Good Cyber is Good Business




In this white paper: cyber crime and espionage make headlines on almost a daily basis. This white paper from Thales UK asks whether there can be real P&L rewards for organisations that improve their cyber security. Can Good Cyber be Good Business?

White Paper: Good Cyber is Good Business. The competitive advantage of cyber security. Autumn 2013

Executive Summary

Cyber security makes headlines on a daily basis. The threat posed by belligerent cyber actors is pervasive across the business landscape, from the very smallest to the largest organisations.

The cyber security threat is global in reach, sophisticated in its execution, and operates on an industrial scale. It encompasses individual hackers, hacktivist pressure groups, industrial espionage, organised crime, and nation state actors, each posing a specific menace.

More UK businesses than ever are facing the threat of losing confidential information through cyber attacks, according to recent research backed by the UK Government. [1] The 2013 Information Security Breaches Survey found that 93% of large businesses and 87% of small businesses experienced a cyber security breach within the last year. [2] The average cost of significant security breaches for small organisations was £35,000-£65,000. For large organisations the equivalent cost was £450,000-£850,000. Such attacks could prove catastrophic for the profitability, if not the viability, of a business.

As a result of such reports, organisations are increasingly aware of the risk posed by cyber security. At a strategic level, they recognise the operational, financial and reputational damage that can be caused by a significant cyber attack. Increasingly, they also understand the benefits of using third party expertise to assess their information risk, to audit their technical, operational and human vulnerabilities, and to help reduce the risk of a significant cyber security breach.

These cyber-aware organisations increasingly understand that applying established standards, such as ISO27001, and guidelines, such as the SANS Critical Controls, as well as keeping up to date with developments such as the NIST Cyber Security Framework and the UK's Cyber Security Maturity Model, are some of the best techniques to identify and reduce their business risks. They know that, by using cyber security partners like Thales, best practice techniques will be applied by qualified, security-cleared individuals (e.g. CLAS) and by teams that operate to independently verifiable standards (e.g. CREST).

But even cyber-aware organisations can be unfamiliar with how good cyber security can be good business. Concerns over risk and cost too often prevail over recognising how good cyber security can be a source of comparative advantage, a product differentiator, a brand asset and a business opportunity. This approach requires bold and strategic thinking.

This is how Thales sees cyber security. Thales shows its clients that, by taking a business benefits orientated approach, most organisations can articulate the positive financial impact of mitigating cyber risks, which in turn can empower business leaders to prioritise the benefits they wish to derive from good cyber security.

1. http://news.bis.gov.uk/press-releases/support-for-small-businesses-to-tackle-record-levels-of-cyber-attacks-68b5a.aspx
2. www.gov.uk/government/uploads/system/uploads/attachment_data/file/191670/bis-13-p184-2013-information-securitybreaches-survey-technical-report.pdf

By way of comparison, consider the evolution of Quality as a discipline. Historically, quality was considered a necessary cost of doing business. Over time, however, the best-run businesses have used a structured approach to quality to contribute to improved business performance. If good quality is good business, why should we not apply the same benefits approach and continuous improvement mentality to cyber security?

Consider, for example, launching a new product in a safety-critical industry. The product meets all of the necessary standards, but is also differentiated in the market by a level of built-in cyber assurance that is verified by a trusted third party. Consider the value of keeping your costs, negotiating margin and price sensitivity secure in advance of a major contract negotiation. Or consider the operational efficiency of remote, flexible working, of allowing employees to bring their own technology to work, or simply of allowing the business to continue to use the internet in a flexible way, all whilst securely protecting key business information.

A recent report found that more than half (58%) of European mid-sized firms say they would refuse to do business with a company that had suffered a data breach. [3] The same survey suggested that, even as European companies are experiencing a 50% per year increase in data breaches, their approach to information management is defined by confusion, inconsistency and double standards. This represents a clear opportunity to gain competitive advantage through cyber security.

Let us remind ourselves of the size of the challenge. In 2011, UK organisations suffered some 44 million cyber attacks. The damage caused to UK businesses (e.g. in terms of IPR loss, operational outages and direct financial theft) was at least £21bn, according to Government-backed reports. [4] 98% of these breaches involved external agents. As many successful attacks resulted from weaknesses in security culture and human failings as from technology vulnerabilities. The cyber threat is here today, and the inadequate cyber defence posture of some organisations is already costing them dearly. As a result, the UK Government's Cyber Security Strategy, in place since 2011, is supported by £650 million of public investment to respond to what it has designated as a Tier One national security threat and to improve the UK's cyber defences.

