Detica chief warns of covert cybercriminals that threaten businesses

Speaking at the second Worldwide Cybersecurity Summit in London this morning, Sutherland said that, despite the escalating risk posed by cyberattacks, the risk of commercial data or intellectual property losses is not being given the same priority as 'conventional' business risks.

The problem is so bad, he says, that UK businesses are losing around £17 billion every year to industrial espionage.

The Detica managing director added that, in order to understand the scale of the problem, senior management must not leave the security analysis process to the 'bottom up' approach of traditional security.

This conventional approach, he claims, could lead to a flawed risk assessment, particularly with regard to the covert attacks which cost organisations so dearly.

"Our dependence on cyberspace has inevitably increased our exposure to security threats, and as cyberattacks grow in frequency and complexity, it is vital that businesses reappraise their approach to risk management accordingly", he said.

"This means that a more holistic, business-led approach to assessing impact and managing risk is required. With impacts of such potential magnitude to contend with, it's important that business leaders don’t leave their risk managers or IT teams attempting to mitigate these cyber threats alone, but instead take the initiative and actively engage with the challenges faced", he added.

Effective cyber risk management, Sutherland went on to say, is about enabling your security specialists to focus on protecting your organisation's most valuable assets.

Companies, he explained, cannot afford to give equal priority to every corner of the network, which is why it is vital that board-driven risk assessment – separating the assessment of business impact from the assessments of threat and vulnerability – is carried out to determine the true level of risk faced.

To enable risk managers to better assess the threats they face and build a business case for mitigating these risks, Sutherland said that his firm authored a new report titled 'Enemy at the Gate'.

In addition, Detica has prepared five crucial steps to help businesses reappraise their cyber risk strategies:

  • What are the potential threats faced? Firms need to establish their potential attackers and determine which threats the business is most likely to face.
  • Which assets are most likely to be targeted? Using these scenarios, assess the likely target of each attack – for example, customer databases, intellectual property and internal communications.
  • What is the motivation of the attacker? Determine the purpose of the attack – is it to cause disruption or reputational damage, to gain competitive advantage, or to be used for extortion, for example?
  • What is the potential business impact? Assess both the direct financial damage and the broader business consequences – such as higher competition, lost business or lower prices – of each attack scenario.
  • Which assets require the highest level of protection? Based on your evaluation of potential attack scenarios, identify which assets are high impact and prioritise the protection of these assets.
