Instead of being paralysed by fear of data loss, it’s time to turn the risk of cyber-crime into a business advantage, says Vodafone
Vodafone is hoping to change the way cyber-security products are marketed and sold, following research that highlights the link between cyber security and business success.
Its survey of more than 1,400 businesses reveals that 86% of high-growth companies see information security as an enabler of new business opportunities, rather than simply as a means of defence.
For example, IoT adopters questioned for Cyber Security: The Innovation Accelerator have seen a 24% increase in financial benefits from having strong cyber security, including improvements to their business agility.
Amongst all respondents, good cyber security was valued for a range of benefits:
89% of businesses said that improving cyber security would enhance customer loyalty and trust.
90% said it would enhance their reputation in the market, potentially attracting new customers.
89% said they felt better information security was a competitive differentiator that would help them win customers.
The perceived benefits of cyber security, allied to a heightened risk of attack, are reflected in increased cyber security budgets: 87% of businesses expect to increase spending on cyber security in the next three years; 10% expect budgets to double.
That said, there is still a great deal of confusion in the market: 41% of security decision-makers are uncertain where to get help in dealing with cyber security challenges. This is especially true of smaller business, 60% of which feel badly informed about security.
Business Info spoke to Andrzej Kawalec, Vodafone Group’s Head of Enterprise Cyber Security Strategy & Innovation, about what the survey reveals and how the results will shape Vodafone’s approach to cyber security.
Business Info (BI): Why are businesses unsure where to get help with their cyber security?
Andrzej Kawalec (AK): I think it’s a combination of things. There is an acute lack of cyber-security capability in most organisations and that is felt most keenly in the SME space. Because the vast majority of security services and products, as they stand, are expert-to-expert, they demand a high level of technical and security competence and, individually, address only part of the problem.
Secondly, there is a lack of clear responsibility. There’s a presumption that users and the organisations they represent have a duty of care around data. There’s also a clear set of responsibilities that apply to service providers and organisations that supply the fundamental underpinnings of the data economy. There’s a further set of responsibilities that government and industry associations have around standards and policy and regulation.
Unless you have an army of policy gurus, a huge security organisation and people who are technically very adept at protecting and enabling your information systems, you start to become nervous about who you turn to to address these issues.
Forty per cent of organisations are unsure who can help them with their security challenges and that rises to 60% in the SME space, because they feel so keenly that lack of cyber-security capability and experience.
BI: Do you think that the cyber-security industry is failing its customers?
AK: I think there are a whole new set of challenges and under-served sectors where traditional security providers are not really thinking about their customers. The highly complex, capital-intensive, expert security solutions and systems that work perfectly well for a large global multinational organisation are not the bundled, clear package solutions an SME or SOHO organisation might need.
Our research also shows that new business models are driving a fundamental shift in how security technologies are perceived. High growth companies are using security to enable new business opportunities, rather than just to protect their assets. And that’s how Vodafone thinks cyber-security should be viewed.
You cannot be a high growth company unless you focus on business agility, productivity, customer loyalty, reputation. Being able to charge a price premium because of enhanced security or being able to boost your reputation and customer loyalty are outcomes people wouldn’t naturally associate with a security program. But we found they are central to high growth companies. To be a winner in the digital economy, you’ve got to put security in place.
BI: The cyber-security industry tries to engage people through fear, and I think that might be counter-productive.
AK: There are two unfortunate consequences to using fear, uncertainty and doubt as a gambit. The first is that you scare people into paralysis and the second is that people get a very unclear view of what the risk is. Scare tactics cloud your ability to make a clear, risk-based decision and put you at the whim of the cyber-attack du jour – is it ransomware this month?; is there a GDPR risk?; are we facing a huge new wave of cyber-crime? People need to take a more structured approach and think about what their risk profile is. Fear, uncertainty and doubt (FUD) clouds the issue and forces people into reactive, emotional behaviour.
BI: In your report you outline the four steps businesses should take to become ‘cyber-ready’, including understanding the cyber risk, building a cyber-ready culture, building a cyber security operations function and creating a cyber response and data recovery strategy. Taking these steps, especially the last one, helps protect a business from much more than just cyber threats.
AK: Absolutely. A business could suffer an inadvertent rather than a malicious mistake or outage. One of the most important things you can do as an organisation is to practise and understand how you respond in a crisis. Communicating effectively to stakeholders and consumers and working with law enforcement is one thing; restoring your organisation’s data and systems and putting in resilience is just as important. A business can’t just stop operating for two or three weeks while it works stuff out. That’s one of the things we really focus on – it’s not just the response, as vitally important as that may be; it’s the ability to restore service, to maintain communication with your customers and to enable people to continue to do their jobs. That is as important to resilience as front-end protection, monitoring and detection.
BI: What advice do you have for SMEs looking for a cyber-security supplier; what sort of things should they look for?
AK: Pick a provider that you already have a relationship with, somebody who can help you through those four stages we have identified, who can help you understand your risk and help you build security into your organisation. Security isn’t just a back-office exercise, it relates to how every employee connects with each other, how they all communicate, how they work together, how they share information with partners.
That’s one of the reasons we at Vodafone think we’ve got such a different and interesting role to play in the cyber conversation. At its heart, it’s about people using data, communicating the value of that data to create new business models and to enhance and change old business models. My advice is to allow one or two providers to help you understand your risk and put operational controls in place.
For SMEs, these can’t be expert-to-expert solutions, so one of the things we’ve done is bundle a package of specific security solutions so that they all work together – managing your mobile data, managing your mobile estate, managing and understanding how you’re using a variety of cloud providers. There is huge confusion and complexity in managing a lot of different suppliers, so finding a cyber-security partner who can curate those experiences and those services for you is quite high on the list.
BI: Presumably Vodafone is one such supplier, or do you just cover one part of the picture?
AK: That speaks directly to why we’re really excited by this research. There are very few organisations that touch every bit of that data journey and that digital story. We think we’re one of the few that does. We do two big things: we invest heavily in building security into all of our products – secure by design; we also understand that everybody faces a slightly different threat environment, so we need security services on top of that, right across our portfolio. That’s why we think we’re particularly well placed to talk to people about the challenges they face, be it a multinational global organisation, a government body or a small business. A massive proportion of our business is made up of smaller organisations, SOHO and SMEs that have a different set of challenges but are just as likely to be targeted by cyber criminals. We think there’s an important role for Vodafone to play in that dialogue.
BI: Have the findings of this survey changed how you approach cyber security?
AK: There are two things that really stand out for me, which will inform out future strategy and how we communicate with our customers.
The first is that 41% of large enterprises and 60% of SMEs are unsure about who can help them with information security challenges. For me, that is an industry-wide cry for help that we need to address. Vodafone can take a leadership role in that.
The second, slightly different one is the change in attitudes to data security. The difference in the attitudes of different generations to data loss is quite marked: 63% of over 55 year-olds, today’s decision-makers, fear the loss of data, but among the under 35s the figure is just 40%. We have an educational and a generational challenge to overcome. People must be allowed to use security to address business challenges, but at the same time they mustn’t be paralysed with fear over loss of data.
The full report Cyber Security: The Innovation Accelerator can be downloaded at www.vodafone.com/business/cybersecurityresearch