Catastrophic Cyber Risk and Crown Jewels

Released Wednesday, 8th May 2024

Episode Transcript
0:03

If it were measured as a country, then cybercrime would be the world's third largest economy. The financial damage it will inflict is on course to reach $10.5 trillion annually by 2025. The reputational damage to business is immeasurable. The reality is that for companies there's no such thing as zero risk. So is it time that they reframed their thinking around cybercrime?

0:33

I'm Georgie Frost and this is the So What from BCG.

0:35

For the last 10, 15, 20 years in the cyber community we've tried to protect the house. We've put fences up, we've put cameras on, we've put locks on the windows. But guess what? The hackers are getting in. So we have to reframe our thinking. Let's understand what our critical assets are, what our crown jewels are, and over-protect those assets relative to others. And what are crown jewels? They're the ones that are going to cause you the most financial losses, reputational damage, regulatory sanction or other impacts.

1:05

Today I'm talking to Paul O'Rourke, BCG's global cyber security leader.

1:09

The problem's actually getting worse. So we're not actually winning the battle. In many ways we're actually losing the battle. When we actually think of cybercrime, we think of individuals losing money, we think of organisations being hacked, we think of big attacks on governments, and we think of it as a financial impost. Absolutely that's one of the aspects, but it's not the only aspect. And I think that's where organisations particularly and governments are really focused today. Probably one of the biggest ones is what does it do to a company's reputation? What does it do to its brand? Is it an existential threat for that organisation? But there's also other issues. There's regulatory challenges where the regulator might actually challenge the organisation, might actually fine the organisation if they have breaches. And we've seen these numerous times globally. But there's another one that's probably talked of the least, and that's societal impact. Think of electricity grids being hacked and brought down, networks being brought down, banking networks being brought down, and that's probably the biggest area of government focus today and what we call critical infrastructure. How to protect those critical assets, and it's much bigger than what people often think. Critical infrastructure is all those critical services as a society that we use and consume, and all of those are in some ways vulnerable to cyber attack today, and so it's very important we focus on financial losses, it's also very important we think of this as a broader problem as well.

2:26

You speak to leaders across the world, business leaders, government leaders, people, general people and societies. Do we get the message, do we get how serious this is? My instinct says no.

2:41

I speak to many government leaders, organizational leaders around the world. I think everyone gets the problem, and if we look at it in an organizational context, nearly every organization will say this is a top three cyber risk for them, for major organizations. So I think they get it. What they don't get is, so what do we do about it? How do we stop it? How do we mitigate it? How do we balance cyber risk versus our growth strategies and our expansions globally? So in many ways it's a very difficult problem. I often liken cyber to art and science. So when we think of IT we often think of it as an engineering or a science. You diagnose a problem, you put in a solution, you manage the solution and in many ways you triage the problem. Cyber is probably the unique one in this aspect. You diagnose a problem, you put in a solution, you manage the solution and another attack pops up somewhere else. So it's almost the whack-a-gopher, if you know that game, where you're hitting one gopher, you hit it down, another one pops up, and that's really the whole mode of what it is. And I think that's really where the one word I often use with boards and with executives around the world is fatigue.

3:49

What are they doing wrong? What are the weak spots, or is it just we need to be realistic? This is a problem that's probably... never going to be solved?

4:02

I in no way want to come across as defeatist, but I think it's a problem that's here forever because of the very nature of what it is. We have to think of this in a few aspects. One is this is organised crime. This is the most successful organised crime element globally. It's overtaken drugs as the most nefarious criminal element globally. So from that aspect, and you know there's very little legal recourse against attackers in a lot of jurisdictions, so the likelihood of getting caught and convicted is much lower than other criminal elements. So there's that aspect. There is state-sponsored cyber attacks between government to government or government to organisations. We have industrialised spying, so governments or organisations actually seeking trade secrets and things like that from other competitors globally. These aspects are fundamental in the economies globally, and again, without coming across as defeatist, I think we have to learn to live with it. We have to learn to manage it and we have to learn to think about the problem differently.

