Information Security Trends that Maximize Competitive Advantage

An Ankura Research Report

October 25, 2018

Introduction

We asked more than 350 general counsel, outside counsel, and technology professionals around the globe about their approach to safeguarding critical business information. Most agreed that a proactive approach to setting up the processes, systems, and services required to minimize risks is the right way forward. Read more to learn about the steps you can take to improve your information security risk profile.

Key Findings

  1. 47% of respondents feel they are proactive in their approach to cybersecurity.
  2. 81% of all respondents expect to improve their risk profile in 2018.
  3. Respondents rank data management and threat detection and response software as the most useful tools.
  4. Unauthorized access, disruption, and destruction pose significant risks to business.

The information held by businesses is the lifeblood of all operational decision-making, including innovation, competitiveness in the marketplace, and trust with customers, third parties and regulators.

The ability of every business to keep their information secure is therefore vital to their long-term success.

Cybersecurity

Cybersecurity is the term used to describe the security measures put in place to protect information technology (IT) infrastructure such as personal computers, personal devices, servers, and databases. Robust cybersecurity enables businesses to depend upon their IT systems’ ability to reach the marketplace.

Information Security (InfoSec)

InfoSec is a broader term than cybersecurity. InfoSec encompasses all the risks to all the information held by a business. In particular, it places great importance on maintaining the confidentiality, integrity, and availability of information.

This holistic approach to security includes keeping paper documents, intellectual property, personal information, and financial details confidential; preventing outsiders from accessing, disrupting, or destroying data; and keeping information available to those inside and outside a company who need it.

The threats to business information can result from disgruntled employees, hackers breaking into information systems, the theft of intellectual property, and ransomware.

It is possible to address each of these threats using a variety of countermeasures such as strengthening administrative control, segmenting or backing up databases, and encrypting information so that only designated people can see it.

Human Error/Failure

Many threats to InfoSec originate from human error.

During our interview with Mark Camillo, head of Cyber, Europe, Middle East, and Africa at AIG, he advised: “In most cases, a cyber liability claim is triggered by a human failure. These failures might include clicking on a link that introduces malware to an IT system, making a coding mistake, or inadvertently sending an email to the wrong person. Hacking and human error are probably the two biggest causes of loss that we see.”

It therefore makes sense to minimize the scope for human error or failure through training and raising awareness and to support this effort by investing in some of the latest technologies that add protection against specific threats. 

Global Threats

With the advent of the digital information age, a high proportion of the information that a business holds may be accessible from anywhere in the world via the internet. This greatly increases convenience and day-to-day productivity, but also opens up corporate computer systems to global threats such as hackers, viruses, denial of service attacks, ransomware, identity theft, and other unauthorized attacks.

These diverse threats are constantly mutating and can impose real costs on both individuals and businesses.

Three Examples of Threats to Business Information:

  1. Ransomware can cripple a business after a single person innocently clicks on malware hidden within a social media link. Hundreds of workers can subsequently lose access to their networked computers until a ransom has been paid in an obscure cryptocurrency.
  2. Personal healthcare identification or personal identifiable information, such as a date of birth or Social Security number, can also be stolen and used to create false identities, which are then used in frauds or to facilitate various forms of criminality. Unless businesses are well prepared, customers can unknowingly suffer identity theft and be financially impacted by it through no fault of their own.
  3. Cloud application services provide organizations with key advantages from a cost, ease of implementation, and access perspective, but also create opportunities for unauthorized third parties to easily access data. Organizations must properly secure cloud applications to ensure that they maintain a high level of security. They cannot rely on the cloud service provider to perform this function.

Risk Profile

When a business wants to improve their information security, it makes sense to start by evaluating the cyber risks they face and understanding their risk profile.

They can then develop security measures that are proportionate to the size of their company, the value of their trade secrets, and risks facing their geographic location.

Threat Responses

Internally, businesses can ensure that they use ‘endpoint monitors’ to regularly assess the state of network devices (endpoints) by monitoring their status, activities, software, authorization, and authentication.

A business can also hire external specialists to provide the latest expertise and services, which may not exist within their own business. For example, penetration testing companies can be hired to infiltrate computer systems, without assistance, and to inform businesses of where and how they are vulnerable.

These penetration testing companies can also be rotated, so that different attack strategies and tactics can be tried and defenses kept up to date.