But how should business respond? Good risk management requires a balance of understanding, investment and decision-making. Yet, as the cyber security threat rapidly evolves, it is often difficult for organisations to assess the extent to which they are vulnerable and what they should do to protect themselves. For business leaders focused on the implications of cyber risks for their bottom line, affordable cyber protection that is appropriate to the scale of their business and reflects the reality of the risks they face is essential.

3. http://ironmountain.co.uk/risk-management/
4. http://www.cabinetoffice.gov.uk/resource-library/cost-of-cyber-crime

Accredited cyber security providers such as Thales are ready to help. Thales is a leading partner with Government in the Defence Cyber Protection Partnership (DCPP), which flows good practice into our supply chain. We also support the Government's Innovation Vouchers scheme to help SMEs boost their cyber security posture; the scheme demonstrates a continued level of government commitment to investing in the principle that good cyber is good business. [5]

Businesses should recognise that cyber security is not a product. It is not a firewall or a password. It is a journey and the attitude you take towards it. Recognise that good cyber can be good business. Start by understanding your vulnerabilities and how mitigating actions can help your business's operational and financial performance. We can help you with this.

Thales' approach to cyber security enables business leaders and board-level executives to prioritise improvements to their own cyber security, based on their risk appetite. Our approach puts boardrooms back in control of an arena typically seen as alien to the immediate business. This is a key shift: by articulating the financial benefits of addressing the cyber security risk, business leaders are able to take positive action, rather than focusing on the cost of addressing a theoretical risk.

Thales is changing the conversation. We want to move on from headline-grabbing scare stories to talk about the material benefits of cyber security. In a world of sophisticated and pervasive cyber threats, managing your cyber security represents an opportunity to exploit a source of competitive advantage. Embracing good cyber security as a pillar of business-as-usual activity can be both a selling point to stakeholders and customers, and a way to reduce risk-contingent reserves and insurance policies, directly improving your organisation's operational and financial performance.

With the right approach, focusing upon deriving the P&L benefits of mitigating cyber risks, aligned with appropriate technological responses and security architecture, business leaders can be empowered to prioritise the benefits they wish to derive from good cyber security and to manage the realisation of those benefits, proving that good cyber security is also good business.

5. https://vouchers.innovateuk.org/cyber-security

Introduction

Cyber security makes headlines on almost a daily basis: the threats and risks posed by espionage on a global scale, involving often state-sponsored, professional, highly focused and extremely adept belligerents. We read about the risks to even the mightiest nation states, their economies, critical assets, businesses both large and small, and their citizens; it seems that everyone is at risk, and with every day that passes the threats proliferate and the risks increase.

The scale of the cyber threat was highlighted in June 2012 by Sir Jonathan Evans, MI5's Director General, who commented: "The extent of what is going on is astonishing, with industrial-scale processes involving many thousands of people lying behind both State-sponsored cyber espionage and organised crime." [6]

The popular focus on risk is both understandable and beneficial. Awareness of the threat is an essential first step. This white paper will begin, therefore, by discussing why cyber should be regarded as a business risk to reputation, operations and financial performance, just as, for instance, people and processes commonly are.

As a leading cyber security practitioner, Thales recognises that for business leaders focused on the implications of cyber risks and compliance for their bottom line, affordable cyber protection is essential. We also recognise that, as the cyber threat rapidly evolves, it is often difficult for organisations to assess whether they are vulnerable and what they should do to protect themselves. This is why Government, leading cyber security companies like Thales, and vulnerable organisations must come together to build the awareness, support and capability required to protect UK Plc. This white paper will discuss how and where this is happening. It will examine the support schemes and services available to SMEs and large companies alike from Government and cyber security companies, what they should look for from these, and how your organisation can maximise its benefit from them.

What is less discussed, however, is whether cyber security can be a net contributor to a company's P&L. This paper will examine how far we can question the assumption that cyber security is just an insurance cost and instead ask: can cyber security be a source of competitive advantage? Can Good Cyber be Good Business?

6. https://www.mi5.gov.uk/home/about-us/who-we-are/staff-and-management/director-general/speeches-by-the-director-general/the-olympics-and-beyond.html#cyber

Why cyber security matters to you

Cyber security is a business risk and should be treated accordingly. Ask yourself: would you employ someone without interviewing him or her? Would you allow anyone off the street access to your business premises? Yet you are probably introducing technology into your organisation every week. Moreover, you are likely to be linking this technology to networks holding business-critical information. You may be doing this in a world in which data is the new IP, brand reputation is a Tweet away from nil, and trust in your supply chain is paramount.