5:02

So as I said at the start, do companies need to reframe their thinking around cybercrime? So you're suggesting they do. What does that mean? What does that look like?

5:11

Well the very first thing, and it's fairly obvious and intuitive, you can't have a digital economy, you can't have a digitally connected organisation or government departments, and have zero cyber risk. There's a fundamental premise. If it's connected to the internet it's hackable, and I think that's what we have to accept. There's a premise called crown jewels, and let's draw an analogy around the house. For the last 10, 15, 20 years in the cyber community we've tried to protect the house. We've put fences up, we've put cameras on, we've put locks on the windows, but guess what? The hackers are getting in, and they've proven time and time again they're getting in. So if we're losing the battle in some ways against stopping them getting in, then we have to reframe our thinking, and so part of the reframe here is let's understand what our core assets are, what our crown jewels are, and over-protect those assets relative to others. If I can't stop them getting in, I'm going to make sure that my most important elements, it could be jewelry, it could be documents, whatever it is, are in one room. It's over-secured, it's got safes, it's got cameras, it's got other security elements to make it increasingly harder for them to get to those assets. And what are crown jewels? They're the ones that are going to cause you the most financial losses, reputational damage, regulatory sanction or other impacts. And so that's really where we start to rethink of cyber in a relative concept, is we can't stop everything, let's stop the attacks on the most vulnerable assets.

6:39

How, as a leader of an organization, do you decide what losses you are prepared to accept? Because I imagine they will suggest that everything is precious.

6:49

There are some elements, and if we think about it from a bank in the context, customer financial data, core transactional data, M&A data, other sensitive data, they're the sort of elements that are crown jewels. We can get it from an individual aspect, it could be our personal information, often it's photos, things like that. So it's a relativity view. We have to start to think about, if I was attacked, if I lost the information, what's going to cause me the most damage, and that's really what organizations do. The biggest one is always personal financial data, because that's one of the biggest elements, and financial data. So that's where organizations start to protect those assets, but again, Georgie, very difficult to say something's more important than others, because the biggest premise, if you approach it from crown jewels, is to say I accept I will have losses for the year. I accept I will not stop everything. I will accept a certain amount of attacks and I will accept a certain amount of losses. Now working out what that volume is or that level is, is never an easy element.

7:55

What about the human, the staffing, the people play, I guess, which is, and correct me if I'm wrong, but are not the majority of weak spots in cybercrime related to human error? How do you change that?

8:11

Absolutely. I think if we didn't have the people element in cyber, we would largely have fixed the problem by now, but obviously we can't take the people element out of cyber. And that's one of the biggest problems, is we've all been told for 20 plus years, don't plug in, don't click, don't open. But over 70% of all global major attacks are because people clicked, they plugged in, or they opened an attachment. In many ways, we all know what to do. If I ask anyone, should you use the same password on your 100 different systems that you access? Everyone would say no. Should you use more secure passwords? Yes. If I then asked a different question and say, do you follow that? Nearly everyone says no, because it's just too hard. The human element is by far the biggest problem, because that's where the attackers exploit. If I put my black hat on for a moment, if I want to be an attacker, attacking systems is more challenging. Systems are getting much better. The IT environments are getting much stronger. I'll just go after the weakest link. And that is the premise in cyber. Yet you have to protect the weakest link. I'll just go after the people element. I'll send you an email, Georgie, with an attachment. You won't know what's in the attachment. You'll open the attachment. That's the virus or that's the malicious element. It's on your computer. I've then got control. I can do other elements and other attacks. That's the biggest issue we're facing today, is as individuals, we all get the emails, we'll get the texts, we'll get the phone calls. How do we trust all those elements? And a lot of people don't. And that's one of the biggest elements of the cyber breaches.