Artificial Intelligence

Over the past few years, new information security tools and services have been developed that make it possible to use computer-based machine learning, deep learning, and other forms of artificial intelligence (AI) to identify threats and respond to many of them automatically.

As Stephen Allen, the Global Head of Legal Service Delivery at Hogan Lovells, highlighted in our interview:

“Machines will always be quicker than humans at spotting potential trends because they can review vast amounts of data. Where humans beat AI is in their ability to make genuine experienced-based judgments.”

This observation suggests that ongoing integration of humans and technology will be an important trend in the years ahead, and likely to play an increasingly sophisticated and subtle role in enhancing the scale of information security that can be undertaken by emerging legal technologies. Humans will be liberated to think creatively and strategically about the evolving threats that may need to be countered and the business opportunities associated with maintaining top-notch information security.

Survey Demographics

The analysis we provide in this report has been derived from an international survey of 351 senior legal and technology professionals, from across a broad range of industries, with annual revenues ranging from $100 million to over $5 billion.

Please see a full summary of the survey’s demographics and interviewees at the end of this report.

Securing Your Information: Approach and Tools for Defense

One of the best defenses for businesses that want to keep their information secure is to be proactive in setting up the processes, systems, and services required to minimize risks.

Proactive Approach to Cybersecurity

It is important for businesses to adopt a proactive stance when it comes to keeping information secure, and to do all that they sensibly can to identify and assess any vulnerability before hackers or rivals can exploit them.

In our survey, 47% of all respondents think their businesses have a proactive approach to cybersecurity. These companies not only have a competitive advantage over rivals, but also are better able to ensure the smooth running of their own business. This is a positive sign, but also means that half of the businesses that our respondents work for are waiting for a cyber-related problem to occur rather than trying to prevent it.

Do you think your business cybersecurity approach is proactive or reactive?

Bar chart showing business cybersecurity approach.

Degrees of Proactiveness

When we further examine the results, we find that of the proactive respondents, 61% are continuously updating their cybersecurity. Of the remaining 39%, only a quarter are waiting 7-12 months before updating, with the rest continuing to update every 1-6 months. These are encouraging signs that companies are taking the threat of cyber disturbance seriously, but still leave open the need to be reactive if an attack falls between the gap in updates.

How often does your business update its cybersecurity?

Bar chart showing how often businesses update their cybersecurity.

Reactive Approach to Cybersecurity

It is often difficult to appreciate the value of backing up important databases or investing in information security until a data breach has occurred.

Unfortunately, once information about a game-changing invention or new business model has been stolen, it is likely too late to put things right. You can spend money now, or you can lose a lot more later. Regardless, you will still have to invest in cybersecurity.

Interestingly, of the respondents that tell us their business is reactive when it comes to updating their cybersecurity, over three-quarters (76%) appear to be updating their cybersecurity on a yearly basis.

This overall result suggests that many of the more reactive businesses are still signing up for third-party services. If these services are of sufficiently high quality, then it may suffice, but clearly there is room for greater engagement and improvement.

The 22% of reactive respondents who say their business is updating cybersecurity sporadically are at elevated risk and perhaps feel that they are less of a target due to size or importance.

The 1% of respondents from businesses in the United States and 2% in the UK that are waiting until after security breaches are at great risk; given the lack of any kind of contingency plan, they would most likely suffer severely in the event of an attack.

Do you think your business cybersecurity approach is proactive or reactive?

Bar chart showing percentage of businesses that are reactive about cybersecurity.

Do you think your business will improve its information security risk profile in 2018?

Information Security: Risk Profiles

On a very positive note, when we asked our respondents if they think their business will improve its information security risk profile during 2018, a massive 81% answered in the affirmative. This is encouraging and shows that information security is climbing up their decision-makers’ list of priorities.

It is understandable that businesses are hesitant to spend, in some cases, large sums of money on security measures that are difficult to value financially (without a breach occurring) and may only be briefly effective before becoming outdated. However, a breach has the potential to paralyze a company, which would not only cause operational and financial losses in the immediate term but also, perhaps more importantly over the long term, have a reputational impact.

Businesses need to build a reputation that at the very least ensures they are not viewed as a cyber risk.