The fallout from Sony's PlayStation Network being hacked, compromising the personal information of millions of users, is a case in point. Compelled to issue a public apology to anxious customers, hauled before the US Congress, and fined by UK regulators to the tune of £250,000, Sony's example illustrates how damaging on a global scale the publicity from a successful cyber attack is. [7] All this from an attack which the UK Information Commissioner's Office (ICO) duly judged to be preventable. [8]

Risk is typically acknowledged to be a balance of understanding, investment and decision making; this too is what good cyber security is all about. In today's business landscape, the protection of information assets is a key element in the long-term competitiveness and survival of commercial organisations. In an environment where the survival of individual organisations is at least partially dependent on the security of critical national infrastructure or a supplier's intellectual property, all organisations must contribute to improved cyber security. With the internet becoming the mainstream communication and application platform, the greatest risk to your business is cyber risk, whether you realise it or not.

If you have not studied cyber security, here it is in a nutshell: cyber security is the act of protecting computer systems and data against loss, manipulation, damage and theft from malicious sources. This is achieved through hardening systems, applications and people against threats and ensuring that processes apply these defences rigorously. There is no winning in this type of war, as the enemy is never-ending, constantly evolving and growing in number. It is simply a survive-or-lose scenario. For your side to survive, partners and clients alike need to trust your integrity and ability to deliver on promises, particularly regarding their security. On this battlefield, popular perceptions and rumour are more influential than the facts. If you are perceived to be insecure, you will lose business.

7. http://news.sky.com/story/1042250/sony-fined-over-playstation-hack-attack; http://www.t3.com/news/sony-apologise-forcyber-hack-and-warn-of-hit-on-profits
8. http://www.bitdefender.co.uk/security/sony-to-pay-%c2%a3250-000-fine-for-preventable-playstation-hack.html

A June 2013 report from the consultancy PricewaterhouseCoopers and Iron Mountain, a storage and information management company, found that more than half (58%) of European mid-sized firms say they would refuse to do business with a company that had suffered a data breach. [9] With this in mind, you may be asking yourself the following questions:

Surely our IT department has dealt with this? In truth, probably not, and neither is it wholly their responsibility. Cyber security is a complex problem space with its own expert disciplines, both human and technological, that affect the safety of information and systems from various adversaries looking to steal, corrupt, damage, destroy or deny access to them.

Can I afford to wait? Certainly not. Currently it is far more likely that an organisation has more people trying to penetrate its systems than it has people trying to prevent those intrusions. It may already be unknowingly compromised.

Is the risk real? Yes. Public or private, big or small: if an organisation has something an attacker wants, they will target it. Furthermore, if an organisation, however small or remote, has affiliations to other interesting companies, countries or clients, it may be targeted to gain access to them via its networks, and vice versa. Remember that not all cyber attacks are aggressive in nature; some attackers lurk silently within an organisation's networks, slowly and methodically siphoning valuable information and digging deeper, sometimes over the course of years.

A Growing Risk

More businesses than ever are facing the threat of losing confidential information through cyber attacks, according to research published in April 2013 by the Department for Business, Innovation and Skills (BIS) in conjunction with PwC and Infosecurity Europe. [10] The 2013 Information Security Breaches Survey showed that 93% of large businesses and 87% of small businesses across all sectors experienced a cyber security breach within the last year. This increase of over 10% has cost affected small businesses up to 6% of their turnover, when they could protect themselves for far less. The average cost of the worst security breach for small organisations was £35,000 to £65,000, and for large organisations was between £450,000 and £850,000. The vast majority of these were through cyber attack by an unauthorised outsider. [11]

9. http://ironmountain.co.uk/risk-management/
10. http://news.bis.gov.uk/press-releases/support-for-small-businesses-to-tackle-record-levels-of-cyber-attacks-68b5a.aspx
11. www.gov.uk/government/uploads/system/uploads/attachment_data/file/191670/bis-13-p184-2013-information-securitybreaches-survey-technical-report.pdf

The survey also showed that:

- The median number of breaches suffered was 113 for a large organisation (up from 71 a year ago) and 17 for a small business (up from 11 a year ago), meaning that affected companies experienced roughly 50% more breaches than on average a year ago
- Several individual breaches cost more than £1 million
- 78% of large organisations were attacked by an unauthorised outsider (up from 73% a year ago) and 63% of small businesses (up from 41% a year ago)
- 81% of respondents reported that their senior management place a high or very high priority on security; however, many business leaders have not been able to translate expenditure into effective security defences
- 84% of large businesses report staff-related cyber breaches (the highest figure ever recorded) and 57% of small businesses (up from 48% a year ago)
- 12% of the worst security breaches were partly caused by senior management giving insufficient priority to security

According to Government Communications Headquarters (GCHQ), it is estimated that 80% or more of currently successful attacks can be prevented by simple best practice. This could be steps as straightforward as ensuring staff do not open suspicious-looking emails or ensuring sensitive data is encrypted. [12]

The Department for Business, Innovation & Skills (DBIS) has reported the example of a small London insurer whose management team did not focus enough on security at their service provider, leading to a substantial data security breach. Information, such as announcements and business development reports, which they believed could only be accessed internally, was actually being indexed by web crawlers and made available in search rankings. It took nearly a month to detect the problem, and then systems had to be taken offline for a week to fix it.

