We need to talk about cyber security, writes Dr Daniel Prince, Senior Lecturer in Cyber Security at Lancaster University.

The news loves a good cyber disaster story. From the disruption to the Colonial fuel pipeline, the attack on one of the world's biggest meat supplier, to the ransomware used a couple of years ago that crippled the NHS. Cyber disasters make headlines, but often leave smaller businesses or organisations thinking “so what?”

And yet there is an unavoidable dependence on digital technologies for modern business. This dependence has increased with the radical shift in ways of working, driven by the pandemic and powered by digital technologies themselves. The protection of these empowering technologies must therefore be critical.

For decades the cyber message for businesses of all sizes has been that they need to take cyber security seriously. This message is driven by an underlying impression that if companies don’t, they will suffer. Something bad will happen to them in the form of loss of reputation, loss of information, loss of capability and ultimately financial loss.

The National Cyber Security Centre (NCSC) has done a very good job of helping to educate businesses around cyber security protection. They have developed and provided guides and other resources to tackle the fundamentals of protection. It has been shown that if companies tackled five basic fundamentals it would prevent around 80% of all the attacks happening right now.

But here is the challenge - cyber security is positioned around a message of risk and loss, while a business’ ethos is often focused on opportunity and growth. In many ways, current cyber security positioning is diametrically opposed to the mission of most businesses and the drive of most entrepreneurs, business owners and leaders. It is this tension which, perhaps is limiting the adoption cyber security best practices by many businesses of all sizes.

Businesses need to think differently about cyber security, and look on it as a business asset. To do this, a fundamental shift needs to take place in the way businesses conceive what cyber security does. How it enables as well as what it protects.

A practical example would be for businesses to incorporate cyber security into their marketing. Following NCSC guidance, and getting ‘Cyber Essentials Certified’ is something that will help to differentiate companies from their competitors. We have already started to see larger organisations using cyber security to differentiate themselves, but less so with smaller organisations.

Cyber security can also be used to enable big data analytics. With strong security, companies can hold an increased amount of customer records with lower risk. The larger the data set, the company is better able to use big data approaches to gain insights into its customers, increasing revenue and profit.

Companies already comfortable with cyber security practices may seek to innovate with cyber security technology directly, such as new forms of protecting data, identifying people, and checking what they are allowed to do. For example, seamlessly identifying customers during website interactions, or securely tracking deliveries, or for customers to gain secure, transparent insight into business processes that affect them.

The practical starting point on this journey is to ask “How can we use cyber security to our advantage?” This question can be answered by using common business tools such as the Business Model Canvas. When you are designing your product or service, include a discussion on how cyber security shapes the value proposition for your clients.

By taking this approach, cyber security becomes a business growth decision, providing a clear reason why and what cyber security is needed. Cyber security becomes the tool for companies to realise the value proposition for their clients. This in turn drives growth and prosperity while also improving the protection that everyone is advocating for.

The next time the topic of cyber security comes up in discussion at your company, perhaps it is time to ask how you can use it to competitive advantage, rather than just discussing which computers you need to protect.