Reinforcing a strong ‘we are prepared’ message can be achieved by undertaking regular cyber attack tests and familiarizing all staff with the information security tools, plans, and procedures for coping with different types of data breaches.

Cyber Risk Insurance

Cyber risk insurance has become a growth industry as businesses have become more aware of the costs of data breaches. Mark Camillo told us: “AIG provides 24/7 support. Within one hour of a call, we can provide companies with access to forensics, legal, PR if they need it, and also cyber extortion / crisis expertise. We do that even without a retention. For the first 48 / 72 hours, we’re paying for this, because we want to contain the problem quickly. Ideally, we want to minimize the impact and have the insured back up and running as quickly as possible.”

Shay Simkin, CEO of Howden Insurance Brokers, added that different cyber risks can be insured: “Most policies are very wide and cover three main segments: first-party costs — costs caused by problems such as business interruption, data restoration, and extortion; third-party costs — which can include claims brought against a firm by those affected by its breach; and finally, instant-response costs — those expenses that directly relate to an incident, such as technological support and public relations costs.”

According to Simkin, the process of applying for cyber risk insurance can be quite helpful, even if a claim is never made: “For insurance policies worth between $3 million and $5 million, an applicant would probably need to fill out a basic questionnaire, which includes around 25–30 questions. These questions would focus on the firm’s procedures in relation to cyber or information security.

“To obtain cover worth between $5 million and $15 million, an applicant would need to supply much more information. For example, they may need to show that they have performed a penetration test, have a business continuity and disaster recovery plan in place — which is tested, and have educated their employees about common cyber threats, such as phishing attacks.

“Firms who need more than $30 million of cover are entering a very different territory and would be expected to provide a lot of information. Some underwriters may also ask to speak to a firm face-to-face.”

10 Steps to Information Security

Chart showing ten steps to information security:

  1. Risk assessment
  2. Data inventory
  3. Plan for data breach
  4. Info-safe culture
  5. Two-factor authentication
  6. Role-based access
  7. Personal data use rules
  8. Data backup and recovery
  9. Cyber risk insurance
  10. Segment data

Crisis Management

Another growth area is providing a crisis management advisory service to businesses after a data breach. Jonathan Hawker, a director at Slate Campaigns, recommended the following under such circumstances: “All communication must be informed. Never speak without facts and a position. Speed is important, but accuracy is more important. Anyone who communicates in a crisis without making a concerted effort to get to the bottom of the situation — as far as possible — is taking an enormous risk of being exposed later on in the process. Getting hold of the correct information is more important than the race to communicate.

“It also helps to have a solution-focused rather than blame-focused culture and to make your mistakes in private through a properly conducted training session.”

Types of Information Security Breach

When information security breaches occur they can cause different types of harm. At one extreme, breaches can result in the unauthorized destruction of data, and in our survey 33% of respondents named this as their top concern. Unauthorized disruption, such as data systems no longer working, can also be very serious and is highlighted by 24% of respondents as their top priority. Unauthorized disclosure, such as the inappropriate sharing of confidential information, is seen as similarly important by 22%.

The most surprising result for this survey question was that only 21% of our respondents prioritize unauthorized access above everything else.

In reality, a hacker stealing intellectual property, such as the new design of a jet engine, can cost billions of dollars and be catastrophic for the very largest businesses.

These results suggest that there is a gap between the perception of what matters and the reality of what actually matters, something for businesses to be aware of if they are serious about effectively protecting their most important information.

In order of importance, which information security breach would be of most concern to you?

Chart showing which security breach would be of higher importance.

Information Security Tools

When it comes to the information security tools that would help companies the most, data management and threat detection and response software come out on top.

Data management is highlighted by 33% of respondents and involves collecting, structuring, and storing data efficiently. Now that so much data is being generated by businesses of all kinds, it is vital that systems are designed to handle ‘big data’ and standardized so that it is easy for them to interact with each other, and be upgraded, as smoothly as possible.

Threat detection and response software is the next information security tool that respondents highlight (24%). This reflects the importance of responding to threats quickly and solving problems before they can spread and compromise data, as well as the need to match appropriate responses to specific threats.

Mobile and cloud security (20%) are becoming more important. Multiple tools are available to provide these forms of security, but many businesses drastically underestimate the effort to implement and maintain them.

Mobile and cloud security (20%), risk assessment (12%), and identity management (11%) do not rank as being as helpful, and this again may indicate the difficulty associated with deciding which tools to invest in first.

