Unless you invest in innovation, your share price is at risk from cyber crime, writes Sam Hutton, CTO at Glasswall Solutions, an email security product company.
Around the world, businesses are nervously watching for the next cyber attack in the wake of WannaCry, the ransomware that locked up the data in some very large businesses, such as Telefonica in Spain.
The widespread nature of this attack should have driven another nail into the coffin of corporate complacency on cyber crime. Although the individual ransom demands appear to have been relatively small, the cost in terms of disruption and reputational damage is potentially very considerable. What is often underplayed in discussions about cyber attacks is their effect on shareholder value. A report from Oxford Economics in April addressed this important question. Its authors calculated that attacks on companies around the world have cost investors £42 billion in total, with FTSE 100 companies bearing an average of £120 million in costs for each incident.
The researchers analysed 65 of the most serious cyber security breaches since 2013 and found that the impact of an attack was serious enough that a firm’s share price suffered an average 1.8 per cent drop from which it did not recover. Some companies saw a crash in valuation of as much as 15 per cent. The figures were arrived at through careful analysis of post-attack performance measured against a control group that had managed to avoid being breached. There is nothing new in saying cyber criminality represents a huge threat to the reputation of a company. The Oxford Economics report does, however, give us some hard evidence of the effect on the share price and investor confidence, as markets step back to assess a company’s future profitability and weigh up how it will be affected by an attack.
Business wakes up
Of course, any company that has lost data to criminals or been breached by hackers faces costs that cover everything from using consultants for remediation, to restoring its public profile and, quite possibly, dealing with compensation claims. And of course, there is the cost of installing new technology to make doubly sure that no further attacks are successful.
It has taken a while, but business is waking up to the fact that failures in cyber security are one of the biggest threats to the bottom line and to a company’s longer-term reputation among investors. The scale of the threat is being taken incredibly seriously. Earlier this year it was discussed at length at the World Economic Forum (WEF). For many of those attending, it was the biggest challenge facing the world’s technology industries. Others warned that fear of data breaches is causing organisations to hold off investment in technology that they need for their growth. In an attempt to deal with these problems, governments are placing ever more focus on cyber security awareness and advising on best practice. Last year in the UK, for example, the Chancellor of the Exchequer outlined a five-step plan to increase cyber security. In the US, the proposed Cybersecurity Disclosure Act would require public companies to give reasons for not having a cyber security expert on the board. In the EU, after the European General Data Protection Act comes into effect in 2018, organisations will risk eye-watering fines if they suffer data breaches or are found to be negligent around security.
It is not surprising, then, that Chief Information Security Officers (CISOs) are under pressure to be innovative and to find new, but cost-effective, solutions. They are increasingly aware that they will be held accountable in the event of a serious data or security breach. There remains, however, the strong suspicion that boards do not always listen or are still not fully aware of what is required to combat cyber threats effectively. The cyber insurance market is predicted to hit $7.5 billion by 2020, with nearly one third of US companies having such policies. It is very likely that in many instances this is driven not so much by the CISO as by the Chief Financial Officer or Chief Risk Officer. Buying insurance to mitigate the after-effects of a successful cyber attack is, after all, a form of defeatism: an admission that a successful attack is a very distinct possibility.
What our major businesses need now is for boards to take more active participation in the whole issue and wake up to the fact that a data breach or ransomware attack is not inevitable. Sadly, many CISOs are struggling to get the message across. A survey of IT and business leaders in 20 countries by the consultancy Control Risks found that less than half do not believe their boards are capable of managing cyber threats effectively. The advice is for CISOs to communicate with their boards in plain English, even if they do risk patronising their bosses and colleagues.
If the new focus on cyber security is to work, however, all involved need to realise that constantly evolving threats require constant innovation, rather than just post-infection sticking plasters. Criminals have moved on from what are commonly called signature-based threats and are now altering the structure of common file types. This is a mechanism for defeating existing security and anti-virus solutions in order to breach an organisation’s defences. These perpetrators are sophisticated professionals and shadowy arm’s-length state organisations with significant resources dedicated to ransom or theft, whether of money or intellectual property. When faced with such ingenuity, legitimate businesses cannot afford to fall behind in the race to innovate and need to reassess their level of skill and motivation.
Most fundamental of all, CISOs have to make their boards understand that traditional signature-based AV security is no longer a safeguard. They must make the case for investment in real innovation, which is the only sure way of defeating cyber attacks. With more than 90 per cent of successful breaches beginning with malicious code hidden in email attachments, it is time for businesses to deploy innovative technologies such as file regeneration. This keeps threats locked outside the organisation, thanks to its ability to match the common file types we use in attachments against the manufacturers’ standards for those formats. In less than a second it rebuilds them as clean versions before allowing them into the business in line with risk policy.
Besides blocking out threats, known and evolving alike, one of the great benefits of file regeneration is that it puts organisations back in control. It is this kind of innovative approach that major businesses need if we are to prevent criminals from destroying investor value by taking huge byte-size chunks out of share prices.