The last five years have seen a huge sea change in the business world's approach to cybercrime, according to Dr Jamie Saunders, one of the keynote speakers at Airmic's ERM Forum in November. And, having led the National Crime Agency's work on cybercrime until this year, he has had as good a view as any on the state of cyber resilience in this country.
"If you'd asked me five years ago, I'd have said businesses hardly take cyber security seriously at all," he says. "That's not the case now. Any reasonably sized company is concerned and giving it due attention."
His message for the business community, however, is that more attention should be put on proactively preventing the cyber risks occurring in the first place, rather than just focussing on incident response. He wants businesses to become part of the fight.
Businesses unaware of the intelligence at their disposal
Dr Jamie Saunders is Visiting Professor at the University College London's Department of Security and Crime Science. Until earlier this year he was a director at the National Crime Agency. Recruited in 2014 to lead the Agency's work on tackling cybercrime, his most recent appointment was as the NCA director of intelligence. He joined NCA after over 25 years in the public sector, in a variety of operational and policy roles. He was previously employed by GCHQ.
"Cyber risk is not like a weather event - there is agency. There are people involved actively pursuing this crime. We need to understand who they are, what they are planning, what we can do to be ahead of their next step. Many businesses have huge amounts of useful information at their fingertips, but they don't necessarily realise it."
By way of example, he explains that most organisations are constantly probed by cybercriminals. The majority of these attempts are blocked and then discarded, and in the process a whole raft of useful intelligence is thrown away.
Businesses are understandably anxious about sharing this sort of information for security, confidentiality and competitive reasons. Intelligence sharing is happening in a modest way, but Dr Saunders is pushing for a framework that will alleviate business concerns and make the practice more widespread.
Most attacks are preventable
Dr Saunders will be speaking at the ERM Forum on 7 November. He will be moderating a panel discussion investigating the lessons learnt from recent major cyber breaches. The ERM Forum is free to Airmic members.
But what of the sense that businesses, governments and cyber security professionals are always one step behind the cybercriminals, that we are fighting a losing battle? According to a recent survey by Lieberman Software, 76% of organisations surveyed believe that cyber attacks are evolving too fast for their IT security personnel to keep pace.
This may be the perception, but it is absolutely not the reality, according to Dr Saunders. He believes that basic good practice can eliminate much of the problem; indeed, it is widely believed that 80% of attacks can be prevented.
"People view cyber criminals as homogenous, but in reality they are very different, with different levels of sophistication." The bulk of attacks are not hugely sophisticated, he says, and he uses the now notorious WannaCry attack in May as an example.
The vulnerability was identified and patched by Microsoft months before the attack, and so companies with well-organised IT security policies were generally unaffected, he explains: "It was organisations without the right procedures or with legacy issues that were hit. So you see this sort of event is not about being behind the criminals in terms of knowledge. It's about basic good practice."
He concedes there is a different level of cybercriminal who is hugely sophisticated and tough to defend against. However, "these cases are in the hundreds rather than the thousands".
"People think too much about the IT aspect"
Cyber risk should be viewed as a risk management issue, according to Dr Saunders, and not just left to the chief information and security officer (CISO). "It's about joining the risk up, so it's really important that risk managers are involved. If they don't know who their CISO is, then there's a problem."
He acknowledges that cyber risk can be daunting for the non-cyber specialist. His advice is to view cyber risk through a different lens. "People think too much about the IT aspect and then get overwhelmed." Risk managers, he says, should think of it in terms of the data they are protecting; it then becomes easier to approach in a similar vein to any other risk.
"You need to know three things," he explains. "One - what is it that you care about; two - who is trying to attack it; and three - how are you defending it." It may be easier said than done, he says. But the point is, you shouldn't be scared of the process.