The report also cited a mid-sized energy company that suffered disk corruption in their storage area network. Unfortunately, it hadn't been designed with sufficient redundancy in place. As a result, it took nearly a month to restore service to business as usual, after several man-weeks of effort and tens of thousands of pounds spent.

Following reports in the media of similar attacks, a large technology company discovered that hackers had accessed their website through a known vulnerability. The attack specifically targeted the organisation and was facilitated by the lack of priority placed on security. The company suffered significant adverse media coverage after taking a month to restore business as usual. [13]

The cyber threat is real: there is a growing risk of disruption, information loss, reputational damage and material cost to your company's P&L.

12. http://news.bis.gov.uk/press-releases/support-for-small-businesses-to-tackle-record-levels-of-cyber-attacks-68b5a.aspx
13. Ibid.

Awareness comes first

The 2013 Information Risk Maturity Index, collated by PwC and Iron Mountain, suggests that, even as European companies are experiencing a 50% per year increase in data breaches, their approach to information management is defined by confusion, inconsistency and double standards. [14] The study found that, while 68% of companies recognise that a responsible attitude to information is critical to business success, 47% say their Board does not see data protection as a major issue and 43% say their employees hold the same view. This is not surprising when 26% of boards have not been briefed on any security risks in the last year, with 19% never having been briefed. But it is remarkable when a survey of US investors showed that 70% are interested in reviewing public company cyber security practices, and almost 80% would not be likely to consider investing in a company with a history of breaches. [15]

Still, some 42% of large firms do not provide any form of ongoing security awareness training. [16] This is despite the National Fraud Authority claiming that even minor changes to how people use the Internet, such as better password security, could prevent significant numbers of cyber security breaches.

The UK Government recognises that this lack of awareness of the growing cyber threat is a major problem, and is working across Government departments and industry to flow awareness down and across the UK economy and populace. The Government's Cyber Security Strategy, in place since 2011, sets the four strategic aims of:

- Making the UK one of the most secure places in the world to do business in cyberspace and promoting the national Prosperity Agenda
- Making the UK more resilient to cyber attack and better able to protect our interests in cyberspace
- Helping shape an open, vibrant and stable cyberspace that supports open societies
- Building the UK's cyber security knowledge, skills and capability.

To help meet the objectives of the strategy, the Government has put in place a National Cyber Security Programme backed up by £650 million of Government investment over 4 years. Following on from the 10 Steps to Cyber Security guidance released in September 2012, which was aimed at larger businesses, in June 2013 the UK government announced a new campaign worth £4 million with the aim of increasing awareness of cyber security amongst consumers and small businesses. [17]

14. http://ironmountain.co.uk/risk-management/
15. http://www.itgovernance.co.uk/media/press-releases/it%e2%80%99s-official-investors-care-about-information-sec.aspx
16. http://www.pwc.co.uk/audit-assurance/publications/2013-information-security-breaches-survey.jhtml
17. http://www.itproportal.com/2013/06/21/uk-launches-4-million-campaign-cyber-security-awareness/#ixzz2x854yd9i

James Brokenshire MP, Minister for Security, gave the Home Office campaign the go-ahead as part of the government's National Cyber Security Programme. The aim is to educate people about how to protect themselves from the growing cyber threat. The pan-government campaign will be run with the help of the Cabinet Office, the Department for Business, Innovation and Skills, and business industry specialists such as Get Safe Online.

"We know that cyber attacks are happening on an industrial scale and businesses are by far the biggest victims of cyber crime in terms of industrial espionage and intellectual property theft, with losses to the UK economy running into the billions of pounds annually." - Francis Maude, Cabinet Office Minister

"The digitisation of the UK economy has made our lives easier and has created huge opportunities, but it has also created individual security risks as well. If we are to meet these new challenges it's essential we step up our efforts to stay safe online," said Brokenshire. "The threat of cyber crime is real and the criminals involved are organised and driven by profit. By making small changes British businesses can remain competitive in the global economy and consumers can have greater confidence using the internet."

The new cyber security awareness campaign will commence in Autumn 2013.

