Isn’t it time we took cyber-security more seriously?

Date 13.11.2015

Dr Mils Hills, Associate Professor in Northampton Business School, shares his views on the recent headlines concerning cyber-security…

“The mainstream news has been full of cyber- and technology-related risk stories recently. From the alleged hacking of airliner control systems by a passenger, to that of car brakes, to the equating of missile threats with information security ones for new warships, assertions that a married dating site’s members’ privacy had been compromised, through to ‘Deal or No Deal’ host Noel Edmonds stating that the imaginary condition of ‘electro-smog’ is a bigger threat to humans than Ebola or Aids – businesses and consumers have a lot of concerns to face up to.

As ever, a cool head is needed in interpreting media excitement. The airliner’s control systems were not hacked at all (a joke Tweet went viral). The car hack was the result of months of sophisticated effort and was easily countered by the manufacturer; warships will have counter-cyber capabilities as robust as those against air, surface and sub-surface threats (obviously). Many organisations have held personally identifiable data very insecurely; nothing new to see here. Electro-smog is absolutely not a risk unless you believe it to be.

What is true, though, is that cyber-security is a major headache for organisations. What is also evident is that cyber-security is a difficult problem to define. Most importantly, understanding and managing cyber-risks is far from being a purely (or even mainly) technological challenge. After my colleague Guy Batchelor and I gave a presentation to a KPMG-organised forum on these issues in July, we were delighted to have a chat over lunch with a figure of global stature in the information security community. We were even happier to hear this technologist state that cyber-security was about “people not boxes”.

This is so much the case that even where there is no actual threat (e.g. the non-hacked airliner or electro-smog), organisations have to respond to those who (want to?) believe that there is such a threat. Admittedly, there is a theoretical possibility that a specialised attack could compromise an airliner – but cold, hard analysis shows that this is extremely unlikely and that there are other much more likely cyber-challenges to aviation security. Whilst these concerns generate massive news interest and shape business leader and consumer perceptions of risk, ‘cyber’ as a corporate risk remains a slippery concept to get to grips with. Here are some ideas that may help a little.

Cyber-security management should, I believe, be about building, testing and maintaining organisational resilience to vulnerabilities (as well as to those of upstream and downstream partners, stakeholders and wider perceptions). But ‘cyber’ risk is far more of a full-spectrum challenge to the private and public sector than usually envisaged. Of course, hacking, viruses, information security, wifi protection, database integrity, SCADA systems and the Internet of Things (to name but a few) need to be understood in terms of potential consequences, crisis management responses, media, market and stakeholder messaging implications and mitigation / pre-emption measures – but ‘cyber’ should also be considered as a broader and deeper concept. The original meaning of ‘cyber’ was coined to refer to everything to do with computers and information technology. In my work at the UK national strategic level of government and in consulting to public and private sector boardrooms, I took ‘cyber’ threats to be the exploitation of any technology to influence a decision-maker, whether the influence was achieved by the loss of a critical system, compromise of the integrity of a database, injection of false information via an email or telephone call, created activist or consumer concern or even more exotic uses of information to achieve effects.

Therefore, cyber-security threats are no different to any of the other risks that an organisation faces – about which more can be found out, against which better situational awareness and rehearsed response capabilities can hone active counter-measures and reactive responses. Resilience is an emergent, immune property of a corporate structure which looks to be better defended, proactive in countering and making the best possible decisions no matter what the trigger. Business continuity, corporate security, crisis management and risk identification – these all need to serve the common goal of enabling the organisation to better understand the ecosystem in which it stands and the dynamic changes within it. Whether, on a particular day, a board member is accused of improper conduct (based on falsified electronic evidence); key data is corrupted; rumours swirl on the mass and social media about the integrity of a product; a virus prevents safe operation of automated plant… all of these and other scenarios need to be thought of as ‘cyber’, because computer-dependent technologies have featured as integral to the risk. The avoidance and effective countering of these risks involves a recognition that cyber-security is a socio-technical phenomenon. Risks may be more or less technical in delivery – but they depend on a fusion of people and technology. The precise blend of cocktail will vary – the need for an awesomely powerful ability to anticipate, avoid and perform under pressure is unwavering.

Of course, these suggestions run counter to the zeitgeist. Software and hardware providers want to sell technical solutions. Many academics and consultants earn a living from an artificially narrow or shallow definition of ‘cyber’. Empire-building managers generate cyber-security departments. But, as far back as 1996, New York magazine is said to have warned that: “Cyber is such a perfect prefix. Because nobody has any idea what it means, it can be grafted onto any old word to make it seem new, cool — and therefore strange, spooky”. It is important to fight the drift towards making ‘cyber’ a technology-heavy concept, artificially delineating risks which transcend simplistic categorisation. Grasping and engaging with the challenges of socio-technical (genuinely cyber) security demands innovative, agile, adaptive, sensing and decisive action on the part of organisations – the strictures of preparing for and performing under such pressure will certainly sort the sheep from the goats, a competition which will play out in the stock market, in market and consumer confidence and in other theatres.”