
Once upon a time, computers were huge, heavy and expensive, and only available to a very few companies. Businesses that had access to a computer soon found out that they could outperform their competition with ease. That meant that soon everyone wanted a computer; office by office and desk by desk, computers started to be used in every part of every business.
But computers are complicated, and businesses found out that they needed new skills to keep their computers working to ensure their businesses benefited from the new information technology (IT). When computers broke, or could not be maintained, businesses quickly realized that they lost money, so they invested in making their computers more reliable and keeping their systems more available than their competitors.
Just keeping IT working well is an immensely difficult thing to do, but companies that could afford to do it stayed in business longer than those that could not. For these businesses, IT reliability became a business risk, and hence it became good business practice for it to be managed just like any other commercial threat.
And then, as computers started to be connected to other computers, the internet arrived. Businesses that could “get online” could now conduct their business directly between computers; the opportunities were immense, and so were the profits. Of course, wherever there are people who work at making a profit there are always people who want the profit without the work, and so digital crime became a problem too.
So, in addition to the IT risk businesses had learned to manage, preventing losses from the growing threat of theft and fraud using computers became just another risk for businesses to manage. It was in this era, almost 30 years ago, that the term password began to appear as a common business term. Even then its use was often mistakenly assumed to confer a sense of security by those using it.
Just keeping an IT system working is a difficult enough task. For its infrastructure to be reliable, available and cost-effective, a business needs to make a special effort to ensure that this can happen. Businesses that chose to use cheap IT always found out that too cheap was always more expensive. But that is a different story about business economics.
Our story, though, really begins in the early years of the 21st century, as the cost of electronics fell and allowed the creation of small portable electronic devices. Initially these devices were expensive mobile phones and portable laptops only accessible to business. But within the first ten years of the new century, as technology costs continued to fall, battery capacity improved, and mobile communications became affordable, the smart phone became a thing: a pocket-sized, internet-connected computer of which everybody reading this tale owns at least one.
Almost at the speed of thought, a connected customer became able to contact retailers and suppliers; designers could commission designs; orders, payments and banking could happen in seconds; and businesses became able to scale as fast as they could connect customers. Online assessment and comparison allowed value to be judged instantly, both by the vendor and by the customer. Every element of a commercial transaction had become a data element. But within that digitalisation of value came a subtle evolution in the way every business operated.
As data became business and business became data, the use and enrichment of that data became a business in its own right. Data had always represented an object with value, but now data had value in and of itself. Applications and application software became the vehicle through which data was collected, enriched, manipulated, presented and traded. The better the software, the more profitable the business.
As many years of IT experience had taught businesses, some software was better written than others, and the better written the software, the greater the benefit and the less risk to a business in using it. But the ease and speed with which anyone, or any organisation, could become an online presence, or engage with their customers, partners or even citizens online, allowed any type of software to be written or copied and an internet presence to be created in an instant, allowing almost any kind of data to be collected and manipulated.
Unfortunately, as with anything of value, data itself now became a target of criminals seeking to steal its value, or to damage it sufficiently that others could benefit from its loss of value. This type of digitally enabled criminality earned its own new name, “Cyber Crime”, which in turn gave rise to the field of Cyber Security, focussing on the technology and processes required to protect a business and prevent losses through cyber crime. Cyber Security itself is a highly complex function, and although its objectives are massively different from those of IT, its technical components often lead to it being placed within the IT department, sometimes even being called IT Security.
Already stretched IT departments struggle to face up to the demands of cyber security; some are able to, but many, in spite of massive investment and effort, are not. As cyber breaches continue to make headlines, and companies both large and small have their customer data stolen or become victims of massive ransomware attacks; as the personal and private data of citizens and businesses alike continue to be stolen, compromised, and used for identity theft and fraud; as critical national infrastructure and healthcare facilities are taken offline, or even destroyed; and as even the regulators themselves fall victim to such attacks, questions are being asked as to why many businesses remain able to safely conduct business even as they endure targeted cyber attacks, while others that invest just as much, or more, appear to have no effective defences and fall prey to even the simplest cyber threat.
When examined more closely, certain trends do reveal themselves. Cyber Risk is globally recognised as a fundamental threat to both business and social growth and represents a major threat to stable economies. Almost every business, small or large, has some level of risk reporting that now includes Cyber Risk as a business-affecting element. Not surprisingly, how and where cyber risk is reported, how it is measured, and where the responsibility for its management resides have a massive effect on how well active cyber threats will be managed.

