CYBER SECURITY IN THE BOARDROOM
DEVELOP A POWERFUL CYBER STRATEGY
… COMPANIES CONDUCTING BUSINESS THROUGH DIGITAL … EXISTING ENTIRELY ONLINE), CYBER SECURITY HAS BECOME A CRITICAL ISSUE.

This increased reliance on all things digital has allowed challenger firms to take up market share and innovative services to be developed. At the same time, our dependence on technology means firms are more vulnerable to attacks. Outside forces can paralyse systems or steal customer details and digital assets if they are savvy enough to break in … or if the firm affected did not have appropriate defences in place.

… equipped to understand the challenge of cyber security. We only need to look at some of the published figures to get a sense of the scale of the cyber security problem.

CYBER CRIME COSTS THE GLOBAL ECONOMY $600 BILLION ANNUALLY, UP 20% ON THE 2014 ESTIMATE OF $500 BILLION

In its 2018 report on the economic impact of cyber crime, McAfee estimated that cyber crime costs the global economy $600 billion annually, up from their estimate of $500 billion in 2014¹. This represents 0.8% of global GDP – a truly staggering amount of money.

While we may never know the exact cost of cyber crime, there is little doubt that attacks have become a fact of life for most organisations. It is not a case of 'if' they will be attacked, but 'when'.
Attacks are increasing in sophistication as well as frequency. And it is not just organised criminals that businesses need to be aware of, but also well-equipped nation-state-sponsored actors that may be seeking to undermine competitors or steal secrets. For example, the Verizon 2019 Data Breach Investigations Report showed that:

39% OF BREACHES WERE CAUSED BY CRIMINALS AND 23% BY NATION-STATE-SPONSORED ACTORS²

One of the key challenges to cyber security is that there is such diversity in the cast of potential attackers. On top of nation states and organised crime syndicates, we also need to add to the cast 'lone wolves'. These people are often motivated by money or malice, are company insiders who hold a grudge against their business, or could be unofficially employed by a competitor searching for valuable intellectual property (IP).

As criminals have stepped up their game, so have governments and industry bodies, though it is questionable whether or not they are keeping pace. Data security and privacy have become areas of increasing focus for governments, who are trying to legislate in the interest of both citizens and their data. The issue has also risen significantly up the regulatory agenda across many industries and geographies. The introduction last year of the General Data Protection Regulation (GDPR), with its tougher data handling requirements and stiffer penalties for non-compliance, only reinforced this.

IN THE FUTURE, COMPETITIVE ADVANTAGE WILL ALSO DEPEND ON BUSINESSES MANAGING DIGITAL IDENTITIES AND DATA SAFELY – SO SECURITY AND PRIVACY ARE NOT JUST COMPLIANCE ISSUES, BUT STRATEGIC ONES AS WELL.

Taken together, these factors mean that robust cyber security is an imperative for all businesses. Yet, the question remains: "how well prepared is your Board?"

The fact is that cyber security is an area many Boards know relatively little about. They are generally not technologists, after all. Boards are used to making risk-based decisions rooted in clear management information (in a format that they are familiar with and understand). Cyber, meanwhile, feels nebulous, its threats, risks and opportunities coded in a new, unfamiliar language.

We have found that Boards generally recognise the importance of cyber security but are frequently not confident they have the information they need to put sensible measures and defences in place.

In short, most Boards are simply not ready for a cyber incident and aren't preparing as effectively as they could to defend their business from this burgeoning threat. Boards need a joined-up strategy to get ahead of the risks, rather than simply reacting to circumstances when the worst happens.

This paper is designed to help them achieve just that. We have identified the five key questions that Boards need to ask in order to gauge how prepared they are to meet today's cyber threats head on.
THE CYBER BACKDROP

NEVER FAR FROM THE HEADLINES

IT FEELS LIKE ALMOST EVERY WEEK A CYBER INCIDENT HITS THE NEWS.
A string of blue-chip brands have
reported being affected by breaches
of various sizes over the last few
years. While, in one sense, this
means confessing to a breach has
become ‘normalised’, the list of
breached businesses is still not a
list that any business wants to add
its name to.
While some attacks have been specifically targeted at individual businesses, there have also been many instances of highly commoditised attacks in recent years, aimed at organisations around the world.

THE WANNACRY RANSOMWARE ATTACKS IN 2017, FOR EXAMPLE, AFFECTED AN ESTIMATED 300,000 COMPUTERS WORLDWIDE, CRIPPLING MANY ORGANISATIONS' SYSTEMS.

This type of blanket attack is often a 'numbers game', with organised cyber criminals unleashing a virus or sending out millions of emails with a malicious link embedded and simply seeing what sticks.

This is not to say, of course, that targeted attacks cannot be equally as devastating.

THE 2015 ATTACK ON TALKTALK SAW THE PERSONAL DATA OF OVER 150,000 CUSTOMERS STOLEN. THE ESTIMATED TOTAL COST TO THE COMPANY WAS A REPORTED £77 MILLION.

Other global brands have also been affected by similar cyber attacks, including Marriott, which announced in 2018 that a breach had exposed the records of up to 500 million customers in its Starwood Hotels reservation system.

The 2019 Harvey Nash / KPMG CIO Survey, which includes views from 3,600 IT leaders around the world, revealed that a third of businesses admitted to experiencing a major cyber attack in the last two years³. This percentage tallies with the 32% of businesses who said they had experienced a breach or attack in the previous 12 months, as reported in the Department for Digital, Culture, Media and Sport's Cyber Security Breaches Survey 2019⁴. This report found that nearly 1 in 5 incidents had stopped staff from carrying out their daily work, and a third of incidents required new measures to be introduced to prevent further attacks.

All of this impacts heavily on firms' ability to innovate and develop new services for the benefit of customers.

Some sectors are, naturally, bigger targets. Financial Services is a high-priority target for cyber criminals. The Financial Times recently reported that there has been a fivefold increase in data breaches recorded by the FCA in 2018, with 145 breaches taking place in total. Retail banks saw the largest increase in reported incidents, up from 1% in 2017 to 25% the following year⁵.

In part, this rise in reports may be due to the new requirements imposed by the GDPR. A personal data breach must now be reported to the regulator within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected. The Information Commissioner's Office (ICO) – the regulatory body that deals with the GDPR in the UK – revealed recently that 14,000 personal data breaches had been reported by organisations during the first 12 months of the regulation – up from around 3,300 the year before.

Even if 82% of cases reported then required no further action, this jump shows that cyber threats are becoming more prevalent and more widely recognised as a real threat. But it could be 'too little, too late'.

Cyber security is an issue that every business simply must take control of – the risks of regulatory fines, reputational damage and material losses are simply too great to ignore.
³ A Changing Perspective, Harvey Nash / KPMG CIO Survey, Harvey Nash and KPMG, 2019. [https://www.hnkpmgciosurvey.com/]
⁴ Cyber Security Breaches Survey 2019, Department for Digital, Culture, Media and Sport, 2019. [https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2019]
⁵ Cyber attacks on financial services sector rise fivefold in 2018, Murgia, M. and Megaw, N., Financial Times, 2018. [https://www.ft.com/content/6a2d9d76-3692-11e9-bd3a-8b2a211d90d5]
CYBER SECURITY AND THE BOARDROOM

YOUR AVERAGE BOARD MEMBER MIGHT BE COMFORTABLE WITH HANDLING STRATEGY AND 'BUSINESS AS USUAL' OPERATIONAL MATTERS BUT, WHEN IT COMES TO THE 'BRAVE NEW WORLD' OF CYBER, SOME MAY FEEL AS IF THEY ARE IN THE DARK.
MIKE PECKHAM
MANAGING PARTNER,
GADHIA CONSULTANTS
CYBER SUCCESS IN FIVE QUESTIONS

BOARDS LOOKING TO DEVELOP OR IMPROVE THEIR CYBER STRATEGY SHOULD BE ASKING:
These questions really need to be answered at Board level, not delegated to Chief Information Officers (CIO), Chief Information
Security Officers (CISO) or Chief Technology Officers (CTO). This is because, as the Board works through each of the questions,
their awareness of cyber security will increase along with an understanding of their accountability. In this way, they can improve
resilience across all areas of the business.
In the next section of this paper, we consider each of these questions and detail how Boards can develop a framework that includes
governance, awareness, protection, response and recovery.
The journey to cyber resilience is long, difficult and never really over. But it is vital for firms to consider. Every review of cyber
security should start with an assessment of governance structures, as we highlight in the figure above.
CYBER SECURITY: A BOARD LEVEL CHALLENGE

BOARDS MUST ACT NOW TO ADDRESS THE GROWING CYBER THREAT.
IN MANY WAYS, THIS IS THE 'UMBRELLA' QUESTION THAT THE FOLLOWING FOUR QUESTIONS HELP TO ANSWER.

One of the first points to appreciate is that being 'protected' in cyber terms is only relative. There is no guarantee that a cyber attack won't occur at some point. Most businesses view this as a 'when', not 'if' matter and implement policies and defences accordingly, striving to meet best-in-class standards that minimise the risk of harm.

There are a number of cyber certifications and frameworks that organisations can obtain or follow, including:

⚫ The government-backed National Cyber Security Centre (NCSC) Cyber Essentials and Cyber Essentials Plus
⚫ The NCSC's Ten Steps to Cyber Security
⚫ ISO 27001 – the international standard for information security management
⚫ The US-based National Institute of Standards and Technology (NIST) Cybersecurity Framework, a globally recognised standard

Such frameworks cover the core technical elements of cyber security: securing Internet connections, devices, software and systems; controlling access to data and systems; protecting from malware; and keeping software up-to-date. These are all important steps and gaining a certification can be a great learning exercise for any business.

However, managing cyber security is about much more than just technology protocols and configurations, important as they are. Buying or implementing new technology to safeguard the business is no silver bullet. If your approach is to rely on technology, it could be out of date almost the moment you buy it. Cyber criminals are developing new attack techniques and tools just as fast as new security measures can be developed.

To be truly effective, cyber security requires the right combination of people, technology and processes. This means having the right technology in place to safeguard and monitor systems, the right processes followed, and the right people to monitor and assess whether or not it is all working. More broadly, it also means ensuring that people across the business are aware of security good practice and protocols.

All of these aspects need to work together as part of a holistic and coordinated approach – different aspects, such as physical and technological controls, should be looked at as different pieces of the cyber security puzzle.
It is critical that firms take this wider view rather than approach things in artificial silos. Criminals don't do this and businesses shouldn't either. One of the key learnings here, therefore, is that cyber security is much more than a technical exercise.

IT ISN'T ONLY 'THE TECH TEAM'S PROBLEM'. IT IS A MATTER FOR EVERYONE ACROSS THE BUSINESS.

The Board has a critical role to play here, setting the tone from the top and building a culture of compliance and security. They need to show their employees that they are taking cyber security seriously and expect the whole business, in all its different functions, to do so as well.

A strategic approach to cyber security means having comprehensive policies, guidelines and standards in place. It is only by having these that an organisation can ensure a consistent approach, assess its current state and monitor its performance against clear criteria.

A basic but essential question to start with is: does your business have a clear set of written IT security policies and guidelines? Have these been agreed and signed off at a senior level?

Senior sign-off of these policies is crucial, both to ensure that they are fit for purpose at a strategic level and to demonstrate the Board's engagement with the issue.

As discussed, it's important that someone on the Board takes primary responsibility for cyber security. This individual should have the appropriate …

Once ownership is clear, businesses can then proceed to review their position in relation to their security framework. Use the talking points in this section to discuss whether any improvements are required.

If the answers to any of these questions are unsatisfactory, then the Board should request that the relevant individuals address them as quickly as possible and report back with their proposed solutions.

TALKING POINTS:

⚫ Who is responsible for cyber security – at both a Board level and operational level?
⚫ Do we have a clear and widely understood set of IT and security guidelines? How are these made available to staff?
GERRY DIQUE
HEAD OF CLIENT TECHNOLOGY
If the worst happens and your business suffers a breach, it will need to manage both the issue itself and also the communications that will go out to key audiences such as regulators, shareholders, media, customers and staff. Handling all of these simultaneously can be extremely challenging.

But perhaps the first question for businesses to consider here is: "how quickly would we know if we were breached?"

IN THE VERIZON (2019) REPORT, MORE THAN HALF OF BREACHES TOOK MONTHS TO DISCOVER.

There is, of course, a requirement under the GDPR to report any breach …

… the business have sufficient resource in its communications and customer relations teams? It may be that they would need to draw on the services of a communications / PR agency, for example.

EARLY AWARENESS IS CRITICAL

The sooner a company identifies an issue, the quicker it can respond and the more likely it is to be able to contain it before it escalates. Late awareness, however, means that the issue could have spread from its initial point of entry to more systems. Late awareness plays into the hands of attackers.

Once a breach or incident has been detected, firms will need to get a technical team involved to help take back control or isolate the problem. What these teams then communicate to outside parties will have to be decided upon, very quickly.

… companies affected by ransomware attacks, in which criminals use software to 'lock up' data and hold it hostage until a ransom is paid, cover the incident up and secretly agree payments to the attackers in order to have their systems freed. This is obviously bad practice, as it is essentially rewarding the criminals and potentially funding future, more …

A ROBUST COMMUNICATIONS STRATEGY WILL BE NEEDED

Firms will be 'rolling the dice' with the reputation of their brand if communications are poorly judged, ill-timed, or inaccurate.

Once the communication process has begun, your firm will also need to be prepared for a stream of follow-up enquiries and requests for updates. If the breach is high profile enough, you should also expect the media to come knocking.

It is therefore advisable to map out a broad communications strategy in advance of any breach, which can be adjusted according to individual circumstances.

An effective communications plan can be developed by answering the following questions:

⚫ … communications issues in the event of a breach?
⚫ As a business, what can we learn from past crises?
⚫ What would our approach be in the event of a ransomware attack?
In many ways, this is the most technical question on our list, the answer to which will depend on the nature and severity of the incident.

If it is a 'denial of service attack', for example, crippling a business' website or IT systems by flooding them with traffic or bogus requests, your business will need to have back-up systems and processes in place to get back online.

Firms will need to build a clear map that shows which systems or applications are critical to the running of business functions. Prioritise these in order of importance and then consider what contingencies could be activated if they were disabled or breached.

Think, as well, about how these systems are protected. What firewalls are in place? What monitoring and detection systems do you have? Are systems regularly patched and updated as required?

It may also be useful, as we referred to above, to overlay your cyber security thinking with any general business continuity / disaster planning that …

COMPANIES SHOULDN'T FORGET THAT THEY MUST ALSO CONSIDER PHYSICAL SECURITY ISSUES AS WELL AS CYBER ONES.

In the event of an incident, you may want to control or shut down access to certain buildings or parts of buildings. Think about security pass and access issues – how quickly could your teams remove or change access permissions and what would be the process for doing this?

It is difficult, of course, to truly think through all the ramifications of an incident when it remains an abstract concept.

MANY BUSINESSES FIND IT HIGHLY USEFUL TO CARRY OUT SIMULATION EXERCISES OR 'WAR GAMES'. THESE MAKE AN INCIDENT FEEL 'REAL' AND FLUSH OUT BOTH OPERATIONAL AND COMMUNICATION ISSUES, PROVIDING MANY MORE OPPORTUNITIES FOR LEARNING THAN THE PURELY THEORETICAL APPROACH.

These simulations may also help …

You should also consider whether any advisors or third-party specialists are needed to support. An objective and experienced pair of eyes can be an invaluable resource in the heat of an incident. Are there any retainers or contractual arrangements in place?

There is also the question of cyber insurance, which has become increasingly common in recent years as the cyber threat has grown. Dealing with an incident can be a costly process – so knowing your firm has insurance cover available can provide peace of mind and help the business meet additional costs.

TALKING POINTS:

⚫ What back-up systems and servers do we have?
⚫ Have we identified which systems are truly central to the running of our business?
⚫ Do we have the protections and firewalls in place that we need?
⚫ When did we last run a simulation exercise?
STEPHEN HEAD
SENIOR PARTNER
CYBER SECURITY PRACTICE
You can only really understand the nature of the potential cyber threats you face if you understand who is likely to attack you and why. What would they be after?

As we touched on earlier, there are a number of different possible attackers out there, all with slightly different methods, motivations and goals.

ORGANISED GANGS:

These are likely to send out blanket malware attacks hoping for a small percentage of hits that will allow them to obtain data that can be sold on the dark web. They may also attempt to extort ransom payments for stolen or frozen data.

MALICIOUS INDIVIDUALS:

These are also likely to send out blanket attacks but are more often motivated by the 'thrill' of causing disruption and the sense of power it brings rather than by financial gain.

INSIDERS:

These are often an underestimated threat. With access to systems and passwords within the business, they may have exactly what they need to cause significant damage. Insiders could be malicious – perhaps they may be seeking revenge for dismissal or feeling under-appreciated – or cause damage by accident or carelessness. For example, staff may unwittingly click on a phishing email link or reveal a password. Education and awareness are therefore critical to mitigating the insider threat.

NATION STATES:

There have been allegations that countries with opposing interests either fund or organise attacks – sometimes to gain IP from the rival powers, sometimes simply to cause disruption.

COMPETITORS:

When unscrupulous competitors attack, the primary motivation is likely to be stealing IP, addresses and competitive information. They could also be after physical assets – written documents or audio recordings of phone calls, for example.

After understanding the possible sources of attack, you will want to consider what information and which systems each of these attackers would be most likely to target. To answer this, businesses will need to create a map of their systems and IT architecture as well as their critical IP and data repositories. Once this is complete, they can consider what defences are in place and whether they need to be strengthened.

DETERMINING WHAT NORMAL LOOKS LIKE, IN TERMS OF DATA AND INFORMATION FLOWS, WILL ENABLE FIRMS TO DETECT UNUSUAL ACTIVITY OR TRIGGERS FOR ACTION. EFFECTIVE MONITORING IS A KEY REQUIREMENT FOR CYBER SECURITY.

Boards should also consider questions around IT security. For example, what firewalls are in place? Are systems regularly updated and software patches applied? How are systems designed to contain a hostile action or systems failure?
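The two points above, "how quickly would we know if we were breached?" and "determining what normal looks like ... will enable firms to detect unusual activity", are what a monitoring team actually has to implement. The following is an added example, not code from the paper or from Huntswood: it builds a per-host baseline of daily outbound data volume and known destinations from a constructed transfer log, then flags any later day that deviates sharply from that baseline or talks to a destination never seen before. The log format, host names, IP addresses, byte counts and the robust z-score threshold of 5 are all assumptions made for the illustration; a real deployment would read the equivalent fields from proxy, firewall or NetFlow records.

```python
"""Baseline-and-deviation detection over a constructed outbound-transfer log.

Added example, not from the original paper. Hosts, addresses, byte counts
and the log format are hypothetical, chosen only to illustrate the technique.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log, one line per outbound transfer:
#   "<date> <host> <destination-ip> <bytes-out>"
# Six business days form the baseline. On the last day fin-ws-01 pushes
# ~48 MB to an address it has never contacted before: the kind of change
# a firm wants to see the same day rather than months later.
SAMPLE_LOG = """\
2019-06-03 fin-ws-01 203.0.113.10 1843000
2019-06-04 fin-ws-01 203.0.113.10 2010000
2019-06-05 fin-ws-01 203.0.113.10 1777000
2019-06-06 fin-ws-01 203.0.113.10 1950000
2019-06-07 fin-ws-01 203.0.113.10 1902000
2019-06-10 fin-ws-01 203.0.113.10 1880000
2019-06-11 fin-ws-01 198.51.100.7 48200000
2019-06-03 hr-ws-07 203.0.113.10 610000
2019-06-04 hr-ws-07 203.0.113.10 655000
2019-06-05 hr-ws-07 203.0.113.10 590000
2019-06-06 hr-ws-07 203.0.113.10 640000
2019-06-07 hr-ws-07 203.0.113.10 602000
2019-06-10 hr-ws-07 203.0.113.10 630000
2019-06-11 hr-ws-07 203.0.113.10 615000
"""


def parse_log(text):
    """Parse lines into (date, host, dest, bytes_out); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        date, host, dest, size = parts
        records.append((date, host, dest, int(size)))
    return records


def daily_totals(records):
    """Total bytes out per (host, date)."""
    totals = defaultdict(int)
    for date, host, _dest, size in records:
        totals[(host, date)] += size
    return totals


def build_baseline(records, baseline_end):
    """Per-host 'normal' from dates <= baseline_end (ISO dates compare as strings):
    median daily volume, its median absolute deviation, and destinations seen."""
    window = [r for r in records if r[0] <= baseline_end]
    volumes = defaultdict(list)
    for (host, _date), size in daily_totals(window).items():
        volumes[host].append(size)
    dests = defaultdict(set)
    for _date, host, dest, _size in window:
        dests[host].add(dest)
    baseline = {}
    for host, sizes in volumes.items():
        med = median(sizes)
        mad = median(abs(s - med) for s in sizes)
        baseline[host] = {"median": med, "mad": mad, "dests": dests[host]}
    return baseline


def robust_z(value, med, mad):
    """Robust z-score (median/MAD); a zero MAD makes any deviation 'infinite'."""
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def detect_anomalies(text, baseline_end, threshold=5.0):
    """Flag (host, date) pairs after baseline_end whose daily volume exceeds
    `threshold` robust-z units or that contact a destination not in the baseline."""
    records = parse_log(text)
    baseline = build_baseline(records, baseline_end)
    later = [r for r in records if r[0] > baseline_end]
    day_dests = defaultdict(set)
    for date, host, dest, _size in later:
        day_dests[(host, date)].add(dest)
    alerts = []
    for (host, date), size in sorted(daily_totals(later).items()):
        if host not in baseline:  # never seen in the window; policy decides, skipped here
            continue
        b = baseline[host]
        z = robust_z(size, b["median"], b["mad"])
        new_dests = day_dests[(host, date)] - b["dests"]
        if z > threshold or new_dests:
            alerts.append({"host": host, "date": date, "bytes_out": size,
                           "robust_z": round(z, 1),
                           "new_destinations": sorted(new_dests)})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG, "2019-06-10"):
        print(alert)
```

The median and MAD are used instead of mean and standard deviation so that a single large transfer in the baseline window cannot inflate "normal" and hide later exfiltration; the new-destination check catches a small, slow transfer that volume statistics alone would miss. Two independent signals on the same day, as in the sample, are what should trigger the escalation the paper asks about.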
TAKE ACTION NOW

NO BUSINESS HAS CYBER SECURITY ENTIRELY 'WORKED OUT'.
TO MAKE SURE THIS BECOMES A PART OF DAILY LIFE, SENIOR SPONSORSHIP IS REQUIRED.

It is important that those sitting at Board level are fully engaged with the issue and understand the importance of getting it right. Once a Board level representative has been identified, businesses will need to ensure that cyber is clearly owned at an operational level as well.

GOOD GOVERNANCE IS CRUCIAL FOR CREATING A CLEAR, DETAILED STRATEGY FOR …

Companies should be investing in and rolling out both employee training and strong encryption of sensitive data, so that the compromise of a system does not automatically mean the loss of the data held on it.

It may also be appropriate to consider whether your business is sufficiently equipped to respond to and recover from a potential incident. This could include contracting third party specialist support and expertise. Such third parties can help you review and strengthen defences, as well as support if an issue takes hold.

Cyber security is a difficult issue to face. The combination of technical complexity, unpredictability and constant evolution makes it hard for anyone to really get a firm grasp on it.

CASE STUDY

A publicly quoted business lost control of one of its critical payment websites during a major marketing event. This was only signalled to the CEO when the outage was shared on social media. We subsequently learnt that staff had been dealing with technical issues prior to the event, without escalating them to the Board. The timing of the outage suggested a hostile attack, but after thorough investigation, this was excluded.

Working with the senior leadership team, we established a crisis response team and provided the necessary structure and meeting discipline throughout the incident, and resilience. The root cause of the issue was identified with only minor impact to business processes. In addition, the route back to 'business as usual' was controlled and directed in a transparent, risk-assessed environment. The business was therefore able to present a clear and informed decision-making process to the regulators in its follow-up interview.
Gerry, who joined Huntswood in 2016, is the Head of Client Technology. He is responsible for the creation, enhancement and provision of the technology platforms that underpin Huntswood's client services. His focus is on taking the needs and challenges of clients into account and formulating appropriate delivery roadmaps, project plans and end-to-end solutions.

Gerry has over 17 years of experience delivering various technology initiatives in the Banking and IT Industry. Prior to working at Huntswood, Gerry worked at a tier 1 bank delivering various technology solutions in the customer management and experience space.

Matthew is the Director of External Engagement for Huntswood, leading the development of Huntswood's external engagement strategy to help position and support our brand and services within the marketplace.

Matthew has a background in conduct regulation and professional services having worked as a supervisor at the Financial Conduct Authority (FCA) and for two of the 'Big 4' advisory firms, where he led and contributed to work in relation to conduct risk.
ABOUT HUNTSWOOD AND GADHIA CONSULTANTS

In our engagement with clients we are, above all else, collaborative and always at the forefront in the development of innovative, tailored and transformative solutions. These typically combine people, processes and technology to drive better customer, commercial, and regulatory outcomes.

Our services include resourcing and outsourcing solutions, backed up by an expert advisory capability.

We have a solid reputation for being easy to work with, which has been earned through continuous improvement and consistency in exceeding our clients' expectations throughout all stages of delivery.

… working with our clients, we bring commercial pragmatism, urgency and a commitment to succeed in finding the answer.

[Figure: "We combine people, process and technology" – as a partner of choice for resourcing solutions and advisory services, underpinned by technology platforms and innovation, across a range of industries, to drive better outcomes: operational excellence, cost & efficiency, mitigate risk, customer experience.]

"WHEN YOU LEAD A BUSINESS, YOU NEED PEOPLE AROUND YOU THAT SHARE YOUR VALUES, WORRY FOR THE BUSINESS AND MAKE THINGS HAPPEN. I ESTABLISHED GADHIA CONSULTANTS TO SHARE THAT BURDEN AND PROVIDE THE PRACTICAL SUPPORT THAT BOARDS AND SENIOR TEAMS NEED."

DAME JAYNE-ANNE GADHIA
GET IN TOUCH
T: 0333 321 7811
E: enquiries@huntswood.com
W: huntswood.com
@Huntswood
Search ‘Huntswood’