Cyber risks – fast moving shift from film to fact
But what the survey did highlight was subtle changes demonstrating that slowly we are managing to create a bridge between technology, security and business.
To step back, let’s consider where these threats are coming from.
Technology is all-pervading in life – smartphones, smart TVs, connected cars, smart meters – seemingly everything is connected and online. WiFi, for many, is even considered a fundamental life requirement.
But this creeping technology reliance is forcing some behaviours and threats to emerge into society and business which, in all honesty, were the reserve of movies and intelligence agents a handful of years ago.
As incidents become more prevalent and daring and general awareness grows, businesses are struggling to understand and contextualise complex technical threats, simple human attacks and persistent, silent compromises into the simple question – What does this mean for my business?
Cyber threat doesn’t follow the usual rules of risk.
Instead, it will continue to increase and decrease based on events totally outside your control and visibility. With no notice, your technology and people can suddenly be exposed and compromised, and will remain so for around 200 days before being detected.
Legal risk is pivoting with the recent Safe Harbour ruling being overturned and huge changes to privacy laws in the pipeline. These have the potential to massively impact those Scottish companies operating globally, and I doubt that many have this on their risk radar at the moment or understand the legal implications of these changes.
I am sympathetic to businesses as this is a wide and deep set of issues to grapple with.
In many regards, Scotland is no different to other countries but we do have specific hotspots: utilities, oil and gas and financial services, major industry cogs in the Scottish economic engine, are the most disrupted and targeted industries.
While investment has been forthcoming, we are still lagging badly on seeing cyber risk as a business challenge, not a technical investment.
Boards and executive teams could do worse than get someone at their top table who can lead them through the process of ‘black hat’ thinking for the business. This just might unlock the key to working out what this really means for their organisation and let them understand where, what and how they plug the gaps.
One thing is for sure: the 2017 survey will show us that this is an ever-increasing threat, there will be more major data loss events (with the consequence of punitive fines), financially targeted attacks will continue to be successful and cyber criminals will evolve much faster than we can ever think to respond.
The question is, will organisations grasp the nettle and do enough in the intervening 12 months to not only identify and understand what this truly means for their business, but begin to define a strategy that will enable them to deal with this prevalent risk and minimise the impact? Only time will tell.
Colin Slater is the cyber security partner at PwC in Scotland