Everyone is talking about Industry 4.0 and digitalisation. Up and down the country, the business community, lobby groups and politicians are excited about the issue. The basic tone is that anyone who fails to get on board with digitalisation will lose out. On the other hand, we have the issue of cyber security. Lloyd's, the London insurance market, estimates that cyber attacks cost companies around 400 billion US dollars a year. Juniper Research believes that the costs of data breaches will reach up to 2.1 trillion US dollars worldwide by 2019. Another cause for concern is that these statistics only include attacks that are reported. The World Economic Forum (WEF) says that a significant proportion of cyber crime goes undetected. This is particularly true for industrial espionage, where many attacks are never identified or reported. To find out more about these issues, FIRM spoke to Tom Köhler, an internationally recognised strategy expert in cyber security and an advisory partner at EY, about his assessment of the world of digitalisation and of the closely associated opportunities and risks in the cyber security environment.
Digitalisation has become a key success factor for companies. Almost every company has, to some extent, turned into an IT company. In your last RiskNET presentation you stated that, in many ways, risk management is lagging behind the digital and closely networked world. Where do risk managers need an urgent rethink?
Tom Köhler: More than almost any other issue, digitalisation means that risk managers are faced with complexity and uncertainty. It is a fact that the use of information technology has significantly changed companies' structural and process organisations. What's more, the innovation cycle for hardware, software and services is constantly accelerating. These developments do not stop and wait for cyber security and risk management to catch up. Digitalisation can actually network risks, meaning that risk managers need innovative approaches to deal with dynamic risks. More than ever before, risk managers need closer and more flexible interdisciplinary collaboration with their colleagues from the areas of strategy, governance, information technology and cyber security, in order to detect the networked risks of digitalisation more quickly and to allow them to implement preventive measures. In more simple terms, we need a new systemic approach to confront the security challenges of the networked world.
From a company perspective, you often get the feeling that cyber security is an issue that only has a limited direct impact. It is seen as an issue for other people. What is your assessment?
Tom Köhler: The constant reports of cyber security incidents mean that even companies who have not been affected themselves are very aware of the issue. The burning question is how prepared are companies for a worst case scenario? According to Bitkom, Germany's digital association, only 51 percent of companies have an emergency plan for responding rapidly to the loss of sensitive data, digital espionage or sabotage. It is absolutely essential for companies who want to benefit from the potential of digitalisation in the longer term to be aware of the worst case. Cyber attacks are an integral part of digitalisation and need to be incorporated into strategic business planning. For day-to-day business management, this means that scenario-based simulations of cyber attacks should be practised at regular intervals – so that the assumed weaknesses in coordination and communication processes are identified before a crisis actually occurs.
How do we need to rethink our concept of security in a world of comprehensive digitalisation and networking? To what extent is cyber crime currently shifting to the Internet of Things?
Tom Köhler: It is clear that organised crime on the dark net has become more effectively networked to orchestrate flexible, highly sophisticated and complex cyber attacks. Companies and their defence measures are very inefficient in comparison. Because of hierarchical company structures and limited cooperation mechanisms in the industry, the costs of highly automated cyber attacks are low and criminal gains are very high. This is sure to lead to a further increase in cyber crime. We need a security culture that is just as flexible as that of the attackers, and better orchestrated. The aim has to be to ramp up the costs of cyber attacks through "Security by Design" concepts and, at the same time, to implement better monitoring of networked systems.
How do you assess the human risk factor and appropriate risk culture in this context?
Tom Köhler: People have always developed interesting survival strategies. But we often overestimate our ability to control things and underestimate risks. To date, we have not developed any simple general rules for dealing with uncertainty in a networked digital world. However, these are essential if we want to put in place a preventive security culture in the age of digitalisation. Around five years ago, I worked with the Ludwig Maximilian University of Munich to develop the Internet Risk Behaviour Index. The aim was to promote secure user behaviour when dealing with online risks. Using a prototype cyber risk simulator, we were able to confront users with actual cyber threats and assess their behaviour. As a result, we were able to highlight to them the risks caused by their own personal behaviour and teach them how to prevent these risks. Unfortunately, the project did not attract further funding. I am convinced that this kind of approach is needed more than ever today if we want to promote networked thinking among users and effective handling of cyber risks. As in so many things, practice makes perfect.
In what areas do you believe there is the most need to catch up?
Tom Köhler: People have only a limited ability to identify complex relationships, particularly when they are under time pressure. With advancing digitalisation and the associated increase in complexity, traditional security approaches have only limited effectiveness. From my point of view, the main area where we need to catch up is by developing a systemic approach that takes a networked view of risks. This is particularly crucial for critical future IT infrastructures, such as highly automated traffic control centres for controlling autonomously driven cars. This kind of infrastructure integrates various highly complex systems, including geolocation satellites, ground stations, vehicle electronics, data networks and software components. A cyber attack on just one of the system components can have devastating effects on the security of the entire system and thus on the life of users of connected cars. Some people may think this example is looking too far into the future, but highly networked infrastructures already exist, for example air traffic management systems or smart grids.
This example shows the huge relevance of cyber security in the information society. But where specifically do companies need to catch up?
Tom Köhler: I believe there are five key areas for companies. Firstly, identification of the real – i.e. relevant – cyber risks. A top-down definition of risk appetite and critical information assets is essential for an effective cyber security strategy. They also need a laser focus on actual worst case scenarios. Secondly, companies have to assume they have already been hacked. They require a high level of resilience against cyber attacks. In other words, they need to focus their controls and processes more effectively on identification, protection, response and business recovery in the event of cyber attacks. Thirdly, governance performance is also important. Having policies is good, but flexibly monitoring them is better. Companies need an up-to-date view of their governance performance and risk position. It is essential for managers to receive up-to-date indicators of networked risks, i.e. of risks to their business and IT infrastructure. Optimising investments is a fourth point. Companies have to accept risks if no budget is available. However, in many cases budget can be made available by redeployment of capital. This requires an assessment of current investments in cyber security and their effectiveness. This enables more long-term investment decisions to be made at management level – for example purchasing of cyber security insurance or investments in innovative cyber security initiatives. Finally, a preventive security culture has to be viewed as a key business performance enabler. Cyber security is not just a technical issue; it demands a preventive security culture throughout the company. How do employees handle sensitive data? How do employees behave if they detect suspected cyber risks? Cyber security must be established as the responsibility of all employees. A preventive security culture is a good starting point for achieving greater risk awareness when introducing new technology and approaches such as bring your own device (BYOD) in a company.
You deal with the negative impacts of cyberspace every day. How do you deal with cyber risks yourself?
Tom Köhler: I have always been fascinated by technological innovations and I use many of the methods available for optimising my day-to-day work. Certainly I have an above average awareness of what can go wrong. But I also know that it only takes relatively minor actions, such as clear behavioural rules, to minimise my personal risk in cyberspace. Sometimes, there's one thing that really helps: "Just switch off".
Tom Köhler is an internationally recognised cyber security strategy expert and an advisory partner at EY. He can look back on a 20-year career in information and communication technology. He developed his expertise in various management positions with leading international IT manufacturers, including RSA, Microsoft, VeriSign and SafeNet. At Airbus Defence & Space, Tom Köhler holds a dual role as Chief Strategy Officer for Cassidian Cybersecurity – with responsibility for Europe – and as CEO Germany in charge of Cassidian Cybersecurity GmbH's operational business. Köhler is also a member of various committees including the Permanent Stakeholder Group of the European Union Agency for Network and Information Security (ENISA).