How to achieve effective cyber security in a hyperconnected world

JC Gaillard of Corix Partners casts a critical eye over the findings of last year's World Economic Forum research into cyber security

Last year's World Economic Forum report, Risk and Responsibility in a Hyperconnected World, highlights the increased need for a "robust, coordinated system of global cyber resilience" to mitigate the risks associated with cyber crime and cyber attacks. In a world that's shrinking by the minute, as the internet increasingly caters to instantaneous communication and global data access, security measures and governance need to go hand-in-hand and are paramount in addressing cyber risk.

Every day in the field, we at Corix Partners come across businesses that lack the cyber security measures to effectively counter the threat of cyber attacks. While cyber criminals have stepped up their game over time, many businesses have fallen behind and lack the corporate culture to properly address the threats at the same level. The issue of cyber security's low maturity levels, particularly among industries handling large volumes of data, is starting to gain widespread recognition.

Shockingly, GCHQ estimates that "80 per cent of cyber attacks in Britain are due to a failure to implement basic internet security" (Fraser Nelson, Daily Telegraph).

Large corporations have been guilty of focusing excessively on a tactical and reactive response to cyber security challenges and have relied excessively on purely technological solutions - throwing money at technical quick fixes instead of addressing long-term underlying structural problems.

How can the risk of cyber crime be addressed sustainably?

The 2014 World Economic Forum report revealed that half of the respondents to the survey spend in excess of three per cent of their total IT budget on cyber security (with many spending more than five per cent - and some up to seven per cent). When you consider that most of the firms surveyed had a market cap in excess of $5bn, these percentages represent a huge amount of money. Why, then, are the vast majority (80 per cent) of cyber attacks due to a lack of basic internet security?

The fact of the matter is that these vast sums of money are being spent on ticking arbitrary audit boxes or trying to deploy over-engineered technical good practices - often without much success. Instead, enterprises should be focusing on building simple, lasting controls that would protect corporations against real threats.

A strong wall of security extends far beyond any software or hardware solution. True protection against the ever-present risk of cyber attacks must be business-wide, and can only stem from strengthened internal governance. Where cyber maturity levels have been low for a long time, only structural transformations and cultural changes, taking place across an organisation, can provide a lasting solution.

Can we estimate the economic impact of cyber crime?

The 2014 World Economic Forum report aims to put a true price on the cost of cyber crime, and estimates that, between present day and 2020, the global economy could lose out on up to $3tr of economic value. This puts the issue of cyber security in a truly economic perspective - and these figures aim to get the attention of global business and world leaders, compelling them to take action. However, while this economic standpoint is interesting, will it be enough to push corporations and governments to step up their game?

The report positions cyber security in a true economic perspective, but the absence of broader macro-economic data makes its conclusions easy to challenge.

The report bases its estimate on research from the McKinsey Global Institute and assumes that currently foreseeable technological innovations could create (broadly) between $10tr and $20tr of economic value by 2020. Even assuming a maximum impact for cyber attacks, that leaves value creation somewhere between $7tr and $17tr - that's more than $1tr per year in the lead-up to 2020.

While these figures represent a staggering amount at face value, the report fails to offer any broader macro-economic perspective and it's therefore difficult to gauge whether its conclusions are accurate or indeed justified.

How accurate is the report?

First of all, the complexity of the topic makes it essential for all economic actors to work together in synergy to avoid the most damaging scenarios. To achieve that, it is crucial for them to have a transparent, common and thorough understanding of the concepts involved in addressing the issues surrounding cyber security. However, on examining the report, it quickly becomes unclear whether this is the case.

It's difficult to see how value-destroying scenarios can be avoided without more rigour around key concepts and less denial around the true historical perspective of the problem.

The report's use of language is at times inconsistent, possibly indicating an underlying degree of confusion among its contributors. In particular, the term "risk" is used throughout, but without the meticulousness required for its proper usage in each particular context. In some instances, it's used to refer specifically to an event (something that could go wrong or cause harm, and its likelihood or impact), and in other occurrences it refers to more general uncertainty. In less careful instances, it's even been used entirely incorrectly - for example, referring to the concept of cyber resilience as a "risk". These simple misunderstandings bring into question the report's overall authority.

In addition to this, the report fails to clearly define many of the numerous concepts discussed throughout. Even where attempts have been made to provide definitions, they have resulted in inaccuracies. For example, "cyber attacks" don't refer exclusively to the internet and external threats. Very often, in fact, insiders are involved - placing great importance on the need for adequate internal controls within businesses. The content of earlier documentation produced by the Partnership for Cyber Resilience also features similar inaccuracies and confusion.

While these criticisms may seem like a pedantic take on the language used, in any collaborative effort on this scale, it's essential that all economic actors involved share a clear understanding of the key concepts and the rigour required in both approaching and presenting these.

Further to the issues of clarity and consistency, the 2014 report presents cyber security as a "fairly nascent topic". We disagree and strongly believe that the roots of the problems extend far beyond the timescales suggested in the report.

In the language of the report, the "I Love You", "Code Red", "Nimda" or "Slammer" virus outbreaks of 10-15 years ago could easily fit the bill of cyber attacks today. Many recommendations made in the report, in particular in the "institutional readiness" section, revolve around concepts that could easily be derived from the spirit of the ISO 27000 series - concepts that also date back 10 to 15 years.

Why is cyber security so far behind?

To understand the true reasons behind the identified low levels of cyber security maturity, it's essential to put them into the correct historical perspective. Why is it that so many large corporates have spent so much to achieve so little in that space, and over such a long period of time?

According to the survey, 80 per cent of the respondents had yet to reach a mature stage. It therefore becomes clear that the approach they have taken over the past 10 to 15 years to address cyber security challenges is not working.

Without identifying the roadblocks that have prevented more substantial progress over the past 10 to 15 years (and removing or neutralising them), the likelihood of any immediate or significant progress being made over the short term in the corporate world is very low - and a natural drift towards value-destroying scenarios seems unavoidable.

Our view is that these roadblocks lie in the historical, inadequate governance and organisational arrangements surrounding cyber security in large corporations - and the absence of sustained medium- to long-term security vision and investment plans. Until they address these, large corporations will continue to be exposed, will continue to react after the fact and will continue to rely - at great expense - on short-term technical point solutions.

Internal and external audit functions must also examine their own role in this and, where cyber security maturity is low, start pushing executive management towards the long-term structural transformation of their approach - instead of arbitrary technical quick wins.

JC Gaillard, Corix Partners