Only one fifth of IT decision-makers in large multinational corporations are confident that their organisation is fully prepared against the threat posed by today’s cyber criminals. According to new research conducted by BT and KPMG, the majority of companies feel constrained by regulation, available resources and a dependence on third parties when responding to attacks.
Entitled ‘Taking the Offensive: Working Together to Disrupt Digital Crime’, the detailed report finds that, while 94% of IT decision-makers are aware criminal entrepreneurs are blackmailing and bribing employees to gain access to organisations, roughly half (47%) admit that they don’t have a strategy in place to prevent this situation.
The report also highlights that 97% of respondents experienced a cyber attack, with half of them reporting an increase in the last two years. At the same time, 91% of respondents believe they face obstacles in defending against digital attack, with many citing regulatory obstacles. In addition, 44% of interviewees are concerned about the dependence on third parties for aspects of their response.
Mark Hughes, CEO for Security at BT, said: “The industry is now in an arms race with professional criminal gangs and state entities who are sophisticated ‘tradecraft’. The 21st Century cyber criminal is a ruthless and efficient entrepreneur who’s supported by a highly developed and rapidly evolving black market.”
Hughes went on to state: “With cyber crime continuing to escalate, a new approach to digital risk is needed. That means putting yourself in the shoes of attackers. Businesses need to not only defend against cyber attacks, but also disrupt the criminal organisations that launch those attacks. They should certainly work closer together with law enforcement as well as partners in the cyber security marketplace.”
Paul Taylor, UK head of cyber security at KPMG, explained: “It’s time to think differently about cyber risk, ditching the talk of hackers and recognising that our businesses are being targeted by ruthless criminal entrepreneurs with business plans and extensive resources who are intent on fraud, extortion or theft of hard-won intellectual property.”
Taylor continued: “Talking generically about cyber risk doesn’t deliver insight. You need to think about credible attack scenarios against your business and consider how cyber security, fraud control and business resilience work together to prepare for, and then deal with those threats. If that’s done, then cyber security can become a mainstream corporate strategy as a vital component of doing business in the digital world.”
Chief Digital Risk Officers
The BT-KPMG report shows that Chief Digital Risk Officers (CDROs) are now being appointed to hold strategic roles which combine digital expertise with high-level management skills. With 26% of respondents confirming that a CDRO has already been appointed in their organisation, the report’s data suggests that the security role – and accountability for it – is now being re-examined.
Importantly, the research also flags the need for budgets to be adjusted, with 60% of decision-makers reporting that their organisation’s cyber security is currently financed by the central IT budget, while half of those (50%) think it should come from a separate security budget. One major challenge identified by the BT-KPMG study is the funding and scale of R&D spending that the criminals can bring to bear on breaching the defences of target companies.
The report extensively quotes a number of security directors of well-known global organisations and lists examples of the many forms of criminal attacks encountered by them, including various types of malware or phishing attacks. It also describes the business models favoured by the criminals and the black market behind them, whether they carry out high-end targeted assaults on the finance system or regular attacks on businesses/high net worth individuals (or even the ‘commoditised’ attacks affecting all of us).
The conclusions of the research point to the need to change mindsets and regard security not simply as a defence exercise. In fact, security is the enabler that facilitates digital innovation and, ultimately, drives profit.
BT and KPMG are now engaging with larger organisations around the world to debate the learning points of their joint research and advise on the changes that need to be undertaken.
*The findings and recommendations in the BT-KPMG report are drawn from interviews conducted in partnership with Vanson Bourne involving directors responsible for IT, resilience and business operations at major companies across the UK, the US, Singapore, India and Australia.