Are cyber security warnings falling on deaf ears?
Enterprises are facing a tough environment. Bills are rising, and the threat of a recession still looms, but there is still huge demand for tech upgrades to deal with problems revealed by the Covid-19 pandemic.
Facing all of those concerns, executives have also been warned that industry needs a massive rethink on its existing approach to cyber security.
The warning, from research titans Gartner, isn’t uncommon in the tech world. Study after study has revealed that cyber threats are growing.
A prime example is from Vodafone, who found that more than half of SMEs in the UK had experienced some form of cyber-attack in 2022, 18% said their business was not protected with cybersecurity software, and almost 1-in-5 (19%) said that an average cyber-attack could cost their business over four grand.
Similarly, a Deloitte Center for Controllership poll found that over a third of polled executives report that their organisations’ accounting and financial data were targeted by cyber adversaries in 2022. Within that group, 22% experienced at least one such cyber event and 12.5% experienced more than one. But are these warnings being taken seriously by the people at the top?
Talking to a Brick (Fire)wall
The statistics build up to paint a picture of continually neglectful behaviour on the part of those running businesses.
Yet, the truth is more complicated. While businesses may put in place protections for their customers, MultiPass CEO Deniss Skokovs says that the attack landscape is constantly evolving, and the biggest challenge is just keeping up.
“Cyber Security is a huge issue for businesses, not just for the impact a breach could have, but the potentially business-ending fines that could serve as a punishment. Despite this, reports give the impression that a lot of businesses are still not doing enough to protect themselves and their customers.
“Businesses need to regularly assess their cybersecurity posture and identify areas where they can improve. They could do more by investing in employee training and awareness programs to educate their workforce on cyber threats and best practices for preventing cyber-attacks.”
Those are bleak words from Skokovs, and not doing enough is a serious accusation. According to Andy Haywood, non-executive director of Panache Cruises, the exposure that businesses may face is one of the key contributing factors when businesses decide to address cyber security.
“Given the significant breaches that we’ve seen, security breaches pose a huge risk for a travel firm, who trade on our ability to be financially secure.
“I think one of the challenges is that if something costs money you’re going to damage profits, which is why I think some companies have perhaps been a little bit frosty when it comes to investment.
“But I think that the high exposure of these recent cases has changed that mindset within the travel industry, and if people weren’t taking it seriously before, they certainly are now.”
The common theme is that cyber security is a business decision, not a necessity. As Tom Wood, CEO of carandclassic.com, points out, the consequences of a breach have been demonstrated many times, but cyber security is seen in the same vein as insurance.
“Businesses need a reason to invest, there’s less time and money for doing things for the sake of it, but I think we’ve all seen lots of high profile breaches and understand the damage that they can do, so the protection cyber security provides is seen as an insurance policy.”
Phishing in a dry lake
The awareness is there then, but knowing you have a problem doesn’t mean you have a fix.
Of the CEOs interviewed by Istari and the University of Oxford for The CEO Report on Cyber Resilience, published earlier this year, 100% feel accountable for cyber resilience, and yet only 28% said they felt comfortable making decisions in the area of cyber security.
The solution for this problem is often found in the partnerships that are struck for technology solutions like connectivity and payment systems, as Wood outlines.
“When businesses are selecting vendors, if they’re doing it with cybersecurity in mind, they’re less likely to be affected by breaches. It’s more about minimising that risk that is the key.
“We don’t invest in security because it sounds nice, I genuinely want to keep our customers safe and I want to avoid the risk of any breaches that can be damaging.”
“Increasingly, businesses are choosing partners who have the best level of protection and invest in security and protecting their clients,” added Haywood. “If the business manages a database or is taking payments over a website, then they will rely on third parties to make sure that everything is secure.
“It’s about making sure you have the right protection, but businesses must also trust someone to review the risk and make sure that partners are not vulnerable.”
Change in attack
At the heart of the problem is that those running businesses know that “anything that affects profits is paramount” and the cost needs to be justified. Yet, after decades of hacks and warnings, the message just isn’t getting through.
“I still don’t think cyber security is taken seriously enough,” said Wood, “and part of the problem is the people selling it aren’t necessarily making it easy to buy.
“Companies need to be more open to cyber security protection, assign budget to it, and take it seriously. But the security vendors could do a better job of explaining what it is and how it can help, and not just talk about risk reduction.”
According to Skokovs, the cyber security industry not only needs to do a better job of getting across the importance of their solutions, but “think of a new way to express the importance of tight security”.
“While the importance of cyber security is widely recognised, many individuals and organisations still view it as an afterthought or an unnecessary expense. The traditional methods of communicating the importance of cybersecurity, using technical jargon and emphasising the potential consequences of a breach, have not been entirely effective in changing this mindset.
“Additionally, the industry could leverage more relatable and compelling examples to illustrate the real-world impact of cyber threats, such as how cyber-attacks can compromise critical infrastructure, disrupt supply chains, and affect public health and safety.
“By adopting a new way of communicating the importance of tight security, the cybersecurity industry can better engage and motivate individuals and organisations to prioritise cybersecurity and take proactive measures to protect themselves from cyber threats.”