
DEFEND. DELIVER.

DEVELOP A POWERFUL
CYBER STRATEGY
2 CYBER SECURITY IN THE BOARDROOM

WITH MORE AND MORE COMPANIES CONDUCTING BUSINESS THROUGH DIGITAL CHANNELS (SOME EVEN EXISTING ENTIRELY ONLINE), CYBER SECURITY HAS BECOME A CRITICAL ISSUE.

This increased reliance on all things digital has allowed challenger firms to take up market share and innovative services to be developed. At the same time, our dependence on technology means firms are more vulnerable to attacks. Outside forces can paralyse systems or steal customer details and digital assets if they are savvy enough to break in … or if the firm affected did not have appropriate defences in place.

Boards, in particular, need to be better equipped to understand the challenge of cyber security.

We only need to look at some of the published figures to get a sense of the scale of the cyber security problem.

In its 2018 report on the economic impact of cyber crime, McAfee estimated that cyber crime costs the global economy $600 billion annually, up 20% from their estimate of $500 billion in 2014¹. This represents 0.8% of global GDP – a truly staggering amount of money.

CYBER CRIME COSTS THE GLOBAL ECONOMY $600 BILLION ANNUALLY – UP 20% ON THE 2014 ESTIMATE OF $500 BILLION

While we may never know the exact cost of cyber crime, there is little doubt that attacks have become a fact of life for most organisations. It is not a case of 'if' they will be attacked, but 'when'.
Attacks are increasing in sophistication as well as frequency. And it is not just organised criminals that businesses need to be aware of, but also well-equipped nation-state-sponsored actors that may be seeking to undermine competitors or steal secrets. For example, the Verizon 2019 Data Breach Investigations report showed that:

39% OF BREACHES WERE CAUSED BY CRIMINALS AND 23% BY NATION-STATE-SPONSORED ACTORS²

One of the key challenges to cyber security is that there is such diversity in the cast of potential attackers. On top of nation states and organised crime syndicates, we also need to add to the cast 'lone wolves'. These people are often motivated by money or malice, are company insiders who hold a grudge against their business or could be unofficially employed by a competitor searching for valuable intellectual property (IP).

As criminals step up their game, so have governments and industry bodies, though it is questionable whether or not they are keeping pace. Data security and privacy have become areas of increasing focus for governments, who are trying to legislate in the interest of both citizens and their data. The issue has also risen significantly up the regulatory agenda across many industries and geographies. The introduction last year of the General Data Protection Regulation (GDPR), with its tougher data handling requirements and stiffer penalties for non-compliance, only reinforced this.

IN THE FUTURE, COMPETITIVE ADVANTAGE WILL ALSO DEPEND ON BUSINESSES MANAGING DIGITAL IDENTITIES AND DATA SAFELY – SO SECURITY AND PRIVACY ARE NOT JUST COMPLIANCE ISSUES, BUT STRATEGIC ONES AS WELL.

Taken together, these factors mean that robust cyber security is an imperative for all businesses. Yet, the question remains: "how well prepared is your Board?"

The fact is that cyber security is an area many Boards know relatively little about. They are generally not technologists, after all. Boards are used to making risk-based decisions rooted in clear management information (in a format that they are familiar with and understand). Cyber, meanwhile, feels nebulous, its threats, risks and opportunities coded in a new, unfamiliar language.

We have found that Boards generally recognise the importance of cyber security but are frequently not confident they have the information they need to put sensible measures and defences in place.

In short, most Boards are simply not ready for a cyber incident and aren't preparing as effectively as they could to defend their business from this burgeoning threat. Boards need a joined-up strategy to get ahead of the risks, rather than simply reacting to circumstances when the worst happens.

This paper is designed to help them achieve just that. We have identified the five key questions that Boards need to ask in order to gauge how prepared they are to meet today's cyber threats head on.

¹Economic Impact of Cybercrime - No Slowing Down, McAfee, 2017. [https://www.mcafee.com/enterprise/en-us/solutions/lp/economics-cybercrime.html]

²2019 Data Breach Investigations Report, Verizon, 2019. [https://enterprise.verizon.com/en-gb/resources/reports/dbir/]


THE CYBER BACKDROP: NEVER FAR FROM THE HEADLINES

IT FEELS LIKE ALMOST EVERY WEEK A CYBER INCIDENT HITS THE NEWS.

A string of blue-chip brands have reported being affected by breaches of various sizes over the last few years. While, in one sense, this means confessing to a breach has become 'normalised', the list of breached businesses is still not a list that any business wants to add its name to.

The operational and practical issues following a breach remain as urgent and difficult as ever, and reputational damage can be just as severe – if not more so.

While some attacks have been specifically targeted at individual businesses, there have also been many instances of highly commoditised attacks in recent years, aimed at organisations around the world.

