When we asked executives what would help their company be better prepared for a cyber incident, the top answer — set out in our new report — was the ability to know more about the threats to their business.
One of the obvious ways of doing this is to share knowledge and experience with industry peers and competitors. Information security professionals believe closer co-operation between companies is the only way to tackle the problem of cyber attackers. But in our survey, only 1 in 3 companies currently share information in this way.
Much of the hesitance here comes from the top of the corporate ladder, so how can information security professionals bridge this C-level gap?
Our research found that suffering a cyber incident works is an effective motivator for all sorts of action—from setting up formal incident response preparations to sharing information with other companies. But short of waiting for an attack to happen, here are a few other arguments to use in support of greater knowledge sharing:
Technology is making every company a target: Over three-quarters of companies have suffered some form of cyber incident in the last two years (see chart below). For the majority of this group, the number of incidents year-on-year is either steady or on the increase. Looking ahead, the collection of Big Data generated by the soon to be ubiquitous Internet of Things and stored in the Cloud will turn every company into an even bigger target. But this technology threat is not only limited to industries with data privacy concerns. In manufacturing, for instance, IT systems and technology have become so integral to the manufacturing process that system errors and outages can be as costly as a data breach.
Cyber criminals don’t run regional operations: North American companies lead the way on cyber incident response, not least because they are the most likely to experience a cyber-incident. Likewise they are the most likely to share information about cyber incidents with their peers (nearly twice as much as in western Europe). But cyber attackers don’t view the world in this way, so neither should European or Asian business leaders. Some already see the global picture. The media industry, for instance, is increasingly coming under attack, so the likes of the BBC, The Financial Times, The New York Times and The Economist are meeting regularly in London and New York. The main benefit of these knowledge-sharing forums, according to The Economist’s cyber security team, is the chance to swap experiences across the Atlantic.
Individual companies can take the lead: Last year the UK’s central bank led a cyber-attack scenario involving a rogue nation attempting to disrupt the financial sector. One of the main goals of this role-playing exercise, involving 14 major financial institutions, was to learn how banks would communicate in real time, sharing information and ultimately coordinating a response. Understandably, the authorities in the UK and the US are leading such initiatives in industries with systemic importance. Yet other industries need not wait in line. The CEO of Heartland Payment Systems, for instance, took it upon himself to set up an industry group to share information about cyber threats (albeit this was after a data breach at his company, leading to one of the largest data losses of all time).
Being a “cyber big brother” can be rewarding: Larger companies (US$500m+ in annual revenue) are much more likely to have an incident response plan in place than smaller firms. While the latter are catching up, fewer resources and less experience make them a target for cyber attackers, who spot a backdoor into the aforementioned larger organisations. It is, therefore, in the interests of large companies to share institutional knowledge and education across the supply chain, as a way of bringing the preparations of these “weak links” up to standard. After all, responding to an incident where company information has been compromised during an attack to a supplier is much more complicated than when it happens within the data owner’s own four walls (a point that is currently underappreciated by executives).
Effective knowledge-sharing starts at home: When it comes to sharing cyber knowledge, it is all well and good for a company to be an industry leader, but it will be all for nothing if its own employees know little about these cyber threats or their own responsibilities. Despite developments in automated detection, employees are still more likely to alert a company to an incident taking place. Added to this, our research shows that they are also the most common cause of an incident. While some companies are raising awareness among the workforce, warning employees to be alert to sketchy emails or equally fishy activity by fellow colleagues, any such activity will carry more weight if employees know more about the frequency of such attacks and appreciate the impact on the business.
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the views of The Economist Intelligence Unit Limited (EIU) or any other member of The Economist Group. The Economist Group (including the EIU) cannot accept any responsibility or liability for reliance by any person on this article or any of the information, opinions or conclusions set out in the article.