KPMG have recently launched a ‘first of its kind’ cyber vulnerability index that demonstrates that financial services is far and away the worst information-leaking sector.
A massive 48% of information leakages from the 10 Forbes 2000 companies that offered cyber attackers the most opportunity came from organisations in the financial services (banking – 30%, diversified financials – 12% and insurance – 6%)1.
Once again the risk-based case is made for investing in cyber security.
However, this research joins a large body of case studies, publications, and media articles that focus on the risks businesses are running with regard to their information. By now most executives will be aware of the potentially large-scale impacts of poor cyber security. Yet many are still not investing to reduce the risk or change their corporate behaviours around information management. Why?
Is the evidence still not strong enough to overcome the ‘it won’t happen to me’ syndrome? Are the impacts being exaggerated and businesses aren’t feeling the pain of information loss? Or is it that in these tight economic times any “spare” money is not being invested in risk reduction initiatives that are traditionally viewed as largely a sunk cost and instead being invested in areas that offer a stronger return on investment?
Possibly all three, but focussing on the last: implementing cyber security should not be viewed as a sunk cost, as the cyber capability you develop can provide a significant return on investment! This important area is rarely discussed in the plethora of media around cyber security, with authors preferring to describe the latest juicy scare story.
Yes, there are people, organisations and States trying to get hold of your information. That isn’t going to stop. Yes, organisations are on the whole quite bad at looking after their information. That can change, but scare stories don’t seem to be having the desired effect on the Board room to invest in cyber security (as desired by Governments ... and security suppliers, of course!). So whilst I think it is a good piece of research, I am a little disappointed to see yet another report focussed on the risk, the threat, and who is the worst at protecting their information.
We need more positivity around cyber security to make it more attractive to the Board room.
At the heart of cyber security is information. Whilst companies need to protect information, they also need to exploit it. So why don’t more studies focus on who is the best at safely and securely exploiting their information? Why aren’t there more case studies circulating about companies who’ve successfully exploited information for substantial gain? Rather than talking about the negative side of cyber security, we, as an industry, should be talking about which companies are the most secure, the most resilient, and who has developed the most competitive advantage through safely exploiting their information. Companies who can deliver a return on investment from their cyber security and become a safe, sustainable business in this information age are, I believe, what investors and shareholders want to hear about!
1 Publish and be Damned - Cyber Vulnerability Index 2012, KPMG