Blog : BOARD TALK
Posted on January 5, 2014 at 1:00 PM
Cyber risk is not about to go away - why are we not hearing a lot more about it?
All FTSE 350 boardrooms should be paying extra close attention. Some of them may well be doing so, but all the surveys, media coverage and reports I have read in the last three months suggest that for most senior management and non-executive directors, it is just too far out of their comfort zone for them to stretch to it.
It is well worth reading the EY Global Information Security Survey 2013 - only you might not sleep well afterwards. A paltry 17% of respondents said their information security department met the company's needs. (my emphasis)
News from Lloyd's of London in 2014 makes for uncomfortable reading. It begins by saying "Industrial facilities from nuclear plants to dams are increasingly coming under attack from cyber terrorists bent on causing physical damage and disruption from behind their computer terminals."
It also quotes Rick Welsh, Head of Cyber Insurance at specialist utilities and energy industry insurer Aegis as saying: "For the moment the risk is still in the low vulnerability but high threat quadrant, but that will be subject to change in next year or two... We've been told of quite a few attacks that have been successful but the scope of the damage has been kept out of the press and downplayed. No-one wants to talk about it - particularly when it concerns critical infrastructure."
Agreed. What actually happened recently on December 7 when many UK flights were delayed? It was described as a 'glitch' - which frankly, sounded ridiculous. Then we have RBS 'glitches' with non-functioning ATMs for customers - and of course the media RBS bashers go on a particular offensive, rather than wonder about information security in the financial services sector in general. Anyone who has followed it for the last 20 years knows just how silo-ed it is in terms of decision making - including IT upgrades.
And yesterday - this 'technical glitch' at Tesco. Really? What is this media obsession with the word 'glitch'?
My trusty Oxford English Dictionary to the rescue: (yes, I looked it up in the hard copy)
GLITCH: 'a sudden, usually temporary malfunction or fault of equipment - an unexpected setback'
OR 'a brief irregularity in the rotation of a pulsar.'
Know what? I don't think it is either in these cases... and nor do I believe that this is in any way a 'temporary malfunction' for business.
I have no wish to plant fear - but perhaps that is exactly what we need to feel to get moving on collaborating on this issue. And collaboration is key.
This UK Government is on the record with many plans to be the world leader in Cyber Security. Unfortunately, the Minister with responsibility for that is Francis Maude - the same man who suggested we save petrol in jerrycans in our garages ahead of a threatened fuel tankers strike in 2012. So please forgive my concern.
I am on the record as a fan of integrated reporting. I watched this clip of Paul Druckman, CEO of the International Integrated Reporting Council (IIRC) this morning off Twitter, and listened to him talk about software companies and putting a valuation on their Intellectual Property. And I wondered if integrated reporting is one way forward for boardrooms in dealing with Cyber Risk and Cyber Security.
I believe I am seeing him on a panel soon - I will have to ask him. Watch this space.
And Happy New Year.