I remember, a number of years ago, sitting with an FTSE 100 CEO whose company was facing a hostile takeover. He showed me his pay-as-you-go mobile phone and explained that, while the deal was going on, he had been advised to change his phone every week to prevent phone tapping. That type of security risk now feels positively antiquated. More and more, I hear CEOs and their boards voice new concerns about increasingly pressing security risks to their organisations: terrorism, cyber-attacks, supply chain contamination, data breaches and fraud, to name but a few.
While companies have always taken security seriously, the sheer volume of threats today has put business leaders on alert like never before – and of course, these risks are felt acutely in consumer-facing industries. Consider what is at stake: huge store estates, often with very high profile flagship locations; thousands of employees, possibly with teams in remote and unpredictable geographic locations; complex global supply chains, dependent on inputs from many partners and suppliers; logistical operations, working 24 hours a day, 365 days per year; sensitive data held on millions of customers. The list is endless.
As these threats mount, companies find themselves exposed to events that could cause severe disruption, damage or worse.
We are all acutely aware of the awful spate of terror attacks that have hit the UK in the last year alone. Of course, ultimate responsibility for preventing such attacks rests with our public authorities. However, our industries are now required to play their part, for example through an upweighted, visible deterrent security presence, by taking appropriate preventative action and, in the worst case, by partnering with an authority to deal with the aftermath of an atrocity.
Recent research by insurance broker Arthur J. Gallagher and YouGov found that 8% of large UK company respondents had experienced a terrorism threat in the last two years, with 22% expecting to face one in the next 12 to 18 months. Yet only half of the large businesses surveyed said they had tested their crisis-response systems in the last six months, despite the UK threat level currently standing at ‘Severe’.
Besides the terrorism threat, cyber-attacks are growing in sophistication all the time. This year the operations of large corporates such as Equifax, Reckitt Benckiser and Maersk were disrupted by major cyber-attacks, not to mention the global ransomware attack that shut down large parts of the NHS. When you consider, for example, that Tesco’s Clubcard has 17 million members, and the depth and colour of personal information such loyalty schemes reveal about customers, it is only a matter of time before consumer companies become as much of a target for hackers and fraudsters as financial institutions already are.
A number of recent studies suggest businesses may not be taking cyber security threats as seriously as they should. For example, a report by PwC found that UK business budgets for cyber security are down by a third on what they were this time last year, despite the rising threat of attack. More than a quarter of businesses stated that they did not know how many cyber-attacks they had suffered in the past year, while one in five firms were found to have no preparation drills in place in the event of a cyber-attack.
Rahul Powar, founder and CEO of data analytics platform Red Sift, tells me the impending introduction of GDPR (General Data Protection Regulation) from May 2018 has further increased the risks associated with a cyber-attack. While public market reactions and reputational issues are well documented, Rahul believes the severity of new penalties will force companies to re-think their data security.
“GDPR changes the profile significantly, firstly because of the size of the penalties as of May 2018 and secondly because of the right to private enforcement,” he says. “This means that customers will now have the right to sue for compensation for data breaches. To put a data breach in context, Three mobile lost over 200,000 customers’ details. While a penalty would be painful, a class action of that magnitude could be crippling and much harder to insure against. I believe more attention needs to be given to GDPR in post-compliance scenarios.”
The risk of supply chain contamination is rising too. For example, earlier this year production at a Coca-Cola plant in Northern Ireland was halted when a container of cans thought to have arrived from Germany was found to contain ‘human waste’. Likewise, egg production throughout Europe was severely disrupted after an insecticide harmful to human health was supplied to farmers; some 700,000 contaminated eggs were thought to have reached the UK. More recently, 2 Sisters, one of the UK’s largest suppliers of supermarket chickens, was forced to suspend production at one of its main processing plants after undercover filming revealed poor hygiene standards and food safety records being altered.
From a talent perspective, our sectors have prepared for and protected against these myriad threats in a number of ways. Some businesses, particularly those with a financial services element, have appointed a chief risk officer. Others have appointed a security director, while others still have upweighted their risk committee (generally a sub-committee of audit) to provide broad leadership responsibility for security across the business. However, as a sector, are we doing enough, and with the right human resources, to address these challenges?
Firstly, from an organisation design perspective, does the role sit in the right place within the organisational hierarchy to ensure security-related issues are sufficiently prioritised? In banks and other financial services organisations the role, in some guise, is likely to be elevated to the main operating board. In consumer organisations, the role generally sits at board minus 1 or minus 2, reporting into the CFO, general counsel or HR director. While security is, of course, a standing item on most risk committees, I suspect that the role’s organisational standing means these risks are not given due prominence on a day-to-day basis.
Secondly, are we trying to cram too much into the role? I recently spoke with one ‘security director’ who spends most of his time on internal investigations (mainly fraud-related) and on combating counterfeit goods, with little time left to plan and strategise for the types of risk identified above.
Thirdly, do we have the right talent in these critical roles? Most security directors and chief risk officers come from one of two backgrounds. They either come up through an audit or risk and compliance career path, or they come from the defence or security services. Those from a risk-based background often have little expert knowledge of the aspects of security they are advising on, although, of course, they deploy processes to manage risk clinically.
Those from a defence or police background may have been hugely effective as members of the intelligence services yet, at least initially, will have little or no understanding of corporate life and how to be effective in a corporate setting. Additionally, many candidates from a police background have real depth in issues such as terrorism, but often hardly any depth in other areas such as cyber security.
Indeed, few group-wide security directors have real depth in handling cyber threats. While such expertise often sits within the IT function of the business, can a security director without deep knowledge of these issues really provide the governance, challenge and standards that corporate security requires?
Lastly, how should companies keep up with ever-evolving threats? The skills required of security directors are changing all the time, reflecting advances in technology and the evolving nature of attacks. We need to ensure we are offering our most senior people the opportunity to remain cutting-edge in their delivery. Historically, as a sector, we have hired externally to ensure we have the right talent. However, as the security needs of consumer-facing industries become more specific and defined, surely we will need to become better at developing and training our own security leaders of the future?
As the threat level increases on multiple fronts, perhaps consumer companies need to look again at how they manage risk, and in particular at whether the security function deserves a re-think now, before one is tragically forced upon them.