a whipping boy for frustrated victims who feel helpless. However, there is an impetus that can only come through Government leadership. Just as Government champions and funds Health and Safety programs, there is a similar and very urgent need to address the lack of Cyber Security awareness, to raise national Cyber hygiene and to empower businesses to take responsibility for their own Cyber incidents. Direct, trustworthy interaction and engagement is required, in commercially practical measures delivered in terms that business leaders relate to – Insurance is just such a catalyst.

Risk mitigation has been the mainstay of business since before Lloyd’s insurance first started in a coffee shop in London. It’s a simple, well-trodden path. Businesses self-insure as much as they feel comfortable with and offset the rest through an Insurance policy. This is a self-accountable, responsible attitude to risk management. Insurance is regarded as a minimum standard of participation in many areas of society, from driving through to employing staff, certain third-party liabilities and industry-specific obligations. So why is it an afterthought when it comes to Cyber, the greatest risk surface and challenge confronting organisations of our era?

The formula is a simple one: a Government-incentivised program delivering a practical operational framework, underpinned by insurance-driven discipline. The return on investment of such a Cyber Security program is economically more tangible than the returns on grants currently committed to Health and Safety, for example. This has a cascade of benefits:

  • Securing the Business – 100% security is not a reality, but resilience (the business can withstand a breach) and self-determined accountability (the business has the independent means to recover from a breach) are what ‘Cyber Security Operational Framework + Insurance’ delivers.
  • Digital Transformation – Drives out the complexity of legacy systems and makes way for more agile use of new and mobile enablement technology.
  • Trust – Provides supply chain confidence, market resilience, economic opportunity, customer confidence in digital life and international respect.

This is why there needs to be concerted, collaborative action by Government and the Insurance industry to stimulate the adoption of Cyber Security best practices, which will help move organisations rapidly along the path to GDPR compliance. This has the potential to reduce risk for everyone, through Government incentive programs and compliance requirements driven by insurance policies.