Can good cyber be good business?

More UK businesses than ever are facing the threat of losing confidential information through cyber attacks, according to recent researched backed by the UK Government. The 2013 Information Security Breaches Survey found 93% of large businesses and 87% of small businesses experienced a cyber security breach within the last year. The average cost of significant security breaches for small organisations was £35,000 to £65,000. For large organisations the equivalent cost was £450,000 to £850,000. Such attacks could prove catastrophic for the profitability, if not the viability, of a business.

As a result of such reports, organisations are increasingly aware of the risk posed by cyber security - the act of protecting computer systems and data against loss, manipulation, damage and theft from malicious sources. This is achieved through hardening systems, applications and people against threats and ensuring processes apply these defences rigorously.

But even cyber-aware organisations can be unfamiliar as to how good cyber security can be good business. Concerns over risk and cost too often prevail over recognising how good cyber security can be a source of comparative advantage, a product differentiator, a brand asset, and a business opportunity. This approach requires bold and strategic thinking. For example, a recent report found that more than half (58%) of European mid-sized firms say they would refuse to do business with a company that had suffered a data breach.

Business risk

By way of comparison, consider the evolution of Quality as a discipline. Historically, quality was considered as a necessary cost of doing business. Over time, however, the best run businesses have used a structured approach to quality to contribute to improved business performance. If "good quality is good business”, why should we not apply the same benefits approach - and continuous improvement mentality - to cyber security?  Cyber-security is a business risk and should be treated accordingly.

The UK Government has assessed the Cyber threat to British industry as a Tier One national security threat. This is based on both the huge cost to UK business and the threat to Ministry of Defence intellectual property held by industry, which has been subject to systemic espionage attack. This is has led the Government to cooperate with industry in the creation of the Defence Cyber Protection Partnership (DCPP), mandated by the Secretary of State for Defence and the Defence Supplier’s Forum. It includes the UK’s prime defence suppliers: BAE, BT, CGI/Logica, EADS, HP, Lockheed Martin, Rolls Royce, Selec-ES, and Thales.

But this unprecedented Government-industry cooperation goes beyond the Defence sector. With many SMEs now primary targets for cyber attacks, the UK Government’s Department for Business, Innovation and Skills (DBIS) announced in April 2013 that it would make available half a million pounds of funding to aid SMEs in developing their cyber security posture. Following an initial run until July 2013, the scheme was been re-opened and extended until October 2013, such was the positive uptake. It is hoped that further extensions will be announced.

The Innovation Voucher scheme represents an excellent, possibly unique opportunity for SMEs to assess their current IT operations and infrastructure, procure government-grade security and network architecture review services, and through implementation support.

SMEs can apply for up to £5000 in the form on an Innovation Voucher, which they may use to contract external cyber security companies and consultants to help them increase their cyber security awareness and defence systems. The vouchers are only available to small and medium enterprises that do not have internal cyber security expertise, and must spend the grant through a new external supplier. Thales supports the Government’s Innovation Vouchers scheme.