BT and KPMG warn businesses against “cyber security traps” in wake of WannaCry

In the wake of the recent high-profile WannaCry and Petya global ransomware attacks, BT and KPMG have published a new cyber security report offering practical advice to businesses of all sizes on how best to manage their security journey and turn it into a business opportunity.

The new report, entitled ‘The Cyber Security Journey: From Denial to Opportunity’, warns businesses against falling into dangerous traps as they deal with the complexity of securing a digital enterprise. These include being stuck in ‘Denial’ and ‘Worry’ phases at one end of the spectrum and ‘False Confidence’ and ‘Hard Lessons’ at the other.

While the report stresses that investment in technology such as firewalls and anti-virus protection is essential ‘good housekeeping’ practice at the start of the security journey, firms should avoid throwing money away on IT security products as a knee-jerk reaction. This is especially true for those companies who have matured from the stage of denial into the stage of constant worry, where investing in the latest technology can be viewed as the ‘silver bullet’ to mitigate the problem. This common mistake can make such firms a target, not just for cyber criminals, but also for over-zealous IT salespeople.

Businesses must first assess their current controls against best practice, such as the guidance issued by the National Cyber Security Centre, to identify any gaps and prioritise the essential areas in which to invest. Furthermore, everyone in the organisation, from the Board down, must take responsibility for maintaining high standards of cyber hygiene, and businesses must invest in training and raise awareness among staff. This can help to turn employees from the weakest point in any security chain into every company’s greatest asset in the fight to protect data.

Mark Hughes, CEO at BT Security, explained: “The global scale of the recent ransomware attacks showed the astonishing speed at which even the most unsophisticated of attacks can spread around the world. Many organisations could have avoided the aftermath of these episodes by maintaining better standards of cyber hygiene and making sure the basics are right. These global incidents remind us that every business today – from the smallest sole trader through to SMEs and large multinational corporations – needs to get to grips with managing the security of their IT estate, as well as their people and processes.”

Hughes added: “Our report aims to help secure the digital enterprise by navigating businesses through their cyber security journey. By sharing valuable insights from senior IT security leaders, we hope to help businesses of all sizes transform cyber security from being an operational risk into a business opportunity.”

Top of the business agenda

David Ferbrache, technical director in KPMG’s cyber security practice, said: “The recent spate of cyber attacks is keeping cyber risk at the top of the business agenda and, as such, investments are being made. The business community needs to avoid knee-jerk reactions as cyber security is a journey. It’s not a ‘one size fits all’ issue. Making sure that the basics like patching and back-ups are right matters. It’s important to build a security culture, raise awareness among members of staff and remember that security needs to enable business, not prevent it.”

In conclusion, Ferbrache stated: “Cyber threats are evolving and businesses face ruthless criminal entrepreneurs. The solution isn’t jargon-ridden technology ‘silver bullets’, but rather one that involves a community effort in a world where business boundaries are vanishing. With criminals becoming increasingly creative about finding the weakest link in the security chain, the CISOs of the future need to care about digital risk, help the business seize opportunities and build cyber resilience.”

Although cyber security issues are increasingly discussed at Board level today, the report claims that those discussions are too infrequent and are treated as a separate issue, disconnected from broader operational risk. All too often, cyber security isn’t incorporated into the overarching business strategy.

The report also argues that overly complex IT architecture can worsen security gaps. This is especially the case if the technology deployed is too difficult to use or there’s a lack of integration.

In order to address these risks and gain true leadership in cyber security, the report calls on firms to focus on good governance processes and the proper integration of technologies, and to consider outsourcing some less critical aspects of their security to a trusted partner. This, combined with the sharing of intelligence, good practice and hard-won lessons among a network of peers and beyond, would put the company in a position to think about cyber security in a different way: not as a risk discussed by the Board perhaps twice a year, but as a business opportunity and an enabler for digital transformation.

*Download the full report at:

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
