It’s time to turn the risk of cyber-crime into a business advantage, says Vodafone
Vodafone is hoping to change the way cyber-security products are marketed and sold, following research that highlights the link between cyber security and business success.
Its survey of more than 1,400 businesses reveals that 86% of high growth companies see information security as an enabler of new business opportunities, rather than just as a means of defence.
For example, IoT adopters questioned for Cyber Security: The Innovation Accelerator have seen a 24% increase in financial benefits from having strong cyber security, including improvements to their business agility.
Amongst all respondents, good cyber security was valued for a range of benefits:
89% of businesses said that improving cyber security would enhance customer loyalty and trust;
90% said it would enhance their reputation in the market, potentially attracting new customers; and
89% said they felt better information security was a competitive differentiator that would help them win customers.
The perceived benefits of cyber security, allied to a heightened risk of attack, are reflected in increased cyber security budgets: 87% of businesses expect to increase spending on cyber security in the next three years; 10% expect budgets to double.
That said, there is still a great deal of confusion in the market: 41% of security decision-makers are uncertain where to get help in dealing with cyber security challenges. This is especially true of smaller businesses, 60% of which feel badly informed about security.
Andrzej Kawalec, Vodafone Group’s Head of Enterprise Cyber Security Strategy & Innovation, attributes this confusion to a combination of factors.
“There is an acute lack of cyber security capability in most organisations and that is felt most keenly in the SME space. Because the vast majority of security services and products, as they stand, are expert-to-expert, they demand a high level of technical and security competence and, individually, address only part of the problem,” he said.
“Secondly, there is a lack of clear responsibility. There’s a presumption that users and the organisations they represent have a duty of care around data. There’s also a clear set of responsibilities that apply to service providers and organisations that supply the fundamental underpinnings of the data economy. There’s a further set of responsibilities that government and industry associations have around standards and policy and regulation.
“Unless you have an army of policy gurus, a huge security organisation and people who are technically very adept at protecting and enabling your information systems, you start to become nervous about who you turn to to address these issues.”
He believes that the cyber-security industry should be doing much more to allay these fears – in the products they bring to market and in how they address their customers’ needs.
“There’s a whole set of under-served sectors where traditional security providers are not really thinking about their customers. The highly complex, capital intensive, expert security solutions and systems that work perfectly well for a large global multinational organisation are not the bundled, clear packaged solutions an SME or SOHO organisation might need.
“Our research also shows that new business models are driving a fundamental shift in how security technologies are perceived. High growth companies are using security to enable new business opportunities, rather than just to protect their assets. And that’s how Vodafone thinks cyber-security should be viewed,” he said.
“You cannot be a high growth company unless you focus on business agility, productivity, customer loyalty, reputation. Being able to charge a price premium because of enhanced security or being able to boost your reputation and customer loyalty are outcomes people wouldn’t naturally associate with a security program. But we found they are central to high growth companies. To be a winner in the digital economy, you’ve got to put security in place.”
He suggests that promoting the positive consequences of good data security might be a more productive approach for vendors and resellers than customer engagement based on fear, uncertainty and doubt.
“There are two unfortunate consequences to using fear, uncertainty and doubt as a gambit. The first is that you scare people into paralysis and the second is that people get a very unclear view of what the risk is. Scare tactics cloud your ability to make a clear, risk-based decision and put you at the whim of the cyber-attack du jour – is it ransomware this month? is there a GDPR risk? are we facing a huge new wave of cyber-crime? People need to take a more structured approach,” he said.
Kawalec recommends a four-stage process to becoming cyber-ready – understanding the cyber risk; building a cyber-ready culture; building a cyber security operations function; and creating a cyber response and data recovery strategy – pointing out that guiding customers through this process will prepare them for other business continuity risks.
“One of the most important things you can do as an organisation is to practise and understand how you respond in a crisis. Communicating effectively to stakeholders and consumers and working with law enforcement is one thing; restoring your organisation’s data and systems and putting in resilience is just as important. A business can’t just stop operating for two or three weeks. It’s not just the response, as vitally important as that may be; it’s the ability to restore service, to maintain communication with your customers and to enable people to continue to do their jobs. That is as important to resilience as front end protection, monitoring and detection,” he said.