When TalkTalk, the British telecoms giant, was targeted by hackers recently, it cost the business £60 million and the loss of 100,000 customers.
Dido Harding, TalkTalk’s chief executive, resigned, although she claimed it was for other reasons.
The thieves responsible have since been apprehended by the authorities. But the event still serves as a cautionary tale.
It is just such an occurrence that business schools are trying to teach their students to cope with — or avoid entirely.
“This is stuff you simply need to know,” says David Upton, professor of operations management at University of Oxford: Saïd Business School.
He has created an executive education program on cyber security for board members and teaches a mandatory course on the full-time MBA.
We asked the professor if other business schools should be doing the same. Here is what he told us:
Q. How concerned is global business about the threat of cyberattacks?
In general, businesses are becoming increasingly concerned, although there’s variation across industries. Some are clearly leading, like finance. But even some of those that originally thought they weren’t under threat, like retail, realize that it’s a big deal. Generally, companies think that cyber crime is a big, scary thing.
Q. One in four UK companies are hit by cyber-attacks, says PwC. Are they treating cybercrime seriously enough?
This may be a biased point of view but, no, I don’t think they are. I think the way you assess whether people take it seriously is by looking at the action they take to deal with or prevent an attack. People often say cybercrime is a big deal, but there’s more effort on the technical side than the behavioural side, which is where we see the biggest threat.
It’s a broader managerial issue. It’s not an IT issue. It’s one of those things that, because it happens via a computer, people think it should be dealt with by the IT department. But in fact, just some basic behavioural things, like understanding what a phishing attack is or knowing when to open a firewall or when you should take data out the building, can help.
The things we address in our programs are things like insider threats (threats that come from people within an organization), but also the broader ecosystem of outsider attacks and the fact that hacking has turned into essentially organized crime, a Silicon Valley of organized crime that is constantly attacking businesses now. The problem with cyber-attacks is that some are simply nips in the skin, but some are knives through the heart, but we’re under increasing threat of big, bad attacks.
We’re redesigning the (executive education) program because we want board-level executives to have an awareness of how serious a problem cybercrime could be, and outline what their duties are, what they should be doing, and what they can’t use as an excuse when things go wrong.
Q. Will cyber security become a permanent fixture of business education?
Absolutely. It’s now grown into a compulsory part of the MBA program (at Oxford). It’s been threaded throughout the MBA and executive programs. This is stuff you simply need to know. Cyber security is going to be more widespread (in business education) as people learn how to teach it. There’s a lot of technical material which isn’t suitable for an MBA audience, but we’re getting a growing chorus of material which is teachable to MBAs.
Q. Are there career opportunities for business graduates in the space, for example in cyber security consulting?
Absolutely. There is demand across the board. Oxford is running the Global Cyber Security Capacity Centre, a global organization funded by the World Bank and others. The idea is: we develop skills across the board for people who have knowledge of cyber security — not just the technical people but also on the managerial side.
There’s a huge shortage (of talent) all the way from law enforcement through to the managerial ranks — pretty much everywhere. There will be an increasing number of people who are expected to coordinate cyber security across organizations who aren’t simply sitting in IT — they are general managers.
The big message is that it’s a general managerial problem, not an IT problem. And it’s a big and growing problem — it’s growing dramatically. The criminals are out-running (law enforcement), without a doubt. People will take cyber security increasingly seriously as bad things happen.