George Quigley, cyber risk consultant with foulkon.com and KPMG ex-partner, provides insights into cyber risk.
Cyber security breaches have become more common in recent years. The underlying root cause seems to be the continuing ease which with bad actors can infiltrate systems and the many and varied ways that they can “cash out” their ill gotten gains. Clearly bad actors care about cyber security. Does your business?
There are a number of reasons why businesses seem to care less than the attackers. Three common ones are:
Whenever a cyber breach occurs there is a view that is it the result of a “sophisticated” cyber attack. The implication is that cyber breaches are inevitable and too difficult to counter. The reality is that whilst there are some sophisticated attacks, most breaches are not due to a sophisticated attack. The ratio of sophisticated attacks to non sophisticated is quite low. Understanding your specific cyber security risks will allow you to put in place controls that counter your risks.
Many factors influence share price. There is a view that a cyber breach has a limited effect on a share price, but overall it has no real impact. Share prices fall on the announcement of a breach then recover after a period, eventually exceeding the share price at the time of the breach. This view overlooks the fact that shares move relative to the market. There is some evidence to suggest that the share price rise is lower than it should have been, based on market movement, meaning that the shares are actually underperforming the level they should have achieved.
It appears that cyber breaches have a limited impact on the business affected. They continue to operate and, although they suffer some disruption, they don’t go into terminal decline. That view ignores the significant work (and cost) that happens behind the scenes. It also ignores the increasing trend of consumers becoming more vocal, which increases the likelihood of legal action and / or a loss of sales.
It is likely that the current trend of increasing breaches will continue until business cares more about cyber security than the bad actors. It makes sense to revisit your business risks arising from a cyber security incident in order to make sure that you have the appropriate controls in place.
It’s time to care.