Episode Transcript
0:03
If it were measured as a country, then cybercrime would be the world's third largest economy. The financial damage it will inflict is on course to reach $10.5 trillion annually by 2025. The reputational damage to business is immeasurable. The reality is that for companies there's no such thing as zero risk. So is it time that they reframed their thinking around cybercrime?
0:33
I'm Georgie Frost and this is the So What from BCG.

0:35
For the last 10, 15, 20 years in the cyber community we've tried to protect the house. We've put fences up, we've put cameras on, we've put locks on the windows. But guess what? The hackers are getting in. So we have to reframe our thinking. Let's understand what our critical assets are, what our crown jewels are, and over protect those assets relative to others. And what are crown jewels? They're the ones that are going to cause you the most financial losses, reputational damage, regulatory sanction or other impacts.

1:05
Today I'm talking to Paul O'Rourke, BCG's global cyber security leader.

1:09
The problem's actually getting worse. So we're not actually winning the battle. In many ways we're actually losing the battle. When we actually think of cybercrime, we think of individuals losing money, we think of organisations being hacked, we think of bigger attacks on governments, and we think of it as a financial impost. Absolutely that's one of the aspects, but it's not the only aspect. And I think that's where organisations particularly and governments are really focused today. Probably one of the biggest ones is what does it do to a company's reputation? What does it do to its brand? Is it an existential threat for that organisation? But there's also other issues. There's regulatory challenges where the regulator might actually challenge the organisation, might actually fine the organisation if they have breaches. And we've seen these numerous times globally. But there's another one that's probably talked of the least and that's societal impact. Think of electricity grids being hacked and brought down, networks being brought down, banking networks being brought down, and that's probably the biggest area of government focus today and what we call critical infrastructure. How to protect those critical assets, and it's much bigger than what people think often. Critical infrastructure is all those critical services as a society that we use and consume, and all of those are in some ways vulnerable to cyber attack today, and so it's very important we focus on financial losses, it's also very important we think of this as a broader problem as well.

2:26
You speak to leaders across the world, business leaders, government leaders, people, general people and societies, do we get the message, do we get how serious this is? My instinct says no.
2:41
I speak to many government leaders, organizational leaders around the world, I think everyone gets the problem, and if we look at it in an organizational context nearly every organization will say this is a top three cyber risk for them, for major organizations. So I think they get it, what they don't get is so what do we do about it? How do we stop it? How do we mitigate it? How do we balance cyber risk versus our growth strategies and our expansions globally? So in many ways it's a very difficult problem. I often liken cyber to art and science, so when we think of IT we often think of it as an engineering or a science. You diagnose a problem, you put in a solution, you manage the solution and in many ways you triage the problem. Cyber is probably the unique one in this aspect. You diagnose a problem, you put in a solution, you manage the solution and another attack pops up somewhere else. So it's almost whack-a-gopher, if you know that game where you're hitting one gopher, you hit it down, another one pops up, and that's really the whole mode of what it is, and I think that's really where I think that the one word I often use with boards and with executives around the world is fatigue.

3:49
What are they doing wrong? What are the weak spots, or is it just we need to be realistic? This is a problem that's probably... never going to be solved?
4:02
I in no way want to come across as defeatist, but I think it's a problem that's here forever because of the very nature of what it is. We have to think of this in a few aspects. One is this is organised crime. This is the most successful organised crime element globally. It's overtaken drugs as the most nefarious criminal element globally. So from that aspect, and you know there's very little legal recourse against attackers in a lot of jurisdictions. So the likelihood of getting caught and convicted is much lower than other criminal elements. So there's that aspect. There is state-sponsored cyber attacks between government to government or government to organisations. We have industrialised spying, so governments or organisations actually seeking trade secrets and things like that from other competitors globally. These aspects are fundamental in the economies globally and again, without coming across as defeatist, I think we have to learn to live with it. We have to learn to manage it and we have to learn to think about the problem differently.

