Legal week, share prices and cyber hygiene
In a recent Legal Week article the authors consider how cyber risk regulation is set to become tighter in the near future, with greater responsibility placed on organisations to have measures in place to secure data and protect processes. The article points to research in the US that indicates relatively high levels of torpor in organisations that really should know better.
In this research the point is made that, despite the loss of data, the thefts or hacks seem to have only a marginal effect on the share price in most incidents reported. This seems to me to be a curious correlation and suggests that the markets really don't understand what these data thefts may mean, especially when the consequences go to the heart of the value of the business. It seems to me that companies are failing to consider how data theft may be impacting on their long-term viability by having too short-term a focus on the consequences of data loss.
Stolen data, especially data taken as part of a targeted attack, is being taken for a reason. Customer information, tender or commercial terms, and product and technical data are all vital company assets that have cost a lot of money to develop. Failing to secure them is tantamount to leaving the company's money on the doorstep. Companies need to think again, very carefully, about how they value these assets and look at the options they have to protect them, and investors should consider how lost IP may impact on the future value of the company.
Remember, though, that most of the research data on lax controls and the scale of data theft comes from relatively informed and aware users. The situation in SMEs is a lot worse, and research shows that attacks and theft are growing fastest in this sector.
Another important factor is the level of data sharing going on today: nearly all business operates with at least some form of shared use of data and, consequently, shared responsibility for it.
Over the coming months the work underway in the EU and US by government and regulators will start bringing in tighter controls, increasing pressure on companies and organisations to take cyber risk more seriously.
Will this work? I am not convinced... We have data protection law in place today and it doesn't seem to be too effective in creating the kind of security we need. What I feel would work is company boards and shareholders recognising that cyber threat goes to the core of their business and its values. They are the ones who can change attitudes and cultures and drive change through their supply chains.
In a few months, BIS in the UK will be announcing a new cyber hygiene profile that will set out the most basic measures organisations should have in place.
The 'profile' is derived from industry good practice and a series of consultations over the past year. It'll be a simple baseline of controls that all organisations really should have as a minimum. It will act as a stimulus for many companies, who will then hopefully realise that they'll need to go much further to gain real security. The UK government is already committed to applying these controls as a supplier criterion once they are published in the spring.
This is a genuine 'win-win' situation. Supplier and customer would both be more secure, a lot of basic risks would be mitigated, and it would be an excellent foundation to help start building real cyber resilience for us all, but it is only a starting point.