Most businesses understand the normal risks of competition, and an increasing number have sophisticated financial and operational risk management functions. A few may even be alive to the threat of industrial espionage.
Cyber-risk – or information security risk – is different. It arises from the hostile actions of human attackers bent on disabling or defrauding their targets. Few non-financial companies have had much experience of defending themselves against deliberate, intelligent and evolving threats. Banks of course have.
Unlike almost every other private-sector business, banks are used to being attacked. But, as one bank chief information security officer (CISO) puts it: “Banks have always been in the crosshairs. Yes, today it’s ransomware and digital attacks, but previously it was paper-based cheque and mortgage fraud and even guys with guns. So it’s baked into our DNA that we are a target.”
However, as the former CISO for corporate functions and trading at a large oil company, who is shortly to move to one of the big four UK clearers, points out: “One difference between the cyberworld and the physical world is that the cyberworld evolves 1,000 times faster – so the time in which you have to understand and keep up with the threats is tiny compared to other operational risks.