5:02
So as I said at the start, do companies need to reframe their thinking around cybercrime? So you're suggesting they do. What does that mean? What does that look like?

5:11
Well the very first thing, and it's fairly obvious and intuitive, you can't have a digital economy. You can't have a digitally connected organisation or government departments and have zero cyber risk. There's a fundamental premise. If it's connected to the internet it's hackable, and I think that's what we have to accept. There's a premise called crown jewels and let's draw an analogy around the house. For the last 10, 15, 20 years in the cyber community we've tried to protect the house. We've put fences up, we've put cameras on, we've put locks on the windows, but guess what? The hackers are getting in, and they've proven time and time again they're getting in. So if we're losing the battle in some ways against stopping them getting in, then we have to reframe our thinking, and so part of the reframe here is let's understand what our core assets are, what our crown jewels are, and over protect those assets relative to others. If I can't stop them getting in, I'm going to make sure that my most important elements, it could be jewelry, it could be documents, whatever it is, are in one room, it's over secured, it's got safes, it's got cameras, it's got other security elements to make it increasingly harder for them to get to those assets. And what are crown jewels? They're the ones that are going to cause you the most financial losses, reputational damage, regulatory sanction or other impacts. And so that's really where we start to rethink cyber in a relative concept, is we can't stop everything, let's stop the attacks on the most vulnerable assets.

6:39
How, as a leader in an organization, do you decide what losses you are prepared to accept, because I imagine they will suggest that everything is precious?

6:52
There are some elements, and if we think about it from a bank in the context, customer financial data, core transactional data, M&A data, other sensitive data, they're the sort of elements that are crown jewels. We can get it from an individual aspect, it could be our personal information, often it's photos, things like that. So it's a relativity view, we have to start to think about if I was attacked, if I lost the information, what's going to cause me the most damage, and that's really what organizations do. The biggest one is always personal financial data, because that's one of the biggest elements, and financial data. So that's where organizations start to protect those assets, but again Georgie, very difficult to say something's more important than others, because the biggest premise, if you approach it from crown jewels, is to say I accept I will have losses for the year. I accept I will not stop everything. I will accept a certain amount of attacks and I will accept a certain amount of losses. Now working out what that volume is or that level is is never an easy element.

7:55
What about the human, the staffing, the people play, I guess, which is, and correct me if I'm wrong, but are not the majority of weak spots in cybercrime related to human error? How do you change that?

8:11
Absolutely. I think if we didn't have the people element in cyber, we would have largely fixed the problem by now, but obviously we can't take the people element out of cyber. And that's one of the biggest problems, is we've all been told for 20 plus years, don't plug in, don't click, don't open. But over 70% of all global major attacks are because people clicked, they plugged in, or they opened an attachment. In many ways, we all know what to do. If I ask anyone, should you use the same password on your 100 different systems that you access? Everyone would say no. Should you use more secure passwords? Yes. If I then asked a different question and say, do you follow that? Nearly everyone says no, because it's just too hard. The human element is by far the biggest problem, because that's where the attackers exploit. If I put my black hat on for a moment, if I want to be an attacker, attacking systems is more challenging. Systems are getting much better. The IT environments are getting much stronger. I'll just go after the weakest link. And that is the premise in cyber. Yet you have to protect the weakest link. I'll just go after the people element. I'll send you an email, Georgie, with an attachment. You won't know what's in the attachment. You'll open the attachment. That's the virus or that's the malicious element. It's on your computer. I've then got control. I can do other elements and other attacks. That's the biggest issue we're facing today, is as individuals, we all get the emails, we'll get the texts, we'll get the phone calls. How do we trust all those elements? And a lot of people don't. And that's one of the biggest elements of the cyber breaches.