Government-Industry Partnership

The UK Government has assessed the cyber threat to British industry as a Tier One national security threat. This is based on both the huge cost to UK business and the threat to Ministry of Defence intellectual property held by industry, which has been subject to systemic espionage attack. This has led the Government to cooperate with industry in the creation of the Defence Cyber Protection Partnership (DCPP), mandated by the Secretary of State for Defence and the Defence Suppliers' Forum. This is a Government-industry partnership focused on improving cyber security in the Defence sector and its supply chain. It will do this through the following means:

- Setting standards and measurements
- Improving and increasing cyber security skills
- Information sharing on attacks and threats
- Supply chain communication and awareness

It includes the UK's prime defence suppliers: BAE, BT, CGI/Logica, EADS, HP, Lockheed Martin, Rolls Royce, Selex ES and Thales. Thales is a central player in the DCPP, leading the key activity stream of developing the Standards and Measurement framework to support and flow cyber security maturity through the MoD's supply chain.

This unprecedented Government-Industry cooperation goes beyond the Defence sector. In March 2013, the Government launched a new partnership between government and industry to share information and intelligence on cyber security threats. The Cyber Security Information Sharing Partnership (CISP) is part of the UK s cyber security strategy, established to help make UK businesses more secure in cyberspace. 18 Thales has been a prime mover in the creation of this partnership, which is being supported by the Security Service, GCHQ and the National Crime Agency. These organisations will work with industry analysts to produce and disseminate information on cyber threats facing the UK. It complements the work being carried out by the National Cyber Crime Unit, which tackles the most serious, organised and complex forms of cyber crime. 19 Cyber security is an increasing risk for small micro businesses and more and more, a barrier to growth... Information security should be part and parcel of good business pratice - Mike Cherry, National Policy Chairman at the Federation of Small Businesses The partnership includes the introduction of a secure virtual collaboration environment where government and industry partners can exchange information on threats and vulnerabilities in real time. The Cyber Security Information Sharing Partnership will be complemented by a Fusion Cell which will be supported on the government side by the Security Service, GCHQ and the National Crime Agency, and by industry analysts from a variety of sectors. They will work together to produce an enhanced picture of cyber threats facing the UK for the benefit of all partners. 20 If you would like to find out more about the CISP or if you are interested in applying to join, please contact info@cisp.org.uk. 
Help is out there: Cyber Security grants for SMEs

With many SMEs now primary targets for cyber attacks, the UK Government's Department for Business, Innovation and Skills (DBIS) announced in April 2013 that it would make available half a million pounds of funding to aid SMEs in developing their cyber security posture. Following an initial run until July 2013, the scheme has been re-opened and extended until October 2013, such was the positive uptake. The Innovation Voucher scheme represents an excellent, possibly unique opportunity for SMEs to assess their current IT operations and infrastructure, procure government-grade security and network architecture review services, and receive support through implementation. SMEs can apply for up to £5,000 in the form of an Innovation Voucher, which they may use to contract external cyber security companies and consultants to help them increase their cyber security awareness and defence systems. This could include, for example, vulnerability assessments and penetration tests.

18. https://www.gov.uk/government/news/government-launches-information-sharing-partnership-on-cyber-security
19. https://www.mi5.gov.uk/home/news/news-by-category/government/cyber-security-partnership-announced.html
20. https://www.gov.uk/government/news/government-launches-information-sharing-partnership-on-cyber-security

The £5,000 vouchers, distributed by the Technology Strategy Board, are only available to small and medium enterprises that do not have internal cyber security expertise, and the grant must be spent through a new external supplier.

David Willetts, Minister for Universities and Science, said: "Keeping electronic information safe and secure is vital to a business's bottom line. Companies are more at risk than ever of having their cyber security compromised, in particular small businesses, and no sector is immune from attack. But there are simple steps that can be taken to prevent the majority of incidents. The package of support we are announcing today will help small businesses protect valuable assets like financial information, websites, equipment, software and intellectual property, driving growth and keeping UK businesses ahead in the global race."

Innovation Vouchers for cyber security can be used to secure specialist consulting and services to help:
- Businesses looking to protect new inventions and business processes
- Businesses looking to cyber audit their existing processes
- Businesses looking to move online and develop a technology strategy
- Business start-ups looking to develop an idea into a working prototype and needing to build cyber security into the business from the very beginning

For example, this could include looking at:
- Bring your own device (BYOD)
- Integration of cloud environments
- WAN remote access (integration of multi-sites)
- Mobile workers
- Collaborative services
- Social media integration

Prior to implementing change to any company's IT operations it is important to understand its cyber security posture and the potential impact on the company's overall cyber security, especially as the majority of innovation now includes an element of cyber integration. This is where the Innovation Vouchers should be put to use.

