There are no magic bullets to prevent cyber crime, as shown by the recent spate of ransomware attacks. The onus is on boards to demonstrate they are reducing risks by implementing robust systems and processes. They must also be pragmatic enough to create a strong critical incident plan in case criminals do find a way through an organisation’s defences.
It is up to non-executive directors to ask the right questions of executives to make sure there is a joined-up approach. Lewis Doyle, Non-executive Director at the Sussex Partnership NHS Trust, says: “Cyber security is as much about good management and leadership as it is about technical expertise. Good management and a lack of technical expertise, or poor management with excellent technical knowledge, won't help when the enemy is at the door.”
The two need to go hand-in-hand. Brian Stevenson, a Criticaleye Board Mentor who sits on the audit committee at the insurer Prudential, comments: “An organisation’s digital infrastructure is as strong as its weakest entry point. Criminals are very good at detecting where the weaknesses are so it is critical that your defences are at a high standard right across an organisation.”
Criticaleye spoke to a range of experts to identify five areas that boards are focusing on to curb the threat of a cyber attack.
Prioritise the risks
Cyber attacks are fast moving, fluid and highly complex events. For example, the WanaCryptOr outbreak was reported on 12th May and escalated rapidly to infect over 90,000 systems in more than 160 countries, primarily targeting organisations in the health and telecommunications sectors.
It is incumbent on a board of directors to do as much as they can to identify where an organisation is most vulnerable. Debbie Hewitt, Chairman of the clothing retailer Moss Bros Group, says: “People often game specific data hack scenarios, but that’s not enough. You have to think about what would bring your business model down – what are the big seismic risks that could knock you off course?
“What would happen if a business couldn’t take payment for five days? How long could it absorb it before cash-flow problems started to develop? You need to pick the areas where you think the business would face a terminal risk and then conduct a dialogue about the best way the business could mitigate [against] it [or] recover.”
Lewis stresses the need for vigilance. “If you are a high profile organisation in a reporting window, or in the news with an IPO on the horizon, then your risk profile rises accordingly as you become a far more attractive target to hackers. You must therefore be aware of the environment you are trading and operating in and factor this in to your cyber-crime planning and defences,” he states.
Education is fundamental
In many cases, mistakes by staff can be minimised by a combination of investment in IT security and proper training about the best ways to protect information.
Brian explains: “A lot of the answers to digital defences are technical and embedded in desktops, laptops, mobile devices, data centres and servers. On another level, there is a responsibility to train staff, such as ensuring they are more careful with passwords, which is a HR issue.”
According to Debbie, drills and exercises are useful ways to drive the message home. “The education of staff is essential as a high percentage of breaches come from employees accidentally doing something wrong. You can provide oversight around this to reduce the risk by increasing awareness, such as running cyber security training days.
“In one business where I am on the board, we send out false emails that attempt to get employees to click on a link, which then reminds them that doing so is against cyber policy. The board receives feedback and statistics on these spoof emails.”
Keep gathering intelligence
NEDs should have the freedom to ask for multiple insights on threats and security measures. Debbie says: “It is important to bring representatives of every part of the business to talk about cyber to the board, such as getting a sales director to come in to discuss how they perceive the threat from a B2B sales point of view – this is just good risk management.”
Asking representatives from within a company’s supply chain to present to the board can also be useful. “Many businesses give a lot of data to suppliers and they provide a lot of data,” she explains. “If their security is lacking when placed in comparison with your own, then that could be a massive weak spot.”
The point is to gain as much intelligence as possible. Debbie says: “NEDs should also seek out other NEDs for advice, especially those that have faced cyber-security issues recently. I typically get all my NEDs to share what knowledge they have gained as you can learn an awful lot from a colleague with recent tangible experience.”
It’s essential for NEDs to speak up if they feel they are being bombarded with IT jargon. “Board members need to ask if they don’t understand something,” states Brian. “It’s important to demystify information that is new and to simplify it so that people understand the risks.”
Prepare for the GDPR
The EU General Data Protection Regulation (GDPR) comes into force in May 2018. It will compel companies to respond to a data breach within 72 hours, or face a fine of four per cent of global revenue or €20 million.
It demands that organisations can at least explain the steps they are taking to implement a robust data protection strategy. James Mullock, Partner at Bird & Bird, says: “If you were to take no steps to try and prepare for the GDPR's introduction in the run up to May 2018 and were then to suffer a breach or fail a compliance requirement, the ICO [Information Commissioner’s Office] would not be impressed.”
James notes that a lot of organisations are bringing in project managers to run GDPR compliance: “It’s good to have a point of ownership when preparing for the GDPR. Someone internally should be given responsibility and budget so that they can drive things forward. This person should be empowered to form a group around them, composed of representatives from the compliance, legal, IT and operational departments.”
Like Debbie, he urges organisations to review their main suppliers: “Existing contracts with key data processing suppliers need to be looked at afresh. This is especially the case if you have a contract that has a low cap on liability or excludes liability altogether for loss of data, which is the case with many standard-form IT contracts.
“I’m not saying reassess every single supply contract, but organisations will need to pick the ones that they are the most exposed on. They also need to ensure that their procurement teams are armed with suitable GDPR compliant template contracts going forward.”
Given the fast-approaching deadline, boards ought to be asking questions about where an organisation is on its GDPR journey.
Know your critical response plan
There needs to be a coordinated plan of action in place if a business is to successfully respond to a cyber security breach in the time limit set down by the GDPR.
, Managing Director at Accenture, explains: “The moment a breach is identified, boards need to make sure the incident response team is prepared and informed. The practical difficulty here is that breaches are traditionally identified by the business and it can be a long time before they report it to a DPO [Data Protection Officer].
“Boards need to make sure that the business’s procedures are robust enough so as soon as they identify a breach they send it to the ICO.”
This may mean reviewing existing critical incident response plans. Brian says: “There needs to be strong business continuity planning. This entails clear communications issued by your PR department, as well as educating your chief executive about what to say and what not to say in the public domain. You need to be ready to deal with the police and potentially the security services such as MI5. You also have to be ready to deal with regulators.”