9:45
Is it not getting so much harder though? I'm thinking in my head about a case where a bank worker was persuaded to transfer many millions of pounds, thought it was from the CEO, went on a Zoom call with lots of staff that he knew, all of them were deepfakes except himself. With things like Gen AI and advanced technology this is gonna get even tougher, isn't it, with the people element particularly.

10:17
We're entering a new realm of attacks. We have the whole area of societal attacks on the critical infrastructure elements I talked on earlier, but we have the new element which is touched on now, which is around the emerging technologies, AI and deepfake, and there's an interesting premise in cyber, is when new technologies come out the attackers tend to adopt it and use it and exploit it much quicker than the community protects those assets, and so the attackers are really good at adopting AI and adopting deepfakes, crypto attacks and other things like that, because again going back to the same premise, is the art and science, is we don't know what attacks are coming in the future. We know the new technologies are there, AI and deepfakes and other ones are both there and emerging, is we have to think through how they'll be used, in what elements, in what environments, against what organizations. The attackers are much faster at that, so I think we're going to enter a realm for the next two or three years where we will see a rapidly escalating attack environment and losses in the market off the back of some of these new technologies.

11:26
How do you prepare them as a business for that, building a strategy for what you know but also for what you don't know will be coming around the corner?

11:35
Well you can't protect what you don't know, or you certainly can't protect what you're not focused on, and I think that that's one of the key elements for organizations, is you really have to be aware of where you're at today, but what is the next landscape looking like in the next three to five years, what are those potential elements. If we just take AI as an example, organizations globally are at pace looking to deploy AI, looking at the application of AI in almost all areas of their organization. And I'm in no way saying that they shouldn't do that. I think it's a critical element. It's an enormously impactful technology, but you need to be aware of how it can be exploited as well. We have to balance opportunity, we have to balance growth with the element of risk. And some of these risks, and we touched on them earlier, reputational existential risk in some aspects, financial losses, regulatory sanctions, brand impact. As we adopt new technologies, as we enter new markets, as organizations, as governments again offering new services, we have to think of the use of these technologies both for positive but how they can be exploited as well, and just making sure that we're aware and we're doing everything we can.

12:44
As you keep saying you don't want to be too negative, let's then look at perhaps the positive side of this new technology and where you think it could actually play a positive role.

12:53
Well I think one of the key aspects, and it's a great question, because one of the key aspects of AI, and I've touched on before, is we're looking for an unknown unknown. We don't know what we're looking for, we don't know where it is, etc. AI is a really enormously impactful technology to actually do that for us. So AI is not only a threat and an attack in some areas, but it's also a hugely impactful cyber technology that can be used by organizations to predict, to detect and in many ways to stop the attacks before they happen. And so this is where I think one of the most exciting elements of cyber at the moment is AI in cyber and our ability to actually help predict, detect and stop those attacks.

13:40
Do you have any examples of good practice when it comes to building a strategy or responding to threats that you see using modern technology?
13:52
Yeah I think one of the key aspects, and I'll start from the top, is tone from the top. Where a really good example is where the board and the executive are fully attuned to the technologies. I'm not saying that they need to be cyber experts, I'm saying aware of what they are, and supportive, and have a really strong, well-balanced view of opportunity and risk, and that actually permeates through the organization. I've seen organizations in a really impactful way understand how to use AI, if I sit for my business, but also from side to side, in a way that's driven significant cost reduction in the organization, but also significant impacts in terms of cyber, quality of service and just the ability to detect attacks.