THE WANNACRY RANSOMWARE ATTACKS IN 2017, FOR EXAMPLE, AFFECTED AN ESTIMATED 300,000 COMPUTERS WORLDWIDE, CRIPPLING MANY ORGANISATIONS' SYSTEMS.

This type of blanket attack is often a 'numbers game', with organised cyber criminals unleashing a virus or sending out millions of emails with a malicious link embedded and simply seeing what sticks.

This is not to say, of course, that targeted attacks cannot be equally as devastating.

THE 2015 ATTACK ON TALKTALK SAW THE PERSONAL DATA OF OVER 150,000 CUSTOMERS STOLEN. THE ESTIMATED TOTAL COST TO THE COMPANY WAS A REPORTED £77 MILLION.

Other global brands have also been affected by similar cyber attacks, including Marriott, the organisation having announced in 2018 that a breach had exposed the records of up to 500 million customers in its Starwood Hotels reservation system.

The 2019 Harvey Nash / KPMG CIO Survey, which includes views from 3,600 IT leaders around the world, revealed that a third of businesses admitted to experiencing a major cyber attack in the last two years³. This percentage tallies with the 32% of businesses who said they had experienced a breach or attack in the previous 12 months, as reported in the Department for Digital, Culture, Media and Sport's Cyber Security Breaches Survey 2019⁴. This report found that nearly 1 in 5 incidents had stopped staff from carrying out their daily work, and a third of incidents required new measures to be introduced to prevent further attacks.

All of this impacts heavily on firms' ability to innovate and develop new services for the benefit of customers.

Some sectors are, naturally, bigger targets. Financial Services is a high-priority target for cyber criminals. The Financial Times recently reported that there has been a fivefold increase in data breaches recorded by the FCA in 2018, with 145 breaches taking place in total. Retail banks saw the largest increase in reported incidents, up from 1% in 2017 to 25% the following year⁵.

In part, this rise in reports may be due to the new requirements imposed by the GDPR. A breach, or suspected breach, must now be reported to regulators within 72 hours of its occurrence. The Information Commissioner's Office (ICO) – the regulatory body that deals with the GDPR in the UK – revealed recently that 14,000 personal data breaches had been reported by organisations during the first 12 months of the regulation – up from around 3,300 the year before.

Even if 82% of cases reported then required no further action, this jump shows that cyber threats are becoming more prevalent and more widely recognised as a real threat. But it could be 'too little, too late'.

Cyber security is an issue that every business simply must take control of – the risks of regulatory fines, reputational damage and material losses are simply too great to ignore.

³A Changing Perspective, Harvey Nash / KPMG CIO Survey, Harvey Nash and KPMG, 2019. [https://www.hnkpmgciosurvey.com/]

⁴Cyber Security Breaches Survey 2019, Department for Digital, Culture, Media and Sport, 2019. [https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2019]

⁵Cyber attacks on financial services sector rise fivefold in 2018, Murgia M., Megaw, N., 2018. [https://www.ft.com/content/6a2d9d76-3692-11e9-bd3a-8b2a211d90d5]

CYBER SECURITY AND THE BOARDROOM

YOUR AVERAGE BOARD MEMBER MIGHT BE COMFORTABLE WITH HANDLING STRATEGY AND 'BUSINESS AS USUAL' OPERATIONAL MATTERS BUT, WHEN IT COMES TO THE 'BRAVE NEW WORLD' OF CYBER, SOME MAY FEEL AS IF THEY ARE IN THE DARK.

There is undoubtedly scope for increased Board training on cyber-related issues, and we would argue that this should be built into any programme of Board training and development. Cyber security could be a productive focus topic on Board away-days, for example, and should also be a regular item on Boards' agendas.

It is important that someone with a technology background is invited to sit on the Board too, either in an executive or non-executive capacity. Even if your business doesn't expect to be the target of a cyber attack anytime soon, bringing this person on board should be a priority, especially given the crucial role technology plays in any modern business.

But, while the search is underway for your next 'tech-head in the Boardroom', we should be asking how Boards in their current form can gain a firmer grip on the issues at hand.

We believe there are FIVE KEY QUESTIONS that Boards should use to gauge where their organisation is on its 'cyber journey'. These will help them identify areas for improvement and enhancement and provide focus for the journey forward.

MIKE PECKHAM
MANAGING PARTNER,
GADHIA CONSULTANTS

CYBER SUCCESS IN FIVE QUESTIONS

BOARDS LOOKING TO DEVELOP OR IMPROVE THEIR CYBER STRATEGY SHOULD BE ASKING:

1. HOW DO WE KNOW THAT, AS A BUSINESS, WE ARE PROTECTED FROM CYBER ATTACKS?

2. HOW DO WE KNOW THAT WE HAVE THE MOST APPROPRIATE SECURITY POLICIES AND GOVERNANCE IN PLACE?

3. HOW SHOULD WE COMMUNICATE A CYBER SECURITY BREACH TO THE MARKETS, REGULATORS, CUSTOMERS, MEDIA AND STAFF?

4. CAN WE BE CONFIDENT THAT WE HAVE THE NECESSARY CONTINUITY PLANS IN PLACE TO KEEP THE BUSINESS RUNNING IF WE SUFFER A MAJOR CYBER INCIDENT?

