By Paul Taylor, Partner and UK Head of Cyber Security at KPMG
The business landscape today is filled with companies aiming to out-innovate the competition through the creation and adoption of new technologies. Businesses are trying to become more efficient and productive through updating infrastructure, digitising more of the business, and integrating automation. At the moment, technological advancement is doing everything from helping to improve the speed and accuracy of medical diagnoses, to supporting the development of driverless vehicles with automated control systems to automatically determine the most efficient routes for drivers. Rail networks are even implementing cab signalling and traffic management systems to make trains more efficient. The drive to innovate is alive across most UK sectors and this plays an integral part in supporting our economy.
However, the race to beat the competition can sometimes leave other priorities – like cyber security – side-lined, leading to vulnerabilities that can have serious consequences which are often financial. With trends like the internet of things blurring the lines between devices and systems, this issue is exacerbated as the attack surface of organisations effectively expands.
These vulnerabilities are leaving doors open to the growing number of opportunistic and sophisticated cyber criminals that are investing their time and energy into new technologies, creating a big risk that businesses are having to contend with. The impact of not taking cybersecurity into consideration is clear to all, when you consider the devastation that can be caused by hacking and interfering with a rail network’s signalling, or changing the course of a driverless vehicle, as well as the huge financial impact to a company.
Businesses are working so fast when innovating that consideration for cyber security often comes into the equation too late – leading to reputational consequences as well as financial ones. The consequences of a lack of cyber-resilience have been widely reported. The commonly reported Sony hack a few years ago was due to criminals taking advantage of a Zero-Day vulnerability, leading to the network being pummelled and highly sensitive information about the company being leaked. Fiat Chrysler also had to recall 1.4 million cars in 2015 after it was discovered that a vehicle’s entertainment system could be hacked. But this issue hasn’t lessened in the last few years. In the UK last year, the rail network was also targeted by hackers at least four times, which highlighted what cyber criminals have the power to do – from using software to provide incorrect guidance to trains to telling them to speed up instead of slow down. In addition, at DEF CON this year, hackers were able to exploit vulnerabilities in five different types of voting machines, with the first ones being discovered within just an hour and a half.
The issue in the past has been that cyber security has been seen as a routine operation or consideration for the IT department. Now more than ever, it needs to be seen for what it really is – a business risk, and an integral part of a company’s risk register. A recent white paper published by the world’s largest body of infosecurity professionals, (ISC)2, entitled ‘What Every Business Leader Should Know About Cyber Risk’, outlines that businesses need to be incorporating cybersecurity into wider business planning by taking steps to halt projects where cyber risk has not been adequately considered, mandating cyber risk assessment for all new IT-related projects, and promoting a culture that focuses on building security within design. Ensuring that the CISO is a key part of risk evaluation is also a critical step to building a safer organisation, and any operations that are being changed or integrated should be prioritised and assessed for cyber vulnerabilities.
The adoption and development of new technologies is expected to speed up and continue to change businesses and the economy. It’s paramount to ensure that all potential vulnerabilities that come in the wake of so much change are firstly considered and then managed to stay ahead of the cyber attacks which today should be anticipated as inevitable. The best way to mitigate the risks is to ensure open lines of communication across job functions, including the financial team, so they can work together to keep the business as safe as possible as they pursue innovation.
Overall, cyber risk is the responsibility of business leaders as well as the cyber professionals.