14:38
I don't want to skip supply chain for cybercrime. What role do companies play here?
14:45
I was waiting for this question, because this is the biggest problem in cyber, and because if we think about cyber, everything I've spoken about is from a government view, from an individual view, from an organization view, is how can I manage what I've got. How can I better protect and put in protections and detections et cetera. Go into this other really complex issue called supply chain, where I have all these organizations connected to my supply chain. And over fifty percent of all attacks globally come through the supply chain. As an organization, as an example, I can't manage this. I can't put technology in the supply chain, I can't educate the people, I've got to trust them. And then in many ways, where we've been losing the battle, we primarily attributed it to two elements, I touched on the people one before, and it's also the supply chain element, and it's also people in the supply chain, so it compounds. The supply chain is probably the biggest challenge, because if I can't manage the supply chain, if I can't put in technology, if I can't tell them what to do, if I can't even know what they're doing, how do I know when those attacks are going to come through? So we're getting to the softer area of cyber around governance and reporting, your own communities of interest working together much more. There are some emerging capabilities and technologies, but they're not perfect in many areas. If I characterized the next two to three years in terms of where the attacks will come from, I think this will be the biggest risk for organizations, and organizations have to get much better at actually protecting this. When I speak to executives, when I speak to governments, many of them put their hands up and say this is the one area we just don't know what to do the most.

16:27
So you advise them, again from a premise, is let's go back to the crown jewels. If you have the most vulnerable, the most valuable assets of the organization, and you're allowing third parties to connect to those assets, you are at heightened risk relative to if you actually better protect those assets. That might be the need to put in certain levels or layers of security where people coming in from third parties can access certain areas but can't access other areas of the network, and so we start to get a tiered view of access. There is another emerging technology that I think a lot of organizations are very focused on, zero trust, which is really where we start to think of how we sort of reframe who has access to our whole environments. And it is a rethink of the whole view of risk and the whole view of how we access and what level of entitlement to access we give to individuals and to third parties. Again, a really exciting technology, and I think it is something that will probably be front and center for the next two to three years.

17:32
I imagine as a result of this we will get greater regulation coming through, or new regulation. That's another thing that companies need to be prepared for. How do they have to deal with that?

17:44
I suppose regulation has chased the attack vectors, but the regulators and governments have got very smart now. And as I said before on a view of tone from the top, which is making sure the executives and board are very behind cyber, that's where the regulation is going to. It's not today at an organizational level, it's at an executive and board director level, to actually make directors and executives liable in the event of a breach. We have to make sure that the organization at the top, tone from the top, gets the right support, gives the right investment, gives the right capability and support to the organization to protect the assets, and if they don't, they'll face regulatory sanction, they'll face director liability in some cases and some very draconian sanctions, not just financial.
18:30
Finally, get your crystal ball out for me, what does the future in the space look like?

18:34
Again, in no way do I want to be defeatist, but I think the next two to three years is going to be really tough in cyber, and I'm very hopeful that AI will provide the next view of protection for organizations, but having been in cyber for 25 years, I have seen a lot of new technologies come that have the promise of being the panacea to the attacks, and in some ways they helped but then new attacks arose, and so I think in many ways we have to learn to live with it, but the most positive element I think we can look at here is the adoption of technology and people's recognition that we have to do something differently, because it's got to the stage where everyone is aware that we have to do something differently. So in a positive way I hope, and in many ways believe, that people will start to take this more seriously.

19:20
But two to three years, Paul, so if you don't have a strategy, get your skates on.

19:26
Absolutely get your skates on, absolutely accept that it's a risk, it's a heightened risk for the next two to three years at least, and the impact can be significant if you get it wrong, and maybe just one other message, accept that it is a major issue, but also accept it's inevitable that it will happen, and be prepared: what are we going to do when it happens, and more than probably planning, absolutely put it into place, practice it, and many organisations do this and they do a very good job of it, of scenario planning, actually going through real-life scenarios. How am I going to do? How am I going to respond? What am I gonna do? How do I talk to my customers? Do I pay the ransom? All those sorts of issues, and I often cite to boards a cyberattack is not the time to learn all these elements. You need muscle memory. You need to know what to do, who does it, at what frequency and at what level, well before the attack happens, and when it does, pretty much through the muscle memory.
20:26
Thank you so much, and thank you for listening. We'd love to know your thoughts, and to contact us, leave a message at the So What at bcg.com.