9:45

Is it not getting so much harder though? I'm thinking in my head about a case where a bank worker was persuaded to transfer many millions of pounds, thought it was from the CEO, went on a Zoom call with lots of staff that he knew, all of them were deepfakes except himself. With things like Gen AI and advanced technology this is gonna get even tougher, isn't it, with the people element particularly?

10:17

We're entering a new realm of attacks. We have the whole area of societal attacks on the critical infrastructure elements I talked on earlier, but we have the new element which is touched on now, which is around the emerging technologies, AI and deepfake. And there's an interesting premise in cyber, is when new technologies come out the attackers tend to adopt it and use it and exploit it much quicker than the community protects those assets. And so the attackers are really good at adopting AI and adopting deepfakes, crypto attacks and other things like that, because again, going back to the same premise of the art and science, is we don't know what attacks are coming in the future. We know the new technologies are there, AI and deepfakes and other ones are both there and emerging, so we have to think through how they'll be used, in what elements, in what environments, against what organizations. The attackers are much faster at that, so I think we're going to enter a realm for the next two or three years where we will see a rapidly escalating attack environment and losses in the market off the back of some of these new technologies.

11:26

How do you prepare then as a business for that, building a strategy for what you know but also for what you don't know will be coming around the corner?

11:35

Well you can't protect what you don't know, or you certainly can't protect what you're not focused on, and I think that's one of the key elements for organizations, is you really have to be aware of where you're at today, but what is the next landscape looking like in the next three to five years? What are those potential elements? If we just take AI as an example, organizations globally are at pace looking to deploy AI, looking at the application of AI in almost all areas of their organization. And I'm in no way saying that they shouldn't do that. I think it's a critical element. It's an enormously impactful technology, but you need to be aware of how it can be exploited as well. We have to balance opportunity, we have to balance growth with the element of risk. And some of these risks, and we touched on them earlier, reputational existential risk in some aspects, financial losses, regulatory sanctions, brand impact. As we adopt new technologies, as we enter new markets, as organizations, as governments again offering new services, we have to think of the use of these technologies both for positive but how they can be exploited as well, and just making sure that we're aware and we're doing everything we can.

12:44

As you keep saying you don't want to be too negative, let's then look at perhaps the positive side of this new technology and where you think it could actually play a positive role.

12:53

Well I think one of the key aspects, and it's a great question, because one of the key aspects of AI is, and I've touched on before, is we're looking for an unknown unknown. We don't know what we're looking for, we don't know where it is, etc. AI is a really enormously impactful technology to actually do that for us. So AI is not only a threat and then attack in some areas, but it's also a hugely impactful cyber technology that can be used by organizations to predict, to detect and in many ways to stop the attacks before they happen. And so this is where I think one of the most exciting elements of cyber at the moment is AI in cyber and our ability to actually help predict, detect, predict and stop those attacks.

13:40

Do you have any examples of good practice when it comes to building a strategy or responding to threats that you see using modern technology?

13:52

Yeah, I think one of the key aspects, and I'll start from the top, is tone from the top. Where a really good example is, is where the board and the executive are fully attuned to the technologies. I'm not saying that they have to be cyber experts, I'm saying aware of what they are, and supportive, and have a really strong, well-balanced view of opportunity and risk, and that actually permeates through the organization. I've seen organizations in a really impactful way understand how to use AI, if I sit from my business side but also from the cyber side, in a way that has driven significant cost reduction in the organization, but also significant impacts in terms of cyber, quality of service and just the ability to detect attacks.

14:40

Supply chain: seeds for cybercrime? What role can companies play here?

