
Cyber security as a business differentiator

James Arthur

On 9th September, we hosted a group of experts in a live webinar to discuss the strategic importance of cyber security. James Arthur summarises the key points of the conversation.

Cyber attacks are now one of the most profitable types of crime that can be committed. Often they're controlled by organised groups of cyber criminals with sophisticated business models and have long-lasting impacts on the victim organisation's reputation, operations and profit.

As we discussed in our webinar, making cyber security a board-level discussion is one of the most effective ways of both minimising the chances of a damaging attack, and helping your business use cyber resilience as a business differentiator.

The panel at our webinar included:

  • James Arthur, Partner, Head of Cyber Advisory
  • Richard Manning, Chief Technical Officer for Economy and Society at the National Cyber Security Centre
  • Larry Hirst CBE, Independent Chairman and Director, former CEO of IBM (UK and Ireland)
  • Richard Knowlton, Director of Security Studies at the Oxford Cyber Academy
  • Nick Wilding, General Manager, Cyber Resilience, AXELOS Global Best Practice

Cyber security isn't just for IT

Traditionally, cyber security has been thought of as just a function of IT and not a matter of strategic importance. The financial impact of an attack wasn't considered significant enough to warrant board attention, and the cost of mitigating the risks was low.

Yet, as cyber attacks become more sophisticated and the damage they cause becomes more severe, firms are starting to take the threat more seriously. In particular, as remote working and digital transformation become normal during lockdown, robust security becomes a business differentiator that can grow trust in your firm.

From the boardroom to the frontline, businesses are starting to use cyber resilience as a benefit of their services that their competitors may not be able to offer. Yet simply increasing spend on hardware and software won't, on its own, improve cyber resilience.

As Richard Knowlton noted, the problem is principally one of culture. You need to recognise cyber security as part of your firm's health and safety culture.

Cyber health and safety

Employees, suppliers and shareholders need to be as proud of their great cyber security record as they are when they reduce injuries at work.

The harsh reality is that 90% of successful cyber attacks will start with one of us. An under-prepared and unmotivated workforce all but guarantees that your business will fail to respond effectively to attacks. It is the unwitting mistakes made during our busy and stressful day-to-day working lives that have a disastrous and lasting impact on our organisations.

Rather than mandating more annual compliance based ‘tick-box’ training, we need to listen to our employees more, to better understand the difficulties they have in complying with security policies. We need to fit security and our policies around our people not the other way around. As the National Cyber Security Centre advises, “security that doesn’t work for people doesn’t work”.

Our webinar panel believe we should make security awareness engaging, targeted, relevant and ongoing. Security should be easy and provide our people with the right motivation and prompts to do the right thing, using storytelling to demystify our processes and encouraging each other to share our experiences with colleagues.

Cyber security is a board responsibility

Overwhelmingly, our webinar poll showed 86% of respondents felt that cyber security strategy was firmly the responsibility of the board, supported by their IT team. Despite this, when we interviewed over 500 firms last year, only 37% had a board member with specific responsibility for cyber security.

For cyber resilience to become a true business differentiator, businesses must do three things:

1 Make cyber resilience the responsibility of a specific board member

2 Regularly review cyber risks and management at board level

3 Prepare a cyber incident response plan to rapidly contain and minimise the impact of an attack

Still, the board member who takes the lead on cyber risk doesn't have to be a technology expert. In fact, the more cyber security is viewed and treated as a business risk and discussed in non-technical language, the more we see boards engaging.

Putting cyber security on the agenda

Nowadays, board agendas should include cyber security reviews, presented by the lead of the company's cyber risk committee. Non-executive directors (NEDs) with knowledge in this space and external security advisors should be appointed to attend meetings and play a more active role. As was noted in our webinar, some companies have already taken this one step further and appointed a dedicated cyber risk committee, chaired and attended by more than one NED or board executive.

We know it's hard to keep security a priority all of the time. That's why our webinar panel believe it's so important to build it into your culture.

We work closely with our partner RESILIA to provide pragmatic cyber solutions that help our clients build a positive cyber security culture as they continue to reshape the future of their organisations. Our solutions aren't just about technology or expensive software; they help to make cyber resilience a significant asset to the reputation and performance of your business.

For support in embedding cyber security into your culture, get in touch with James Arthur.