Today, anyone leading a significant company needs to understand that dealing with cyber crime is a reality

"Cyber" is an overly-sanitised term. When we talk about cyber, we're talking about conscience-free criminals who wouldn't think twice about taking a company down, costing jobs and potentially compromising the pensions of thousands who invest in these companies.

Cyber criminals are highly organised, well-resourced and highly motivated. Each year they cost global businesses more than US$600 billion and are on track to cost US$2 trillion per year by 2020. That's ten times New Zealand's GDP.

Speaking at a recent cyber security conference in Auckland, Prime Minister John Key revealed that 856,000 New Zealanders (roughly one person in five) were affected by cyber crime in the past year, at an estimated cost of $257 million.

A few years ago, engaging directors and senior executives in a conversation about cyber security was a challenge. Although the threat was emerging, it remained largely academic and was viewed as somebody else's problem.


Fast-forward to 2016 and what a difference time - and a raft of high-profile, multi-million-dollar, customer and brand impacting cyber-attacks - has made.
In the wake of the very public Sony and Target breaches, last month's crippling denial-of-service attack on US and European internet services, and the emergence of day-to-day ransomware and whaling campaigns against New Zealand businesses of all sizes, it's clear that everyone is fair game. New Zealand businesses are being successfully targeted with million-dollar attacks.

Directors and executives now understand cyber is a day-to-day reality and that plausible deniability is no longer an option. Today, anyone leading a significant company is reasonably expected to understand that methodically dealing with cyber crime is a basic reality in 21st century business.

Many also accept that absolute security is no longer a credible ambition. The goal now is to reasonably mitigate the risk and prepare to deal with the consequences when an attack succeeds.

The challenge is figuring out what is reasonable and recognising that after an attack, your customers and shareholders will be the harshest judges of your efforts.
A good starting point to determine what is reasonable is to understand today's cyber reality. This means understanding the threat in general and how it applies to your business.

Some businesses have a dirty little secret around cyber. They're aware of the risk posed to their customers, shareholders and staff but choose to do little or nothing to reasonably address it.
There are good reasons for this, including not knowing where to start, not understanding how to do it and not having the capability to deal with it. All are understandable, but none would offer much comfort to shareholders, customers or employees in the event of an attack.

There are five key steps company leaders can take to arrive at a reasonable response to cyber. The good news is that many will be familiar to anyone with any experience of mainstream risk management for a medium to large sized organisation.

The first step is understanding what is most valuable so efforts can focus on protecting it. If organisations don't understand this, they risk building $10 fences around $5 horses, wasting money on protecting things that matter relatively little.

This step is not complex and, for many companies, it can be based on mainstream risk processes. Simply build an inventory of everything that could be impacted by a cyber-attack, then classify each item according to its importance.


The list should include things like brand, share price, customer security, competitiveness, production technology and IP, as well as the usual technical systems and data.

The next step is to understand the risk. There are huge numbers of cyber threats, but it's neither practical nor commercially sensible to attempt to consider and manage all of them.
This step identifies the threats that are worthy of most attention - the fights worth fighting. It is mainstream risk management; only the content is different. If you don't have the cyber knowledge within the company to do this, hire it in.
It's also worth understanding that cyber is different from other business risks in that it is evolving and growing rapidly, and it is goal-oriented.

This is important. Cyber criminals are highly motivated and attacks can be very persistent. They can, and do, continue for months or even years until the attackers achieve their goal. This relentlessness is a key reason cyber is worthy of reasonable attention and response.

Only once the risk is well understood can leaders decide what is reasonable for their customers, staff and shareholders. If the board and executive think the risk and the organisation's ability to respond are acceptable, then little additional action may be required, for now.

If the board and executive decide the risk is unreasonable, they have a rational basis for defining more specifically what would be reasonable. If there is an attack, this is where you can demonstrate you have made an effort to be reasonable.
If the current risk isn't reasonable, the next step is to formulate a plan to mitigate it. Because few companies have the financial or delivery capacity to do all they might want to, it's important to create a realistic, balanced and workable cyber plan.
Typically, organisations define a two to three year roadmap to methodically address the risk in a controlled and cost-efficient way. A common pitfall for companies at this point is selecting excellent cyber solutions that are not fit for their context. Push your teams to demonstrate specifically how a proposed solution will reduce your company's cyber risk.
So what's the catch? There are a few.


Although cyber crime is a day-to-day issue for many, it is still largely a risk-management activity. This means cyber sits below almost every revenue-generating and regulatory compliance demand on the investment plan. As companies and customers feel more impact from cyber-attacks, this will need to change.


Globally, it's estimated there is a shortage of more than 500,000 cyber professionals, and New Zealand is short on skills as well. If you don't have the people in-house to do this work, you will need to rent the help. This applies at all levels. If the executive or board are not cyber-experienced, get some knowledge onto the team before you really need it.


Cyber capability can be costly but it's worth understanding there are lower-cost ways to address the risk. Cyber awareness and incident response capabilities are good examples of relatively non-technical actions that can make a significant difference without breaking the bank.

As we digitise New Zealand to compete globally, cyber crime is a non-negotiable fact of business life. Customers and shareholders will expect organisations to make a reasonable effort to deal with it.

If you've identified the risks but can't afford to do anything, then doing nothing may be reasonable. On the other hand, if you understand there is a risk and have the means to address it but choose not to, you may be judged more harshly should the worst happen.

In deciding what is reasonable, ask yourself this: after a significant security breach, could I stand up in front of my customers, shareholders and staff and say, "We understood that this could happen and we did what we could to mitigate the risk. We're not happy that this has happened, but because we were prepared, we're dealing with it as best we can"?
The bottom line is that cyber is an endless stream of disappointment for business. This is an important point. If you ever aspire to becoming happy about anything to do with cyber, you're putting yourself in a difficult spot.

A company should view cyber as a gigantic pain. You're forced to spend hundreds of thousands of dollars - even millions - fighting remote criminals against whom you've got no redress. You don't know who they are, or where they are, and even if you did, nobody is going to do anything about it.
So aspire to being less angry and set realistic bars. Making a reasonable effort and managing expectations is the key to getting it right.

Ken Wallace is EY's New Zealand practice leader for Technology Risk and Assurance and a part of its financial services leadership team.