15 Apr
24 Apr
It is a common view that CEOs are generally risk averse. There is nothing wrong with this. Indeed, if it wasn't for this characteristic in the human species we may not have survived.
Given this basic behaviour it is surprising that many companies appear to be oblivious to the risks associated with Cybercrime. In my straw polling of attitudes of CEOs the more common response is: “Our IT people are on top of it”. I would like to think that all these CEOs are right, yet, the data suggests this is not universally the case.
Cybercrime is increasing every year and the level of incidents is growing rapidly – even exponentially as reported in some papers. In the last month, a plethora of reports have come out on the extent of cybercrime, its increase and even its potential to cause the next global financial meltdown.
A recent article in the Economist “Why everything is hackable”, suggests that computers/software will never be safe and that the crimes will only increase as we connect more and more of our things to the internet.
It argues that the internet and, for that matter, most software is flawed and will always be vulnerable. Most new software sits on top of old systems where security was never a core concern. Consequently, vulnerabilities will continue to exist.
The article also highlights the culture of growth and development of new business opportunities over security. It states that the way developers handle vulnerabilities is to write lengthy complex disclaimers that every software user must accept as part of their use.
While disclaimers may not be legally enforceable it turns out it is very difficult to obtain redress in the courts. In addition, the article argues that even Governments are unlikely to step in and support the users as Governments have mixed agendas relating to software insecurity.
On the one hand, they want security to be strong but, they also like to exploit the vulnerabilities and see software and computers as tools for espionage and surveillance.
It would seem that we are caught between a rock and a hard place.
Be that as it may, Governments and large organisations are addressing the problem albeit in different ways.
The potential solutions range from the simple, like Microsoft encouraging upgrades to safer versions of their software through new types of chips that attempt to bake security in hardware and sandboxing of programs that limit malware affecting other parts of the computer or system.
Perhaps one of the traditional ways companies are taking to managing risks around the costs of cyberattack is using insurance.
It appears this industry is growing at 60% per year and is worth more than $3 billion.
While this may appear as a moral dilemma, the argument presented is that as costs and payout mounts up software companies will be forced to do more to prevent vulnerabilities in their products. At this stage though, insurance offers only limited protection.
It seems clear that there will be a battle between the user and the software developers on where the liability stands and, at some point, regulators will need to step in and define the rules. This will be inevitable as more things are connected to the internet and automated systems are installed. One can imagine that this needs to be worked out before, for example, we have driverless cars on the roads.