Cyber Security – What Future NEDs Must Know
Arno Robbertse is one of the managing partners of G3 and is in charge of cyber security. He came in to talk to us last week, and here is a summary of what he had to say:
G3, which was founded by a senior former director of Kroll, gives advice on how to access information on the internet and on how your own information can be accessed.
Cyber security will be a permanent feature of corporate life from now on and so all NEDs must have a reasonable understanding of issues of cyber security.
The internet provides so much: connectivity, entertainment and business opportunities, all on a truly global scale. But it also presents serious problems for security and privacy.
It was in 1988 that the very first viruses were created, first by an MIT graduate who wanted to know how big the internet had got. He then took 10 per cent of the internet down. Nowadays viruses are a global problem and far more malicious. Organised crime uses them to make money through fraud, targeting specific people or companies. There is a whole ecosystem (the ‘dark web’) of organised crime where hackers share information on how to achieve these attacks. The majority of attacks are highly sophisticated (unlike the one that caused TalkTalk’s problem). Hackers on their own were only involved in 5% of these attacks. But 95% of all data breaches involve our own errors: people are at fault.
How do we stay safe and conquer the hype created through the fear, uncertainty and doubt associated with cyber security?
It is now a major mainstream risk and urgently needs to be considered by boards in the same way that more traditional mainstream business risks are reviewed and addressed. Boards need to recognise the issue and the threat to the business’s ability to operate. It is the board’s responsibility to remove the hype.
Investing in cyber security protection is a business enabler for the whole business; it’s not just an ‘IT problem’ for the Tech team to sort. It is a risk to your assets, your share price, your ability to operate and your reputation. Failure means your customers may just walk away.
The majority of attacks that G3 investigates are made possible by sloppy processes, bad practices and/or poor staff training. There are more technical attacks, but cyber criminals will go for the easy targets first.
G3 talks about the importance of the ‘Human firewall’. This is the key line of defence needed to build your defence in depth. It requires people, whether staff at work or family members at home, to work out whether an email is safe, what it is asking them to do and whether it is from someone they expect, and to recognise the risk. So, TRAIN YOUR STAFF!
Attackers are getting cleverer at researching a company’s employees. They use a variety of tricks to get them to open malicious email links. For example, a fake email from the CEO, congratulating them on their charity fund raising efforts and offering a free gift if they just follow the link…!
There are many cyber security issues that Boards should be aware of.
Regulation is increasing, but monitoring it is very difficult. The European Data Directive, which will force companies to disclose their breaches, could be a game changer.
The Board isn’t responsible for the technical system day to day, but it is responsible for dealing with and reacting to any breaches.
Key things for Boards to be aware of include:
• Breach detection. The average time before a company notices it has been hacked is 256 days, then another 60 days to work out what’s happened, so typically there’s a full year of data going out of the business, and sometimes data could be going out, unnoticed, for years.
• Response. When you are aware of a breach, how do you respond? TalkTalk’s breach was badly handled, so they suffered a huge share price drop. However, Vodafone, who were hacked on the same day as TalkTalk, in the same way and to a similar degree, clearly had a response plan and handled it very differently, so the public wasn’t aware of the breach until much later. It is the Board’s responsibility to lead during times of uncertainty.
• Cyber insurance. Though the market is in its infancy, Boards should be aware of its existence. There will always be an irreducible level of risk that can be insured, i.e. residual loss and pay-out of fines (the cost of the breach). However, reputational damage is an uninsurable loss.
• Supply chain risk. Every supplier who is connected to your company needs to meet the same standards of security that you hold. Target (the major US retailer) were hacked via an attack on their air conditioning supplier.
What should the Board be doing to mitigate risk?
The focus of the Board should be on planning for and responding to an attack and showing leadership if you have been attacked.
• Put the risk on the Board agenda – sometimes this might be best handled via the Audit and Risk committee
• Insist on Board-friendly language, not technical jargon
• Ensure the Board receives regular updates – not just a one off report
• Test your systems using scenario-based exercises
• Assemble an incident response team
• Engage experts early on in this area (Tech and forensic experts, media experts); you don’t want to be inundated with offers to help only when the crisis hits
• Make sure the systems are in place to detect attacks and have a roadmap for the response
• Make sure the Board is always alerted when an attack has been made so they can gauge how often it happens
• Make sure the company staff are trained on how to avoid and detect a hacking attempt
A company which practises these things will tend to react well when the time comes, as it inevitably will. It is how you respond that will determine your company’s reputation.
Boards must be prepared for the moment when the business suddenly loses the ability to operate in the way it has always taken for granted. Businesses have become over-reliant on technology and need to think about what happens when it fails. This is not so much a technical issue as a business risk. Boards need to have meaningful discussion and debate around it and be prepared for the crisis, as there’s no technology silver bullet to solve it.
Where will the next types of threat come from?
There are layers of the internet which Google doesn’t touch: the ‘dark web’. Being aware of and reviewing this area can give advance warning of specific attacks.
Knowledge sharing will be vital, for example by business sector. Get together with others affected; company heads of security can’t work on their own, in a vacuum. Also, certain nation states are openly or covertly engaging in hacking, to gain economic advantage and as an extension of espionage.
To combat hackers you need to be in a state of continuous improvement: audit, review and improve.
We need to consider how we prevent, how we detect, how often we detect and then how we respond. These are legitimate questions for a NED to ask, and to ensure are answered in non-technical language. Benchmark against industry competitors using publicly available data, and review your policies against ISO 27001, the cyber security standard.