In today’s hyper-connected world, evolving threats and new regulations, like GDPR, make cyber security a responsibility for senior management.
At IoD Open House, we hosted a session on Staying Cyber-Secure, which brought together a formidable panel of industry experts.
In this summary of a lively discussion packed with insights and advice, we reveal how to make the boardroom sit up and take notice of this threat, how insurers measure risk, and what really happens after a company suffers a data breach, along with the key takeaways.
Anne Duncan: IoD France, Founder and Chair of Digital & Technology Initiative
Marcus Chambers: Senior Security Officer at Full Frame Technology
Royce Curtin: MD for Global Intelligence at Barclays
Gareth Wharton: Cyber CEO at Hiscox
Jessica Fine: External Affairs Director at global healthcare company MSD
1. The threat is constant, evolving and can damage any business
The session began with Anne Duncan asking the audience how many of them had been the victim of a cyber crime and the majority said ‘yes’.
She added that one of the key purposes of the session was to explain why directors, and not just experts, must ‘own cyber security’ and asked Royce Curtin to explain why this issue is so important.
Royce has been MD of Global Intelligence at Barclays since early 2017 and, prior to that, spent 28 years with the FBI. He said, “The threats we face are dynamic, evolving and indiscriminate.
“We have learned it can be a nation state which is heavily resourced with thousands of experts, to the other end of the spectrum which are ‘crimes of service’ - somebody with zero skills, they don’t know how to write code, they don’t know how to transfer money.
“You can go into the dark web and you can buy those kinds of cyber-attacks, so if you want to steal data, disrupt services, you can do all those things without having any experience at all.”
2. Most attacks are caused by human error
Although the technology that hackers use is constantly evolving, the ways in which somebody can infiltrate a network and create havoc haven’t changed.
Gareth Wharton is the CEO for Cyber at Hiscox, having previously been both its CTO and CIO. He revealed that, “We were looking at our claims data during 2017 and 40% of the claims we paid were for ransomware. Nearly 70% had some sort of ‘people element’ to it, whether it was payment diversion for fraud, accidental laptop loss, sending emails to the wrong person and so on.
“Are you training your staff? Do you do phishing tests? The two most effective tests we do internally are about payroll and a fake invite to a Christmas party. Don’t forget the human element of this.”
3. Make a checklist for staying cyber-secure
Marcus Chambers spent 17 years in the British Army as an IT Director. He now works for Full Frame Technology as its senior security officer. He works with companies in both the public and private sectors that have been breached, and with organisations seeking to prevent a breach in the first place.
When Marcus goes on site there is a basic checklist of questions he will ask, and every business must know the answers:
- What does your network look like?
- Where is your data?
- What applications are you running?
- Are they up to date?
- If you use a cloud provider what are the terms and conditions?
- How secure is data with the cloud?
- Who in your organisation is responsible for this?
4. What really happens when a company is attacked?
On June 24 last year, pharmaceutical company MSD was hit by a ransomware attack that affected its global network. MSD’s Jessica Fine revealed what happened next.
“Around lunchtime, I started to get messages through on my phone and phone calls from other bits of the organisation and it was very clear that we had been hit by a ransomware attack.
“One of the first decisions our global security/IT team needed to make was ‘when do we shut down the network and stop this spreading?’ Within seven minutes of the first computer being impacted, they decided to shut down the entire network globally.
“We didn’t know if they were after our data, the patient data that we hold from clinical trials, customer data or if it was a nation state attack. It turned out that they just wanted to cause massive disruption worldwide and corporations ended up as collateral damage. It was a nation state attack that started in Ukraine.
“We have thousands of field-based representatives. So, within the first 24 hours, we had to set up WhatsApp groups, text chains as our only means of communication out into the workforce. Social media was a big asset because it was a good way for our people to keep up to date with what we were doing.”
“Getting our life-saving medicines out to patients was critical and other things had to take a backseat. So, our employees didn’t get email back for five to six weeks but that wasn’t crucial.”
MSD had prepared for other incidents, such as an on-site security breach, but had no formal plan in place for a cyber attack. Jessica added, “We now feel ready today because of the experience we had but we know the software is evolving and it won’t be the same the next time around. Expect the unexpected.”
5. How insurers assess risk from SMEs to large organisations
A question was put to Gareth from the audience on how cyber insurers assess risk. Given the transactional nature of selling insurance to small businesses, he said there are some key metrics insurers use to set a price.
