Breaches are almost unavoidable, so focus on your response, advises cyber expert.

In the pre-Christmas retail frenzy of 2013, US retail giant Target had its cash registers raided.

It wasn't the stand-and-deliver tactics of old, but the work of 20-something-year-old eastern European hackers exploiting a weakness in the company's point-of-sale system.

Target's fancy new US$2 million malware detection tool, created by a security firm that counted the CIA and Pentagon among its customers, threw up a warning that was ignored at the company's head office.

Hackers stole details from 40 million credit cards and 70 million customer files, but the cost to the business didn't end there.

In the fallout, sales slumped, tens of millions had to be spent on fixing the problem and senior executives and board directors lost their jobs.

Last week the company settled a class action, promising to pay affected customers as much as US$10,000 each, to a total of US$10 million.

Large-scale, public and expensive hacks like this have put cyber security firmly on the radar of chief executives.

The most recent Annual Global CEO Survey by accounting and consulting firm PwC found 66 per cent of New Zealand chief executives were concerned about cyber security - two-thirds more than a year ago.

The numbers are on a par with their executive counterparts around the world.

What's changed, says PwC partner and cyber security specialist Adrian van Hest, is that security threats were previously seen as a technical issue, but as technology becomes an intrinsic part of businesses, the threat of disruption has become a strategic issue.

"I think what has come to the fore over the last two or three years is when you have a digital risk come to fruition the impact is phenomenal." Van Hest says the combined cost to Target has been estimated at about US$500 million.

"That wasn't just the incident itself, which is how people have perceived it in the past, but the knock-on effect of 'what do we need to do to fix this?'.

"The multimillion-dollar project, the loss of brand values, the impact to sales; I think that's the bit that people now are cottoning on to - that in this digital domain trust is really key and if you lose your client's trust, whether that be a government or an organisation, it can be your most valuable asset."

Those who contend a big security breach in the US has no relevance here are looking at it all wrong, says van Hest.

Cyber threats don't respect country borders, he says, and New Zealand businesses need to look at their global peers, those companies using the same infrastructure and systems.

The benefits of integrating technology into business functions are undeniable. Most CEOs here and overseas questioned by PwC reported that digital technology was creating value for their organisations in areas such as brand and reputation, customer experience and innovation, as well as operational efficiency.

The downside has been a resulting boom in cyber-crime, with detected incidents around the world growing by close to 50 per cent to 42.8 million in 2013.

Van Hest says it's a symptom not only of the pervasiveness of technology in organisations, but the move away from proprietary networks accessed and understood by only a handful of people in the business, to commoditised services, be they Apple devices and Windows PCs or industrial systems in common use the world over, all with a connection to the internet.

"The prevailing strategy for managing your digital risk and/or doing cyber security has been this notion of 'prevent'.

"It's been on the basis that we've approached digital security like physical security; it's been: throw a big barrier around, build a hard exterior and you can have a GUI [graphical user interface].

"What has happened is we've punched so many holes in that to enable mobility, to commoditise, to connect to the internet, to share with partners; all these things which make really good financial sense have rendered that kind of approach just not applicable in all domains."

If you're doing ecommerce, communicating with partners, going mobile, using a remote workforce and partnering with organisations in other territories, then using the "prevent" approach doesn't work, says van Hest.

Instead, he says, focus not only on protecting, but detecting breaches, responding and remedying or recovering important organisational data.

"Because, to be honest, what cost the Target guys their jobs and what cost a few other organisations ... they failed in their response."

Van Hest says it has become impossible to stop network breaches so businesses now have to know when an incident has occurred, respond quickly and recover as best they can.

"I think that's the bit that has been really hard for the practitioner community and the technology vendors and everybody to come to terms with, which is that actually it's not that we give up on prevent but we've got to acknowledge we've reached the point where almost every security control we can conceive and the work environment we live in just doesn't work with prevent."