This may be a surprise, but you’ve almost certainly already been hacked and lost data. Ignoring the cyber security threat is not an option.
Sovereign wealth funds and their interests are as much a target for hackers as any other organisation. Your counterparties, stakeholders and suppliers of outsourced services are also at risk of hacking and data breaches. And they can be surprisingly vulnerable.
Even entities you might expect to have robust defences have succumbed to security breaches. Victims include an Iranian nuclear power plant and JP Morgan, which lost a vast amount of data in the US. Another high-profile example is HSBC, which suffered the theft of information by a systems administrator, who then passed it on to the government, resulting in tax authorities targeting offshore bank accounts.
According to the UK government’s 2015 Information Security Breaches Survey, 90% of large organisations and 74% of small businesses reported they had suffered a security breach (up from 81% and 60% respectively the year before). Meanwhile, the World Economic Forum has identified the risk of large-scale cyber attacks as above average in terms of both impact and likelihood. As the WEF notes, the risk is particularly acute because of the growth of internet connectivity, and the increasing amount of personal data being stored in the cloud. Global regulators are also waking up to this threat, and the press continues to publicise breaches. All of which contributes to a significant operational, financial, regulatory and reputational threat.
Having established that the threat is real, what can you do?
Firstly, it’s important to understand that cyber security is not an issue to be delegated to an IT function. It’s an issue that needs to be addressed by those in charge. Countering the threat begins with understanding what information you are holding and processing – and what information is really important to you. For example, some might think that emails have relatively low importance. But in fact, emails can contain material (such as personal opinions) that would be embarrassing if in the public domain.
Other questions to consider include: who are you trying to protect yourself from? You face both an external and an internal threat. Breaches could occur through either malice or error. Think too about the various parties involved in processing your data. There are likely to be multiple parties involved in your supply chain, and each party could represent a weak link.
A cyber security attack can have a huge impact, and dealing with it is challenging. If you still have any doubts, we can run a scenario exercise based on real-life cases. Over a couple of hours, the scale of the problem may become worryingly apparent.
For further information please contact Steve Williams.