We recognise that it is difficult for SMEs with little or no experience of cyber security to know what to expect from their voucher or any investment in cyber security. Thales therefore recommends that SMEs look for introductory readiness reviews, including services such as:
- Vulnerability Assessment
- Security Architecture Review

This type of service is intended to provide the cyber security expertise necessary to ensure that the implementation of innovative changes by the SME improves the overall cyber security posture of the organisation. We advise SMEs to take a multiphase approach to maximise their Innovation Vouchers:

1. Initial engagement: What is the security posture of the SME? Will your existing architecture support the proposed change? What are the potential difficulties of the proposed change?
2. Implementation: Consultancy through implementation/integration of the change.
3. Post-implementation: Cyber security isn't a one-off event. Through-life and ongoing support and analysis of cyber security activities.

For their £5,000 voucher, or any other initial investment in their cyber defences, SMEs should expect to receive the services of an accredited cyber security consultant. Typically, the consultant will deliver vulnerability assessment and architecture review reports to identify the greatest cyber security risks that could prevent the implementation of business change, providing a clear description of those issues, their potential impact and how they can be resolved and/or prevented. To find out more about the Cyber Security Innovation Voucher scheme visit www.vouchers.innovateuk.org/cyber-security.

Good cyber, good business?

For some forty years, Thales has been providing Information Assurance services to public and private sector customers, including government, critical national infrastructure operators, enterprise, and military. We are therefore long accustomed to thinking in terms of threats and risks, and their proliferation.
However, we have also seen that as the problem space has evolved, so have the business opportunities for practitioners of good cyber security.

There is a danger of seeing cyber security solely through a cost lens. But there is an alternative view, with precedent, which suggests that with the right focus and motivation, implementing good cyber security can be good business. The precedent is in Quality disciplines in engineering and manufacturing, where Good Quality is Good Business. Historically, Quality was considered a cost of doing business, whereas over time it has come to be acknowledged as both a differentiator and a contributor to positive P&L impact. But with cyber we do not have the luxury of the 15-20 year journey that British industry embarked upon in the case of Quality.

Let us remind ourselves of the size of the challenge. In 2011, UK organisations suffered some 44 million cyber attacks. The damage caused to UK businesses (e.g. in terms of IPR loss, operational outages, and direct financial theft) was at least £21bn, according to Government-backed reports. [21] 98% of these breaches involved external agents. As many successful attacks resulted from weaknesses in security culture and human failings as from technology vulnerabilities. The cyber threat is here today, and the inadequate cyber defence posture of some organisations is already costing them dearly. In the face of this growing threat, the UK Government has put in place a Cyber Security Strategy, supported by £650 million of public investment, to respond to what it has designated as a Tier One national security threat and improve the UK's cyber defences.

But how should business respond? As a result of such reports, organisations are increasingly aware of cyber security risk. At a strategic level, they recognise the operational, financial, and reputational damage that can be caused by a significant cyber attack.
Increasingly, they also understand the benefits of using third party expertise to assess their information risk, to audit their technical, operational and human vulnerabilities, and to help reduce the risk of a significant cyber security breach. These cyber-aware organisations increasingly understand that applying established standards, such as ISO27001, and guidelines, such as the SANS Critical Controls, as well as keeping up to date with developments such as the NIST Cyber Security Framework and the UK's Cyber Security Maturity Model, are some of the best techniques to identify and reduce their business risks. They know that, by using cyber security partners like Thales, best practice techniques will be applied by qualified security-cleared individuals (e.g. CLAS), and by teams that operate to independently verifiable standards (e.g. CREST).

But even cyber-aware organisations can be unfamiliar with how good cyber security can be good business. Concerns over risk and cost too often prevail over recognising how good cyber security can be a source of comparative advantage, a product differentiator, a brand asset, and a business opportunity. This approach requires bold and strategic thinking. This is how Thales sees cyber security. Thales shows our clients that, by taking a business benefits orientated approach, most organisations can articulate the positive financial impact of mitigating cyber risks, which in turn can empower business leaders to prioritise the benefits they wish to derive from good cyber security.

21. http://www.cabinetoffice.gov.uk/resource-library/cost-of-cyber-crime

But what does good cyber security look like? First and foremost it is an understanding of the nature of cyber security: the constantly evolving threat environment is such that you can soon fall behind the curve and are no longer secure. It is not a firewall or a password or any other product. Cyber security is a journey. It is about first understanding your vulnerabilities, then putting in place the technologies and security architecture, practices, policies, and training to support the constant monitoring and mitigation of risks to your people, processes, and information from cyber attacks. Thales can help you with this.

Good cyber security is also about the attitude you take towards it. It is about understanding that there are financial and operational benefits to be had from strategic investments in your cyber defences. There remains a gulf between an intellectual recognition of cyber as a problem and an instinctive sense for most business leaders that it is somebody else's problem. How do we bridge this gulf? The answer is by moving the conversation away from headline-grabbing scare stories to talk about the material benefits of cyber security. In a world of sophisticated and pervasive cyber threats, managing your cyber security represents an opportunity to exploit a source of competitive advantage. Embracing good cyber security as a pillar of business-as-usual activity can be both a selling point to stakeholders and customers, and a way to reduce risk-contingent reserves and insurance policies, directly improving your organisation's operational and financial performance.

