Companies face cyber threats daily, from email scams and phishing to hacks and identity theft – and these attacks are getting increasingly sophisticated. James Kaplan, IT infrastructure and cyber security expert at consultancy McKinsey, explains why information security should be everybody’s business.

Words: Alannah Eames // Photo: iStock

In 2014 there were 42.8 million information security incidents globally, according to The Global State of Information Security Survey by PwC. This means 117 339 cyber attacks every day. Consequently, it is not surprising that security is a hot topic, but what do we really mean when we talk about ‘information security’?

James Kaplan, IT infrastructure and cyber security expert at McKinsey.

“There are different terms: cyber security, information security, IT security, but fundamentally they are all about the same thing. Which is how you protect an organisation from the implications of losing sensitive information and compromises to technology-enabled processes,” says James Kaplan from McKinsey.

Kaplan emphasises that all companies get bombarded by cyber attacks. The good news is that most of the attacks are unsophisticated and we already have good defences against them. Spam and scam emails, better known as ‘Nigerian emails’, are mostly filtered out of our inboxes and people have learnt to recognise them. More worrying is the growing number of sophisticated attacks, such as professional hacks and phishing emails which try to trick the recipient into giving out passwords and other sensitive information.

“We have a much broader and more sophisticated set of hackers than a few years ago,” Kaplan explains. “We have seen a rise of organised crime groups that treat hacking as a business.”

These groups are in it for the money, and they get it by obtaining valuable customer data. And although it might sound like a Bond movie, another growing issue is cyber espionage, where hackers are sponsored by nation states to steal information on innovations, critical infrastructure or even defence strategies. Today there are also ‘hacktivists’ who are not after money but are motivated by political gain.

While these threats are digital, they can have serious consequences in the real world. Kaplan says falling victim to a hack or a scam can cause a company to lose not only money and intellectual property, but also the trust of its customers. This means information security should be considered not only a technical issue, but fundamental business protection.

As cyber attacks get ever more sophisticated, Kaplan says the solution is to move towards ‘digital resilience’ where everything in an organisation is designed with security in mind:

“[Organisations must] fully understand which business risks and information assets are the most important and change the behaviour and mindset of people by helping them understand the value of the data they touch,” explains Kaplan, giving a few examples. “Build the capability to respond to a security breach across business functions. Not just in IT, but across marketing, sales, customer services, etc.”

If you still think information security has nothing to do with you, think again. People are often considered the ‘weakest link’ in security. Not only do we share files and emails with large groups of people, but we click on links we shouldn’t, use weak passwords and connect to fraudulent Wi-Fi hotspots pretending to be McDonald’s or Starbucks. So the next time you open your computer or smartphone, remember Kaplan’s advice:

“Think about with whom you share information and sensitive documents. Think about what you click on and where you connect to the Internet.”