When you define your business aspirations – whether they are growth, technology innovation, shareholder returns or improving business reputation – cybersecurity should be an integral part of your considerations. In the digital age, it is crucial for businesses to effectively manage cybersecurity risks and embrace the opportunities that good cybersecurity unlocks. An integrated strategy that is embedded into governance and risk management processes can turn cybersecurity into a business enabler.
At first glance, it may seem all technical – antivirus, patching systems, firewalls and passwords – but without the support of your employees and external stakeholders, it simply won’t work properly. Cybersecurity is the responsibility of everyone within the organisation, not just the chief information officer or head of security.
Ultimately, at the very top of a strategy lies accountability. Cybersecurity is about understanding the risks of doing business in the modern world; getting the trade-off right between managing cyber-risks and digital opportunity is a matter for the board’s strategic judgement, wherever the business is in its life cycle.
Risky business
As the economy becomes increasingly digital, so does crime. Businesses are being targeted through sophisticated means for many different reasons, from political espionage and financial gain to the theft of sensitive intellectual property. Understanding the threat allows those in the industry to take a proactive security stance that frustrates and obstructs an attacker's progress. A better assessment of the motivations and intentions of hacktivists, organised criminals, nation states and insiders enables hoteliers to tailor and test their cybersecurity strategy. In a world of 24/7 media, decisions on how to respond to a cyberattack can escalate to the C-suite very quickly, so it is vital that senior executives take part in those tests and exercises rather than meeting the scenario for the first time during a real incident.
Only by really understanding the risks, embedding cybersecurity into the business, and recognising that people and security culture are every bit as important as technology can firms really get to grips with the threat and feel free to harness future business opportunities with confidence. Moreover, as organisations become increasingly aware of the value of cybersecurity, those who manage cyber-risks by implementing an effective and responsive cybersecurity strategy will be viewed as more attractive – and less risky – partners and suppliers. This, in turn, will help support revenue generation and profitability.
Recent security incidents have led to litigation, regulatory action, reputational damage and even resignations. Governments are increasingly turning to regulation to drive corporate behaviour in this area, often adopting very different approaches and asserting extraterritorial authority. Overlaying this is the EU's General Data Protection Regulation (GDPR), which came into force last year and whose penalties for information failures that result in customer data being compromised are a major pillar of the regime. There is too much at stake to leave things to chance.
The UK Government’s FTSE 350 Cyber Governance Health Check invites the country’s largest organisations to respond to a questionnaire that assesses and reports levels of cybersecurity awareness and preparedness. While boardroom awareness is increasing, with training and threat-intelligence briefings becoming more common, there is still more to be done to proactively manage cyber-risks as part of corporate planning.
Industry leaders need to work together; they depend on each other for products and services, but their connections to third-party suppliers must also be scrutinised to ensure that they are not the weak link in security defences. There is much to be gained by working together as a community to pool intelligence, and share experience and best practice – something that KPMG facilitates through its International Information Integrity Institute forum.
The company hopes that this positive approach will free organisations to achieve their goals and navigate the evolving cybersecurity landscape effectively. It believes that cybersecurity should be about what you can do, not what you can't.