Embracing good cyber security as a pillar of business-as-usual activity can be a selling point when talking to customers, suppliers, and shareholders. Trust is the cornerstone of any client/customer relationship. Demonstrating responsibility by protecting your all-important people, places and information bolsters this trust, with a resultant positive effect on revenue.
Consider, for example, launching a new product in a safety-critical industry. The product meets all of the necessary standards, but is also differentiated in the market by a level of built-in cyber assurance that is verified by a trusted third party. Consider the value of keeping your costs, negotiating margin and price sensitivity secure in advance of a major contract negotiation. Indeed, a recent report from Iron Mountain, a storage and information management company, and PwC found that more than half (58%) of European mid-sized firms say they would refuse to do business with a company that had suffered a data breach. It also suggested that, even as European companies are experiencing a 50% per year increase in data breaches, their approach to information management is defined by confusion, inconsistency and double standards. [22] This represents a clear opportunity to gain competitive advantage through cyber security.

22. http://ironmountain.co.uk/risk-management/

Or consider the operational efficiency of remote, flexible working, or allowing employees to bring their own technology to work, or simply allowing the business to continue to use the internet in a flexible way, all whilst securely protecting key business information. Good risk management requires a balance of understanding, investment, and decision-making. Yet, as the cyber security threat rapidly evolves, it is often difficult for organisations to assess the extent to which they are vulnerable and what they should do to protect themselves. For business leaders focused on the implications of cyber risks for their bottom line, affordable cyber protection that is appropriate to the scale of their business and reflects the reality of the risks they face is essential. Accredited cyber security providers such as Thales are ready to help. Thales is a leading partner with Government as part of the Defence Cyber Protection Partnership (DCPP) to flow good practice into our supply chain. We also support the Government's Innovation Vouchers scheme to help SMEs boost their cyber security posture, which demonstrates a continued level of government commitment to investing in the principle that good cyber is good business. [23]

Unlocking the potential of cyber security requires both an appropriate approach and an appropriate offering. Many cyber security companies offer a consultancy approach to assess cyber security risk. Cyber security companies traditionally assess the potential business costs of cyber attacks and apportion value to the benefit of cyber defence. The security response must be appropriate to the organisation's needs in terms of affordability and rigour. We recognise that every organisation is at a different stage of maturity in managing its cyber security risk. To reflect this, Thales offers a modular approach that enables customers to have access to a comprehensive cyber assurance service, while only paying for those components that are pertinent to their business.
Typically, a starting point on a customer's journey to cyber protection (and accreditation if required) will be a Vulnerability Assessment and/or Penetration Test, which identifies critical information in the business and how it could be exploited, and suggests actions for mitigating these risks. Next steps could be comprehensive, holistic security assessments, taking into account physical security. After all, your business could have the highest-spec network security, only to allow an external agent to walk freely into the premises and pull the plug. Your business may also need to comply with certain standards, such as future UK Ministry of Defence cyber security requirements for companies in its supply chain. Third party consultants can help you understand your security requirements and the most appropriate and commercially effective way for you to meet these. In addition, business leaders should look for cyber security practitioners focused on explaining and realising material P&L benefits and shareholder value for their organisation, underpinned by the necessary blend of expertise and capability.

23. https://vouchers.innovateuk.org/cyber-security

Thales' approach to cyber security enables business leaders and board-level executives to prioritise improvements to their own cyber security, based on their risk appetite. Our approach puts boardrooms back in control of an arena typically seen as alien to the immediate business. This is a key shift: by articulating the financial benefits of addressing the cyber security risk, business leaders are able to take positive action, rather than focusing on the cost of addressing a theoretical risk. With the right approach, focusing upon deriving the P&L benefits of mitigating cyber risks, aligned with appropriate technological responses and security architecture, business leaders can be empowered to prioritise the benefits they wish to derive from good cyber security and to manage the realisation of those benefits, proving how good cyber security is also good business.