Cyber risk is subtly different from most of the other operational risks a business faces. Whereas many risks are based on opportunity, environmental circumstances, availability of finance, use of technology, and other competitive factors that may happen to prevent achievement of business objectives, Cyber Risk is unique in that it is an adversarial risk: someone is actively trying to destroy or damage your business. Regardless of what your business does, whether you make or sell goods, provide services to your citizens, operate a national energy service or a hospital, or simply run a university, a cyber criminal will still attack you.
So why is cyber risk different? As businesses have digitalised, the risk management processes and procedures that they have built through the ages have become part of larger software business process systems. This process virtualisation is often implemented for efficiency and expediency, and as a result the changes and errors that exist in any active business system can often become hidden, or masked. Almost every business process is monitored in terms of how well it is working, how often it fails, and how it can be improved. The measurements and controls to do this are under the control of the business itself. Cyber threats, though, are often not even considered when such business processes are being drawn up; if they are considered at all, they are often left up to IT to manage and to report on under IT risk, and hence appear as an unwelcome surprise to the business when they actually happen.
Before digitalisation, the owner or manager of a physical business never actually needed to know how to design a factory or build a warehouse. But they did know that there were good and bad business choices to be made in terms of design and location. Such decisions were readily delegated to people who knew about the business benefits of construction, the skills to build, access to materials, power and water, and the cost of operations, security and maintenance. As these are critical business decisions, not just in terms of cash flow and profitability but also because there are often severe penalties if regulations are broken, the owner or manager would always insist on approving them.
In a digitalised business, every data collection, processing and manipulation that IT is required to deliver to produce value for the business has an equivalent cyber threat that can destroy that value and more. This cyber risk is equivalent to every other risk that a business faces, and should be recognised and addressed as a business threat in the normal daily function and operation of the business.
In a new warehouse project a CEO would never accept the project viability risk assessment being signed off by the chief electrician alone, no matter how experienced they may be. But when launching a software-based online store that signs up and collects customer data, processes sales, enables payments and delivers goods, and that might double a company’s sales, the web site may be approved by a senior graphics designer.
All software is prone to bugs; that is why code is tested all through development until the application or web site is ready to be launched. Once launched, any internet-facing software is automatically subject to continuous scanning and attack by potential cyber criminals. This requires that the business itself must be continually testing and fixing its own systems and assets for as long as they are needed, and disconnecting them whenever they are no longer needed. Such testing and repair does not happen for free; it is a cost of business that must have been factored into the initial design and lifecycle costing.

Why do some organisations appear to be managing cyber crime, whilst others do not? Where cyber risk is managed alongside IT risk, and the function of a software system is clearly defined and owned by the business function that will not only derive the benefit from its operation but will also be held accountable in case of any breach or failure, a more resilient and reliable system is built. Such systems do still suffer from cyber attacks, but the effect of the attack is rarely newsworthy, or even reportable.
Where cyber risk is delegated entirely under IT Risk, or perhaps not even addressed as a business risk, the additional expense of secure design and continued secure operations and maintenance is often treated simply as an additional, non-value-generating cost. If normal IT systems struggle to remain functional and fight for maintenance budget every year, it is unlikely that the secure design and security systems required for cyber risk management will be getting enough attention.
Wherever software is used to manage customer records, store personal identities and banking details, provide access to retail products, or simply enable social engagement and entertainment, its presence and use should not harm its users. Recent legislation in South Africa and around the world is passing that accountability back on to the owners of such systems, by allowing victims of cyber crime due to the negligence of a provider to sue the provider, and in certain cases opening the management of the provider to criminal liability if negligence is proven. This accountability is clearly a business risk.
As business continues to evolve and grow in the digital world, and our existence increasingly depends on reliable, resilient and provably secure business systems, it has become obvious that Cyber Risk is a subject that needs to be taken seriously by every business and every user of such systems. Cyber security is too important to be delegated to the technical side of your business. Cyber risk is the responsibility of every business function that derives benefit from any and every software-enabled function or service. It is up to you to make sure that the IT and technical specialists who design, build and maintain your systems know how to do so, and can keep doing so for as long as your business needs the service to exist.