However, he added that “with bigger companies it becomes more complex. Typically, the risk manager buys insurance. He will be asked, ‘how many PCI (Payment Card Industry) records have you got?’ If he says, ‘what is a PCI record?’, then we must drag in the CIO or the Data Protection Officer. It’s about collating the information.”
Some companies may not realise that insurers also gather information via third parties.
As Gareth explained, “Third parties will look at the perimeter of your network and go ‘I can see this is vulnerable, I can see that isn’t patched’. They look at LinkedIn and see how many open IT security jobs you’ve got, they look at your Glassdoor profile to see what your ex-employees are saying and will come up with a risk rating.
“But mostly it’s about talking to people. There are some killer questions you can ask a risk manager such as ‘where is your most critical data?’ If you get a blank look, that is probably not a step in the right direction.”
6. How to make the board take notice
A member of the audience wanted to know how to get board members to take this issue seriously, which drew the following responses:
Marcus Chambers: “I’ve got a list of CEOs who have been sacked after a breach! I advised a law firm and worked out how much it would cost them in six-minute billing segments for a partner’s time, because that’s how they bill clients. So, I said, ‘it’s about your billing minutes and how many minutes it takes to protect your data.’ It’s about communicating with them in the right language.”
Gareth Wharton: “The question I would ask any business is ‘think about your data as a pile of cash. If you had a pile of cash on your desk, you would not leave the office on Friday evening with that cash sitting there. You would lock it away. So, if you value your data, how are you protecting it?’”
Jessica Fine: “You will only capture the attention of a CEO or a boardroom by showing them the reality of what this can do to a business.”
The key takeaways
You can get good advice online
Gareth advised small businesses to look at Cyber Essentials, a scheme backed by the Government which provides advice for online protection, stating that, “It’s about trying to keep abreast of what’s going on. This is probably one of the biggest threats facing your company. In our annual Cyber Readiness Report, 45% of the companies we surveyed last year had a cyber breach. It’s a ‘when’ not ‘if’ conversation.”
Marcus added that: “There is a cyber security information sharing portal which is run by the NCSC (National Cyber Security Centre). Please Google it and get on to it. It will tell you about what threats you are facing as an organisation and what measures you should take.”
You must be prepared
Following the attack on MSD, Jessica revealed that, “As the Communications Director I’m used to having multiple channels out to the external world. My biggest takeaway was that you must be prepared to lose all of that and have offline resources available.
“It’s about having simple things like a printed list of every person’s phone number in the organisation so you can send them a text message. We do everything on our devices but you must physically have a plan in place for a cyber attack.”
You need to own the situation
It’s the businesses which tackle the situation head on that are more likely to retain the trust of customers and clients. “GDPR expects us to demonstrate transparency, accountability and credibility,” said Royce. “If we don’t get out there immediately and tell people what we know and what we don’t know and what we’re doing about it, you lose credibility and you lose trust. If you lose trust, you lose shareholder value, you lose customers and clients, so it’s all tied together.”
You must identify the points of weakness
People are usually the weakest link and making sure your staff are trained to understand the threat is essential. Royce also observed that, “One of the most important things you need to do is understand that the attackers aim for the point that is weakest – unpatched devices that you have on your computer, people that haven’t updated their antivirus... The bad guys write code that says ‘go and attack everybody that forgot to patch ‘X’ on Windows XP.”
As the session drew to a close, Anne Duncan considered what the next steps should be both for business leaders and for the IoD.
“What businesses used to do is keep quiet about a cyber-attack and cover the costs somehow. Now they can’t,” she said. GDPR has helped to focus people’s minds on how data is stored and protected, but we can still do more.
“The IoD is taking this issue forward, not only in sessions and events like this but also through links on our website. It’s also important for people to contribute and if you can share knowledge, that is always helpful. It’s about being part of a system that is helping you and improving as we go along.
“We’re going to be doing a lot of director training to bring the level up to what it should be. Up until now it’s been left to the experts and we’re all picking up tips.
“What there hasn’t been, as we’ve got in other areas like finance and marketing, is director level training on cyber security and that is something we’re going to look at in future.”
Help protect your business against data breaches, viruses and other attacks from hackers. Hiscox can help minimise any loss and possible damage to your business and its reputation; IoD members receive a 5% discount for the lifetime of their policy.