Cyber standards and measurement

Faced with such a critical issue as defining critical information within a business and exploring security vulnerabilities, organisations need to ask carefully which suppliers they can trust and how to differentiate suppliers who have market-leading Cyber Security capabilities. How can we be sure that the recommended Cyber Security practices are up there with the best? A starting point is to choose an organisation familiar with sector-wide evaluations against a framework which clearly articulates what good cyber security looks like, is based on a continuous assessment of recognised best-of-breed standards, advice and guidance, and takes sector-specific regulations into account. Thales sees the concept of cyber security maturity as the best solution. This means that organisational maturity against a framework must be evaluated in a consistent manner, and that an organisation's attainment of minimum maturity levels should be considered as a routine risk-assessed requirement for all new supplier engagements.
In order to ensure proportionality and avoid simplistic, compliance-driven decisions, all cyber-related investments should be based on a firm understanding of business benefit and risk to all stakeholders, including suppliers and customers. This requires a holistic approach. For example, in order to ask suppliers to meet or exceed a level of maturity based on a burden of expectation, the commissioner of services must itself have reached a level of maturity in understanding such that cyber security risks are managed alongside all other risks, opportunities and business objectives. This approach requires a cyber security framework which:

1. Builds on existing standards, guidance and regulations
2. Provides clear expressions of what good cyber security looks like
3. Provides an organisational basis for cyber security maturity
4. Recognises differing expectations for different industry sectors
5. Enables the specification of a risk-assessed burden of expectation
6. Ensures that compliance levels are assessed uniformly
7. Ensures that cyber security is driven by business benefits

Fortunately, this shift of emphasis is reinforced by significant developments in the Government arena related to cyber standards and measurement. The UK Ministry of Defence is working with its supply chain in a joint MoD-industry project known as the Defence Cyber Protection Partnership (DCPP). Thales, on behalf of industry and the MoD, is leading the development of a standards and measurement framework that will give clear guidance on the levels of cyber defence expected of suppliers. It will allow organisations to compare and contrast their own compliance regimes with those required in the MoD Supply Chain. Providing such a standards framework allows the broader business community to develop expectations of behaviour from their peers. This is the cyber equivalent of social pressure to wear a seat belt, or not to drink and drive. In some respects, it is pushing against an open door. A recent report from Iron Mountain, a storage and information management company, and PwC found that more than half (58%) of European mid-sized firms say they would refuse to do business with a company that had suffered a data breach. [24]

Organisational maturity in cyber security can be the basis for driving progress in the defence posture of UK Plc. It will provide a considered mechanism to allow boards to make sensible, informed assessments of the balance of risk and the affordability of mitigating those risks. It will help companies included in its remit unlock the financial and operational benefits of Good Cyber.

A call to action

Our experience has shown us that doing nothing is not an option. Cyber security companies are here to help you equip your organisation to meet the cyber threat at a cost and rigour appropriate to your organisation.
The constantly evolving threat environment is such that you can soon fall behind the curve and are no longer secure. Cyber security is a journey. Thales recommends you begin by understanding what actually needs to be protected, understanding your particular threats and understanding your vulnerabilities. Start by contacting an accredited cyber security provider to review your options.

24. http://ironmountain.co.uk/risk-management/

About Thales

Whenever critical decisions need to be made, Thales has a role to play. World-class technologies and the combined expertise of 65,000 employees in 56 locally based country operations make Thales a key player in assuring the security of citizens, infrastructure and nations in all the markets we serve: aerospace, space, ground transportation, security and defence. Thales is a leading supplier of security technologies to secure your people, places and information. For more than 40 years, Thales has delivered state-of-the-art physical and cyber security solutions to commercial, critical national infrastructure, government and military customers. In all, Thales delivers cyber security projects across 50 countries, with a global network of 1,500 information security specialists working with SME and research partners that provides it with deep expertise and the agility to deliver industry-leading solutions across the complete cyber spectrum. Thales believes that Good Cyber is Good Business. Thales will help you refocus your security spend to defend your organisation and prevent significant loss of revenue and reputation. Thales will ensure your competitive advantage is maintained by being able to demonstrate resilient and secure use of cyberspace.

Why Thales?
Thales is a world leader in providing modular, integrated cyber security solutions to protect your people, places and information:
- Cyber incident response
- Audit, assessment and compliance
- Virtual enterprise and network simulation and testing
- System integration and assurance
- Training and skills

We are here to help - a Cyber Security partner you can trust:
- Global network of 1,500 information security specialists, building upon 40 years of experience
- Extensive domain knowledge of the enterprise, defence, transport and energy sectors
- Trusted to secure 19 of the 20 largest banks and 80% of payment transactions worldwide

Contact Us
Thales UK Ltd, Mountbatten House, Basing View, Basingstoke RG21 4HJ, UK
Tel: +44 (0) 1256 376633
Email: cyber@uk.thalesgroup.com
Website: www.thalescyberassurance.com

© 2013 THALES UK LTD. This document and any data included are the property of Thales UK Ltd. No part of this document may be copied, reproduced, transmitted or utilised in any form or by any means without the prior written permission of Thales UK Limited having first been obtained. Thales has a policy of continuous development and improvement. Consequently the equipment may vary from the description and specification in this document. This document may not be considered as a contract specification. Graphics do not indicate use or endorsement of the featured equipment or services.