Why security needs to be part of business strategy


There are very few business strategies where the actual objective is that nothing happens. How do you measure success when success means that nothing has occurred? How do you get people's attention when there seem to be more immediate challenges, such as hitting sales targets?

Some years ago, I was discussing this dilemma with the Head of Counter Terrorism in the Metropolitan Police. The challenge was how do you communicate that you are doing a good job when nobody knows what you are doing.

How do you get people to be concerned about security if they don't even know that there is a threat or where that threat is coming from?

Historically, in the retail automotive industry, that attitude seemed to persist. There was a begrudging acceptance of the need for GDPR compliance, with organisations being more careful about what is left lying around or displayed on computer screens.

The situation has changed dramatically. Security is now an important priority for companies in our sector.

LSH Auto UK, Holdcroft Groups and Pendragon have all suffered cyber-attacks, and that has been followed by the recent data breach at Arnold Clark.

Why is this happening to car retailers? The fundamental reason is that the motor industry holds so much more personal data than other industries. Buying a car or entering into a finance agreement involves identity verification as well as the usual bank account details, employment status, income, home address, telephone number and email details. For a hacker who wants to hold a company to ransom, this is a very attractive target: the quantity and quality of the data make it a very valuable commodity.

Many companies see this only as an IT issue. They delegate the responsibility to cyber security specialists either inside or outside the organisation. The problem with this approach is that it fails to view the problem holistically. The human element comes into play either through carelessness or deliberate intent within the company. I have argued that, especially in the world of connected cars, one of the weak points in the security system is when the car is at a dealership and is being serviced. It's a bit like handing your laptop over with all the passwords to a stranger and hoping that it comes back without any data being downloaded. I have been arguing for some time that we need to do more detailed background checks and include security training as a fundamental part of any induction programme.

Security is a bit like safeguarding in schools. If you are fortunate enough to become a Governor of a local school, one of the mandatory courses you have to do is safeguarding, and the message is that safeguarding children is a whole-school activity. It cannot be delegated to a 'Safeguarding Lead'; everyone is involved in keeping the children safe. Security in business is similar: it is the responsibility of the Board and down through the whole organisation. Everyone has a responsibility to safeguard the organisation by keeping security as a priority, and success will be when nothing untoward happens.