“Cyber-attacks cost companies more in terms of reputational than IT damage”

Source: De Tijd Connect

Not enough companies are sufficiently aware of the risks of hacking, or know how to prevent it to the greatest extent possible. A study conducted by KPMG revealed that 80% of the respondents’ systems were infected with malware and 60% even with crimeware. According to Professor Öykü Isik (Vlerick Business School) an approach that focuses exclusively on IT is simply not enough. “You need a corporate strategy for that! After all, your customers and your reputation are under threat!

KPMG recently conducted a special study among some twenty Belgian companies whose aim was to detect the presence of malware in their IT systems. The title of the study is ‘Unknown threats in Belgium’. The conclusions are astonishing, according to Benny Bogaerts, KPMG’s Director of Cyber Security & Privacy. “Eighty per cent of our respondents’ systems were infected with malware and sixty per cent even with crimeware. These organisations were convinced they had everything under control. Well, apparently, they didn’t.”

Weak Belgium

“The biggest challenge related to cyber security by far is ‘ransom ware’ or ‘ransom software", according to Professor Öykü Isik of Vlerick Business School, an authority in the field of cyber security. Ransom software blocks a computer, after which the user has to pay a ‘ransom’ to regain access to it. “This internationally widespread phenomenon is gaining more foothold in Belgium”, adds Professor Öykü Isik.

“These days, a strong reputation is more important than ever in the corporate world. However, once you have been hacked, your reputation will plummet.” Professor Öykü Isik (Vlerick)

Belgian cyber security achieved only a mediocre score in an international study conducted in 2014, while its neighbouring countries all ranked near the top. “Although Belgium has the necessary legislation, technical know-how and the organisations, we score poorly with regard to security capacity and collaboration”, explains Öykü Isik. “The failure to share knowledge within your organisation impedes progress. It would be helpful if security officials would share information and knowledge informally with one another.”

The number of cyber incidents is escalating rapidly, also via phishing. “Purchasing malware on the black market has become easier than ever. However, solutions that focus exclusively on IT will not bring any solace. Hackers are able to access systems more frequently than ever before via social media, by falsely taking on the identity of a staff member, for example. This is why you should not leave cyber security to IT specialists alone. You have to train everyone at your company in secure practices. Cyber security should be treated as living matter, and awareness of it should be engendered at every organisation. This way, no one will open an unusual message without thinking twice, even if the sender looks familiar.”

Killing for your reputation

IT should become a business partner in the digital transformation and therefore included in every corporate strategy, rather than a part of the problem or an expense. Professor Isik recommends that cyber security be considered and treated from a strategic viewpoint: “These days, a strong reputation is more important than ever in the corporate world. However, once you have been hacked, your reputation will plummet. Cyber-attacks cost companies more in terms of reputational than IT damage. A serious incident will easily cost as much as 5 million euros. And, on top of the direct costs, there is also the theft of intellectual property, reputational damage, commercial damage and possible lawsuits to be considered.”
Besides the negative effects on reputation and costs pointed out by Professor Öykü Isik, Benny Bogaerts also draws attention to the hidden costs involved in a data leak. “The infection can be so serious that you may need to install and configure a new server. There is a big chance you will need to engage an external response team to figure out what happened, what the consequences are and how the damage can be recovered. Damaged or unstable software will also need to be replaced. Organisations often do not have the resources for this. A data leak can even have an impact on the financial health of a company.”

“A serious incident can easily cost you several millions, including the direct costs, theft of intellectual property, reputational damage, commercial damage and possible lawsuits.” Benny Bogaerts Director of Cyber Security & Privacy (KPMG)

“A well-balanced approach combining prevention, detection and response offers the best protection”, claims Benny Bogaerts. “We are not monitoring our systems seriously enough to efficiently detect malware. Many Belgian organisations have not appointed a response team and if they have a response plan in place this is tested infrequently, if at all. Companies underestimate how easily malware can penetrate a system through conventional emails and social media. In fact, malware techniques have remained unchanged for decades. The first ransomware infection screen from 1989 is no different than one from 2016, analogically speaking. However, the digital platform of organisations has become so broad that attackers are able to enter it through all sorts of cracks and holes.”

According to Professor Öykü Isik, we should not forget the ethical dimension towards the consumer. “Companies are still strongly inclined to treat cyber security as exclusively an internal phenomenon. Your first priority, however, should be your customers and protecting their interests. Those companies that instil the greatest confidence also enjoy the best reputation. Millennials set great store by the ethical aspects of a company. A company must be able to demonstrate its reliability and treat everyone with respect. Young adults will notice whether or not you remain on top with regard to security issues.”

Include it in every design

Professor Isik recommends that you include your strategy for cyber security in your innovation policy. “Draw up a Cyber Response Plan that works preventively, and in which you pursue a policy of ‘privacy by design’ or ‘privacy by default’. This means that you take privacy protection measures into consideration in the development stage of your information systems. Designers start by making an analysis of the vulnerabilities identified by CIOs. This strategy will subsequently be based on this. Privacy by design incorporates all possible security into the initial information system design.”

“These organisations were convinced they had everything under control. Well, they didn’t.” Benny Bogaerts Director for Cyber Security & Privacy (KPMG)

Öykü Isik expects the European GDPR privacy directive to nudge organisations in the right direction. GDPR is an acronym for General Data Protection Regulation and serves to protect personal data. Although the regulation has officially been in force since in May 2016, organisations are given until 25 May 2018 to adapt their systems to it. “Actually, nobody is fully equipped to meet the GDPR requirements at present, and neither will they be by May 2018”, predicts the professor. “The rules are strict and complex. Organisations often need the approval of their customers, and every country will probably add its own provisions to the regulation. However, the implementation of GDPR will give rise to leading practices and increase cyber security.”
Benny Bogaerts agrees wholeheartedly with Professor Isik that cyber security should be a concern shared collectively throughout an organisation. “The advent of the European GDPR directive has provided a good impulse for tackling the issue at all levels, implementing it into business strategy and integrating it into systems design. This will help bridge the gap between IT and business strategy. Managing boards should back this approach wholeheartedly.”

Ecosystems and networks

“You should not leave cyber security to IT specialists alone. You have to train everyone at your company in secure practices.” Professor Öykü Isik (Vlerick)

Intellectually speaking, we are ready for this new approach. “According to a study in Forbes magazine, top managers no longer think in terms of solitary departments that must be screened off. The current focus is on protecting ecosystems and networks. Of course, the support of management boards is crucial. They should make a concerted effort to implement a policy aimed at prevention and develop an efficient strategy for coping with incidents. An Incident Response Plan identifies all the risks and the best way to respond to any problems”, concludes Öykü Isik. “After all, in the words of former FBI chief Robert Mueller: ‘In the end, there are only two sorts of companies; those that were hacked and those that will be hacked’.”