There are quite a few words below that I hope you will read, but the gist of it is that smart companies take something that they “have to do”, that has a real cost, and use it as a value add for both suppliers and customers: they deliver something that their competitors don’t have. In a nutshell, your current and potential customers and suppliers would rather work with a company that they know won’t get taken out by a Cyber-attack, that will be there to pay bills, deliver services and honour warranties into the future, and that keeps the data it holds about them safe. For your company, well, it’s obvious: you want to have a company in the future! Companies need to be creative in how they position this for their industry and supply chain. There are several examples below of costs that many companies have had to take on and that the smart money has turned into a commercial advantage. I hope you read on.
Articles about Cyber Security start with a reference or two about the spectacular large breaches of Sony, eBay and the like; there is no value in repeating those as you already know the horror stories.
What is troubling is why many SMEs are not engaging with the reality of a Cyber threat and the risks to their businesses. Everyone is aware that there is a real and present danger out there, but most don’t engage with that knowledge. It is generally understood that attacks fall broadly into a couple of categories: Opportunistic and Targeted.
There are orders of magnitude more of the former than the latter, and as it’s a numbers game most of these thankfully fail, i.e. if a quick poke doesn’t open the door then the poker moves on. However, whether you realise it or not, you are being poked constantly, and in new and creative ways as time passes; Darwinian processes are in play. Over time it is likely that one day a gap will be found in a company’s defences, and then the infiltration begins. A simple way to prove to yourself that this is happening is to take advantage of a service many of the email providers give you: the ability to look back and see all the attempted logins to your account. For many if not most email accounts you will see attempted logins from around the world several times a month that clearly were not you! In general, the more people and organisations that know your email address, the more attacks there are. Hopefully you will see they all fail for your account – if not, you have a problem and as a minimum should immediately change your passwords.
Very briefly on targeted attacks: these are harder to protect against as they are initiated by people who believe you have something they really want, and they will work hard to circumvent your defences. This is what happened in many of the larger breaches, and if you believe you have some cool and unique IP then moving forward on Cyber Security is a priority today, right now!
So, why are SMEs often not moving forward with even rudimentary initiatives, and why have they not added Cyber Security to their meeting agendas as a permanent item, including at board level? There are lots of reasons, and they are the same as those for all the other things that fall into the do-later category, especially those that are seen as a cost with little to no benefit, although obviously, taking steps to prevent a Cyber Attack driving you out of business is a benefit. If that happens then there is no need to worry about revenue growth!
A couple of the reasons many procrastinate are not knowing what to do, and seeing it as a large cost, so they choose to roll the dice and postpone moving forward.
Most governments around the world recognise that the threat is real and that business is not responding fast enough, and are trying to educate their communities about the risks and prod them into action. The UK government has gone so far as to publish a recommended minimum set of steps organisations should take to put a basic wall around themselves; this is called Cyber Essentials (CE). They have signalled how serious they are about this by making CE a prerequisite when bidding for government contracts that have a data content, and through their agencies grants are available to offset costs for all UK businesses to begin their Cyber journeys. So there are recommendations and there is money.
There are a number of analogous experiences from the past that we can draw on.
Probably one of the biggest is from the world of manufacturing, when the major auto manufacturers started to demand higher quality, order quantity flexibility and delivery windows of a few tens of minutes from their supply chains. Some suppliers responded by holding large stocks, paying expensive delivery charges and carrying out 100% quality inspection on parts. These became expensive and intensive programmes for some trying to hold onto their customers.
Others looked to and learned lessons from Toyota, who pioneered lean manufacturing (and pushed it down their supply chain). Lean delivered just the benefits being asked for, and the process became business as usual, so they could offer the same service to all their customers, which put them in a different league to their competitors. There was a significant cost to implementing lean, but it paid back rapidly from the increased business and, interestingly, through lowered operating costs. These days many of the top tier auto (and other OEM) manufacturers mandate that their supply chains adopt lean, and often invest in helping them achieve it. I have lived through the lean experience several times. I won’t say it’s not sometimes painful, but I will say it is always beneficial.
Another example from the auto industry is their approach to legislation around safety and security for cars. The added engineering, product development and product costs were translated into market positioning by some manufacturers, who led the scramble to claim to be the safest vehicles on the road; you all know the marketing campaigns. They could have just grudgingly accepted the costs and either accepted slimmer margins or passed them on to their customers. Or, as some of them did, they could compete through their marketing and sales channels to make car safety a key consideration in a buyer’s purchasing decision; it wasn’t a consideration before, but the brands educated the consumer to consider it. Smart!
Finally, the construction companies took on the health and safety, and noise abatement legislation, and turned it around so promotional materials around sites told of their successes to the public, and bids promoted how they are superior to their competitors. Nobody would now hire a construction company that does not have the necessary health and safety procedures in place.
In general, many procurement policies now specifically cite compliance with legislation and risk mitigation practices as part of the process. It is starting to happen now for Cyber Risk, but companies ahead of the curve promote this without being asked.
Going back to Cyber Security, all companies need to embrace the need to mitigate the risk, as it’s only a matter of time before the breach happens. Even putting in place the minimum recommended protection makes a company less attractive to the opportunists than those that don’t. The smart companies will move forward quickly and work out how to use it as a business differentiator within their supply chains. The government is already starting to mandate it for their suppliers, and large corporations will likely do the same, as they are worried the supply chain will be interrupted or that they may be breached through a hole in their suppliers’ systems.
Very quickly Cyber Risk mitigation will be business as usual; now is the time to get ahead of the curve. In order to do this all companies should be obtaining Cyber Essentials accreditation as a minimum. The last thing a company wants is to lose business when a potential large customer asks to see their Cyber risk policy and associated accreditations alongside other contractual paperwork, only to be presented with sharp intakes of breath and a few red faces.