14:45

I was waiting for this question, because this is the biggest problem in cyber. Because if we think about cyber, everything I've spoken about is from a government view, from an individual view, from an organization view, is how can I manage what I have? How can I better protect, and putting in protections and detections et cetera. Go into this other really complex issue called supply chain, where I have all these organizations connected to my supply chain. And over fifty percent of all attacks globally come through the supply chain. As an organization, as an example, I can't manage the supply chain, I can't put technology in the supply chain, I can't educate the people, I've got to trust them. Then in many ways where we've been losing the battle I put down to two elements: I touched on the people one before, and it's also the supply chain element, and it's also people in the supply chain, so it compounds. The supply chain is probably the biggest challenge, because if I can't manage the supply chain, if I can't put in technology, if I can't tell them what to do, if I can't even know what they're doing, how do I know when those attacks are going to come through? So we're getting to the softer area of cyber around governance and reporting, communities of interest working together much more. There are some emerging capabilities and technologies, but they're not perfect in many areas. So if I characterised the next two to three years in terms of where the attacks will come from, I think this will be the biggest risk for organizations, and organizations have to get much better at actually protecting this. When I speak to executives, when I speak to governments, many of them put their hands up and say this is the one area we just don't know what to do the most. So you advise them again from a premise: let's go back to the crown jewels. If you have the most vulnerable, the most valuable assets in the organization, and you're allowing third parties to connect to those assets, you are at heightened risk relative to if you actually better protect those assets. That might be the need to put in certain levels or layers of security where people coming in from third parties can access certain areas but can't access other areas of the network, and so we start to get a tiered view of access. There is another emerging technology that I think a lot of organizations are very focused on. Zero trust is really where we start to think of how we start to reframe who has access to our whole environments. And it is a rethink of the whole view of risk and the whole view of how we access and what level of entitlement or access we give to individuals and to third parties. Again, a really exciting technology, and again is something that will probably be front and center for the next two to three years.

17:30

I imagine as a result of this we will get greater regulation coming through, or new regulation. That's another thing that companies need to be prepared for. How do they have to deal with that?

17:44

I suppose as regulation has chased the attack vectors, the regulators and governments have got very smart now. And I touched on before a view of tone from the top, which is making sure the executives and board are very behind cyber; that's where the regulation is going to. It's not at the organizational level, it's at an executive and board director level, to actually make directors and executives liable in the event of a breach. We have to make sure that the organization at the top, tone from the top, gets the right support, gives the right investment, gives the right capability and support to the organization to protect the assets, and if they don't, they'll face regulatory sanction, they'll face director liability in some cases, and some very draconian sanctions, not just financial.

18:30

Finally, get your crystal ball out for me. What does the future in the space look like?

18:34

Again, I in no way want to be defeatist, but I think the next two to three years is going to be really tough in cyber, and I'm very hopeful that AI will provide the next view of protection for organizations, but having been in cyber for 25 years, I have seen a lot of new technologies come that have the promise of being the panacea to the attacks, and in some ways they helped, but then new attacks arose. And so I think in many ways we have to learn to live with it, but the most positive element I think we can look at here is the adoption of technology and people's recognition that we have to do something differently, because it's got to the stage where everyone is aware that we have to do something differently. So in a positive way I hope, and in many ways believe, that people will start to take this more seriously.

19:20

But two to three years, Paul, so if you don't have a strategy, get your skates on.

19:26

Absolutely, get your skates on. Absolutely accept that it's a risk, it's a heightened risk for the next two to three years at least, and the impact can be significant if you get it wrong. And maybe just one other message: accept that it is a major issue, but also accept it's inevitable that it will happen, and be prepared. What are we going to do when it happens? And more than probably planning, absolutely put into place, practice it, and many organisations do this and they do a very good job of it, of scenario planning, actually going through real-life scenarios. How am I going to do? How am I going to respond? What am I gonna do? How do I talk to my customers? Do I pay the ransom? All those sorts of issues. And as I've often said to boards, a cyberattack is not the time to learn all these elements. You need muscle memory. You need to know what to do, who does what, at what frequency and at what level, well before the attack happens, and when it does, you're prepared through the muscle memory.

20:23

Paul, thank you so much, and you for listening. We'd love to know your thoughts, get in contact, leave a message at the So What at bcg.com or cast when I am I think wacky how some people.
