Cyber Criminals will always look for the path of least resistance

27 June 2017

PwC recently hosted an event with the British Retail Consortium (BRC) in Shoreditch which brought together senior information security professionals and business leaders in the retail sector to explore the role of the board in cyber security. PwC is currently working closely with the BRC to engage retailers on cyber security issues at a senior level.

We provided a briefing on the board perspective on cyber security, outlining our seven key principles. To generate discussion, attendees then split into teams and played our Game of Threats cyber simulation - an immersive, turn-based simulation game where two teams play against each other as attackers (in this case cyber criminals) and defenders (a fictitious retail organisation). It’s aimed at senior leaders and is designed to get them thinking about the cyber security issues their organisation could be facing and the choices available in terms of investment and potential action they could take.

It’s always great to facilitate Game of Threats events, not least to see how excited players can get when playing as the attackers, and how much pressure they can feel when defending against a threat. The events always generate discussion and debate too. The key issues coming from the session were:

  • It’s much easier playing an attacker than a defender. The risks you face are much lower, and if you can’t successfully breach an organisation there are plenty more you could turn to (the path of least resistance). Conversely, for the defenders, failure could mean significant damage to an organisation in terms of financial loss and reputational impact.
  • Carefully considered investment plans for security capability and infrastructure can easily be derailed by responding to an attack.
  • It’s difficult to make decisions when you know you are being attacked, but have limited information about what exactly the attackers have been able to do.
  • What do you do when the money runs out? Defending teams invariably went cap in hand to the CFO to ask for emergency funding in order to maintain the defence.
  • A couple of teams “won” the game on points by eventually repelling attacks, but had suffered a number of successful attacks that had been made public before they were stopped. In real life these organisations would likely have suffered significant reputational damage and potential impact on share price during this period.  

As the BRC’s cyber security toolkit states, “retailers should be realistic that no business can protect itself 100 per cent against all risks”. Hopefully this exercise helped the attendees to think about some of the issues they may face in the future in a safe (and fun) environment.

Commenting on the event, Helen Dickinson OBE, Chief Executive of the BRC said: “Our research shows that an estimated 53 per cent of reported fraud in the retail industry is cyber-enabled, which represents a total direct cost of around £100 million. In the UK’s digitised economy, it’s essential that retailers prioritise the people, process and technology aspects of cyber security and also pool know-how amongst other businesses. Organisations like the BRC and PwC are crucial to facilitating knowledge-sharing, industry guidance and best practice.”

If you are interested in discussing a Game of Threats event for your organisation please do get in touch.

View James Hampshire’s profile on LinkedIn


