Adopting a proactive business approach to the cyber threat
Businesses today recognise the cyber threat but are unclear as to how to respond and governments should help them, Radware’s Carl Herberger tells defence writer Mark Lane.
Some striking results have emerged from a recent canvassing of businesses on cyber security.
US-based cyber security service provider Radware, which regularly surveys chief information officers (CIOs), this year tailored its survey for UK companies.
Carl Herberger, Vice President for Security Solutions at Radware, explains: “The response came back that the CIOs were more concerned about security than they were about Brexit, which was an interesting finding.”
Remarkably, the survey was done some weeks before the cyber attack which paralysed much of the NHS and which highlighted the vulnerability of businesses and other organisations.
The C-Suite survey also revealed some interesting differences in attitudes on the two sides of the Atlantic.
“We looked at the perception of the UK CIO versus a US-based CIO and there were statistically significantly different perceptions about all sorts of things, from the role of government to their environment, and the instances of cyber attacks on their environments and who’s to blame and what to do about it,” says Herberger.
“The call for government action was much higher on the UK side than on the US side but the concern for privacy was much greater on the UK side.”
When CIOs were asked whether they were doing more in terms of security than last year, in both countries they reported much more activity this year.
“It was like there was a klaxon call to do things but in the UK it was dramatically bigger than in the US,” he adds.
The survey also threw up a desire for greater clarity on privacy and compliance controls.
Among UK companies there was considerable uncertainty over how to approach GDPR, the EU General Data Protection Regulation, which comes into force in May 2018 and which will impose tighter sanctions on businesses when it comes to security breaches and the risk or potential loss of personal data.
GDPR will also enforce breach-reporting requirements and punitive sanctions. For businesses, this means they will have to report any data breach within a 72-hour window or risk facing heavy fines of up to 4% of global turnover for failing to comply.
“There seems to me to be a general ‘wait and see’ attitude,” says Herberger. “It’s something so overarching and there’s a lot of teeth in the law in terms of fines and the incredible amounts of money that can be levied against you for non-compliance.”
Brexit will make no difference. The new regulation will affect any organisation that processes EU citizen data, regardless of whether they are based in or outside of the EU.
This is just part of the potential cost of failing to provide for cyber security.
“Right now people are really underestimating the costs associated with IT security and cyber attacks,” warns Herberger. “People historically look back five or ten years and they think ‘this too shall pass’ but the evidence – especially over the past five years – is that there’s probably no cheaper time to do what you are doing in security than right now. As we head into the future, it’s only going to get more expensive and more complicated and people are going to have less tolerance for people who are taking a more conservative approach in addressing these threats.”
He believes businesses should adopt a proactive approach and start putting controls in place without waiting for more evidence of the potential threat.
Herberger argues that the nature of the threat and the challenge depend on the nature and the size of the business. A big company has the resources and ability to recruit the right talent, although its size can inhibit its ability to react quickly.
Middle-tier organisations might not face the same level of threat in terms of the nature of their own business, but they can provide the cyber attacker with a route into any larger organisation that they serve.
“With the small companies you often hear them say: ‘We don’t truly know whether we even have a business until the adoption of our idea takes hold – we’ll worry about on-boarding all of these costs thereafter’.”
Herberger believes that there is a clear role for governments in providing cyber security.
“They need to define a minimum set of safety procedures and standards that everybody has to adhere to, whether it be driving cars or flying planes, and I truly believe that at the moment governments are remiss in this area.”
He adds: “The internet doesn’t really respect the idea of domicile and I think there needs to be something like a Geneva Convention where we come together internationally and say something has to be done.”
The post Adopting a proactive business approach to the cyber threat appeared first on Defence Online.