21st Mar 2016

Why Boards Should Care About Cyber Security

Why Boards Should Care

In late 2015, a senior IT manager working for BlueScope Steel was made redundant. She then moved to Singapore to take up a management role at a competitor. What BlueScope's management discovered a short time later was that the employee had, over a period of time, copied gigabytes of data to a portable drive. This included a copy of software that gave the company significant efficiencies, and which in the hands of a competitor would represent the loss of a unique competitive edge. In a legal affidavit, one senior manager at the firm said that losing its customised software to a rival would do so much damage that the company was not seeking penalties, because "it was difficult to see how damages could adequately compensate BlueScope for the loss".

Losses like this occur every day in companies and government entities of all sizes, all over the world. News reports of data breaches, or hacks, have become so common that they are barely noticed, or even reported. Data from a 2015 report in the UK showed that 90% of large businesses had experienced a data breach. The average cost of each breach was between $2.9 million and $6.2 million.

Why has this become such a huge problem? Think about what has happened to the world in the last couple of decades. Commerce, entertainment, government services, and seemingly every other aspect of our lives have been transformed by technology. Some call this digital disruption. Information that previously resided on the pages of a book, or on an audio or video tape, is now just ones and zeros: pieces of data generated and stored by software. But the world has moved beyond storing that information on a hard drive somewhere. It now sits in “the cloud”, a nebulous term for the vast array of shared computing resources that organisations and individuals now routinely use to access everything from their morning paper, to their friends' latest holiday pics, to the critical business data their employers provide for them to do their job. And they are accessing all of this from a plethora of devices: desktop computers, notebooks, tablets, smartphones, smart TVs, cars, watches, eyeglasses, fridges, and the list just gets longer and longer.

What was once much simpler to secure, physical items such as paper books, standalone mainframe computers, and actual money you could hold in your hand, has become something that is increasingly difficult to keep away from prying eyes and thieving hands. Everything in the world is connected: the good, the bad and the ugly.

Think about what has happened to many industries in the last few years. Internet-born companies, that is, companies that arose in the internet age, have turned their industries on their heads. Companies like Amazon, Google, YouTube, Netflix and Uber. Many established companies have been seriously damaged, lost massive chunks of their market, or gone broke as a direct result of the rise of these companies.

Consider Uber. Until only a few years ago, if you wanted to use a taxi your choices were limited. You needed to make a call to book a taxi, or else hail one on the street. Getting a taxi was not always easy, or pleasant. During busy times all the taxis were taken. Taxis were not always clean, and sadly, sometimes neither were the drivers. Drivers were at times rude, or did not know their way around the city. Taxi prices have steadily risen, making them an unviable option for many, and the exorbitant fees charged for paying with a card did not help.

Then along came Uber. Suddenly you could just launch an app on your phone, choose a car and driver, and a polite owner-driver in a clean car, with a GPS app on his phone, would take you wherever you wanted at a dramatically reduced price. Overnight, the taxi industry was decimated. Even though Uber and similar companies have only been operating for a couple of years, and are not even fully legalised in many places, they have already taken up to 40% of the market.

How did the managers and boards of taxi companies let this happen? How did they not see this coming? Why did companies such as Walmart in the USA not foresee that Amazon was coming for their customers, and act to change their business model? Take a look at the management teams and boards of the internet-born companies. Now take a look at the same for older, established companies. The key difference you will always find is that the companies experiencing massive and rapid success have digitally savvy boards. They have people in key positions who understand the world of the internet and mobility, and how to use this explosion in technology to create enormous business growth.

Of course, some older companies have done a sterling job of reinventing themselves in order to survive, and even grow. Executives and boards in these companies have realised that they needed to educate themselves on the digital world and adapt their businesses to take advantage of these changes. They have had to learn how to get the IT teams out of the basement and integrate them into the commercial teams in their business. CIOs are now expected to be more than just the leaders of the IT teams. They need to advise the board on how technology can be used to grow the business, delight customers and drive efficiencies.

Through all of this change, what has often been neglected is the question: how do we continue to protect our assets? For many organisations, their most valuable assets are now digital assets. In the example of BlueScope, the company changed from one whose assets were non-digital, like plant, equipment and stock, to one that now held a very valuable digital asset in the form of software. Apparently no one at a senior level in the company looked closely enough at how easy it would be to steal this asset. The company probably spends a lot on physical security, making sure no one can just drive a truck into one of its warehouses and help themselves to some steel. Yet no one on the board or in senior management understood the transformation the company had undergone well enough to take the same measures to protect its digital assets.

In most organisations the IT teams have been tasked with IT security, but the mindset of an IT person, even a senior IT manager, is generally very different to that of a board member. They are not responsible for shareholder value. They understand better than most the cyber risks threatening their company, but they are not professional risk managers. They do not spend their days concerning themselves with corporate governance. And in the case of BlueScope, the threat was an IT manager!

Every company is at risk. This risk is clearly foreseeable. There is no excuse for a company and its board not to be prepared for it. All boards and all senior executives need to educate themselves on what the risks are, what they can do to protect their companies, and how to deliver the value to their shareholders that they have a responsibility to provide.
