If you are currently sitting in your office reviewing risk for 2016 and thinking that the biggest cyber threat is a 15-year-old leaking customer credit card numbers, think again.
Cyber attackers are increasingly sophisticated. They can break onto a corporate network very stealthily and give very little indication they are there, making nano-second movements in a month. They are almost impossible to detect.
So now imagine that instead of trying to steal data, they alter it instead. Perhaps, it is bank account information, or maybe numbers on a balance sheet. And, because the process is so subtle, this goes unnoticed for months or years. And when the attackers tell you this has happened, you don’t have a way of recovering the accurate data because this has gone on so long that you can’t trust your back up files.
This isn’t science fiction. Sophisticated cyber attackers can do this today. And until companies recognise this real and present danger, hackers will have the potential to undermine the trust we place in our institutions.
Businesses are already in the firing line. Over the past month we’ve seen breaches at TalkTalk, Vodafone and Morgan Stanley, surveys highlighting the cost of cyber defence and a culture in which the government is struggling to bring new regulations into effect.
It’s clear that most companies are ill-equipped to deal with this ’new normal’. When the director of GCHQ Robert Hannigan addressed the business community at the CBI conference last week, he rightly chastised his audience for not taking the threat seriously enough.
The numbers are stark – of the 3.5 million registered companies in the UK, only 1,200 are reported to have signed up to GCHQ’s Cyber Essentials programme, which helps companies protect themselves from the ever-evolving cyber threats.
This is a shocking statistic, not least because the penalties for failing to properly deal with a breach are so huge: reputational damage, customer loss, plunging share prices and senior level job losses.
I’ve been in a number of conversations recently where the likelihood of regulation has been aired. If companies don’t become more proactive governments will be forced to act. And we’re already starting to see proposals coalescing.
A glimpse into the not-so-distant future, the New York banking regulator proposed last week that companies have to create written policies on customer data privacy, their network security and that of their supply chains. The proposals also include the mandatory appointment of a chief information security officer, who would be responsible for documenting all of this in an annual report. I see these sorts of regulations as inevitable - and not just in the US or the financial sector.
But rather than wait for regulation to come, businesses should take the lead on cyber security. Faced with an anxious public that has a highly skeptical view of business in general, it is up to companies to demonstrate why they deserve the trust their customers place in them. FTSE 100 company boards should demand corporate executives explain what measures they are putting in place to protect their shareholders’ interests.
This can be a daunting prospect for directors that have historically viewed IT as unintelligible and beyond their reach. But instead of hiding behind the complexity of internal processes, I strongly urge companies to acknowledge that this has become a matter of priority for corporate governance. Cyber security should be evaluated right alongside other items in risk and compliance and prioritised accordingly.
Complacency is not an option and the risks go far beyond any one company. If boards don’t act, they only have themselves to blame.
Dr Mike Lynch is founder of Invoke Capital and founder and former CEO of Autonomy.