Often, risk assessment is under-valued, as it can be viewed as boring or a distraction, despite areas such as identity management being where many problems actually arise.

Which information security tool would help your company the most today?

Pie chart showing a breakdown of information security tools.

Conclusions

Information security is one of the top risks facing every type of business. To have genuinely strong information security, the basic foundations need to be sound and a sequence of preparatory steps is worth taking before any data breaches can occur. Some important information security steps, such as staff vigilance, do not cost money and yet are invaluable.

Businesses that want to become more proactive with their information security should create an ‘info-safe’ culture for their staff by providing high-quality training and putting in place the human processes and systems necessary to keep information secure as a matter of course. Technologies can also help to prevent threats from compromising information security by responding to threats automatically and effectively when they do arise and notifying the appropriate staff.

In most instances, businesses will have to solve the problems that arise from data breaches within 24 hours. It is therefore important to have a thorough plan in place and to train staff, so everyone knows their role no matter the type of attack.

In many cases, businesses only discover how poorly prepared they are when they are under immense time and financial pressure. Clearly, it is better to think through the costs and consequences of data breaches before they happen, even when there are strong pressures to deal with more day-to-day concerns.

Final Recommendations

  1. Businesses need to be aware of and honest about vulnerabilities and proactively monitor and enhance their information security.
  2. Consider creating a program of continuous investment in information security and ensure a plan is in place to cope with unexpected data breaches.
  3. New cybersecurity tools and ‘info-safe’ cultures are necessary to protect information held by companies. Utilizing information security measures that are free is a minimum safeguard.
  4. Robust cyber risk insurance and a proactive crisis communications strategy help a business to cope in the event of a data breach.
  5. Effective cybersecurity involves adopting an enterprise risk management methodology that encompasses not only technology but also the equally important people and policy aspects of cybersecurity.

Appendix: Survey Demographics

The analysis we provide in this report has been derived from an international survey of 351 senior legal and technology professionals, from across a broad range of industries, with annual revenues ranging from $100 million to over $5 billion.

Approximately 60% of the respondents to this report’s survey come from the US, with 30% coming from the UK and 5% each from Canada and the Middle East.

Please indicate the location of your workplace.

Map showing percentage of participants by location.

Approximately 15% of the survey’s respondents come from the financial services and insurance industries, with a further 14% coming from the telecommunications and IT community, 11% from legal firms and 11% from retail. Smaller but notable percentages of the respondents come from manufacturing (10%), energy, utilities and waste management (9%), healthcare and pharmaceuticals (9%), the public sector (7%), construction (6%), agriculture (5%), and the media and leisure industries (3%).

Please confirm the industry of your business.

Chart breaking down the industry of survey participants.

Respondents were asked a screening question about the size of their global annual revenues, and only asked further questions if the answer was in the $100 million to over $5 billion range.

Can you please indicate the global annual revenue for your organization?

Pie chart indicating industry size in dollar value of survey participants.

General Counsels make up over a third of our respondents (34%), but a variety of other legal and technology roles associated with the delivery of high-tech legal services have also been well sampled, as can be seen below.

Other legal professionals, such as Heads of Legal, Senior Counsel, and Staff Attorneys (9%) and e-Discovery Counsel, Lawyers, Associates, and Directors, play important roles in the uptake of the latest legal technologies, so we think it is important to consider the views of different levels of seniority and specialist roles likely to be both heavy users and recipients of new technologies.

On the technology side, professionals such as CTOs (16%) and the Heads of Machine Learning and Analytics (5%), directly or indirectly responsible for the delivery of legal services within business, also offer a valuable perspective.

The responses of these two important groups have made it possible to compare and contrast the views and experiences of those responsible for the practical adoption and delivery of LegalTech with those that are more focused on the legal requirements of end users.

Can you please confirm the job title you hold at your organization?

Chart indicating titles of survey participants.

Overall, approximately 55% of our respondents consider themselves to have a direct role in the legal work their company undertakes, while 45% consider themselves to have an indirect role, functioning more as facilitators.

Are you directly or indirectly involved in legal work in your company?

Pie chart indicating involvement of survey participants in legal work at their respective companies.

Contact

Robert Olsen

Senior Managing Director
robert.olsen@ankura.com