5. WHAT IS THE NATURE OF THE THREAT LANDSCAPE AND WHAT ARE WE DOING TO UNDERSTAND IT?

These questions really need to be answered at Board level, not delegated to Chief Information Officers (CIO), Chief Information Security Officers (CISO) or Chief Technology Officers (CTO). This is because, as the Board works through each of the questions, their awareness of cyber security will increase along with an understanding of their accountability. In this way, they can improve resilience across all areas of the business.

In the next section of this paper, we consider each of these questions and detail how Boards can develop a framework that includes governance, awareness, protection, response and recovery.

The journey to cyber resilience is long, difficult and never really over. But it is vital for firms to consider. Every review of cyber security should start with an assessment of governance structures, as we highlight in the figure above.

CYBER SECURITY: A BOARD LEVEL CHALLENGE

BOARDS MUST ACT NOW TO ADDRESS THE GROWING CYBER THREAT. BUT WHAT DOES THIS ACTUALLY LOOK LIKE IN PRACTICE?

1. HOW DO WE KNOW THAT, AS A BUSINESS, WE ARE PROTECTED FROM CYBER ATTACKS?

IN MANY WAYS, THIS IS THE 'UMBRELLA' QUESTION THAT THE FOLLOWING FOUR QUESTIONS HELP TO ANSWER.

One of the first points to appreciate is that being 'protected' in cyber terms is only relative. There is no guarantee that a cyber attack won't occur at some point. Most businesses view this as a 'when', not 'if' matter and implement policies and defences accordingly, striving to meet best-in-class standards that minimise the risk of harm.

There are a number of cyber certifications and frameworks that organisations can obtain or follow, including:

• The government-backed National Cyber Security Centre (NCSC) Cyber Essentials and Cyber Essentials Plus
• The NCSC's Ten Steps to Cyber Security
• ISO27001 – the international standard for information security management
• The US-based National Institute of Standards and Technology (NIST) Cyber Security Framework, a globally recognised standard

Such frameworks cover the core technical elements of cyber security: securing Internet connections, devices, software and systems; controlling access to data and systems; protecting from malware; and keeping software up-to-date. These are all important steps and gaining a certification can be a great learning exercise for any business.

However, managing cyber security is about much more than just technology protocols and configurations, important as they are. Buying or implementing new technology to safeguard the business is no silver bullet. If your approach is to rely on technology, it could be out of date almost the moment you buy it. Cyber criminals are developing new attack techniques and tools just as fast as new security measures can be developed.

To be truly effective, cyber security requires the right combination of people, technology and processes. This means having the right technology in place to safeguard and monitor systems, the right processes followed, and the right people to monitor and assess whether or not it is all working. More broadly, it also means ensuring that people across the business are aware of security good practice and protocols.

All of these aspects need to work together as part of a holistic and coordinated approach – different aspects, such as physical and technological controls, should be looked at as different pieces of the cyber security puzzle.
It is critical that firms take this wider view rather than approach things in artificial silos. Criminals don't do this and businesses shouldn't either. One of the key learnings here, therefore, is that cyber security is much more than a technical exercise.

IT ISN'T ONLY 'THE TECH TEAM'S PROBLEM'. IT IS A MATTER FOR EVERYONE ACROSS THE BUSINESS.

The Board has a critical role to play here, setting the tone from the top and building a culture of compliance and security. They need to show their employees that they are taking cyber security seriously and expect the whole business, in all its different functions, to do so as well.

TALKING POINTS:

• Do we have any cyber certifications? Would it benefit the business to obtain one?
• Are we following technical best practice?
• Are we embedding a wider 'people, technology and processes' approach and taking a holistic view?
• Are we, as a Board, doing enough to communicate and champion the importance of cyber?

2. HOW DO WE KNOW THAT WE HAVE THE MOST APPROPRIATE SECURITY POLICIES AND GOVERNANCE IN PLACE?

A strategic approach to cyber security means having comprehensive policies, guidelines and standards in place. It is only by having these that an organisation can ensure a consistent approach, assess its current state and monitor its performance against clear criteria.

A basic but essential question to start with is: does your business have a clear set of written IT security policies and guidelines? Have these been agreed and signed off at a senior level?

Senior sign-off of these policies is crucial, both to ensure that they are fit for purpose at a strategic level and to demonstrate the Board's engagement with the issue.

As discussed, it's important that someone on the Board takes primary responsibility for cyber security. This individual should have the appropriate senior IT / security leader reporting to them, providing updates on a regular basis.

But who within IT or security should be the lead? We strongly recommend taking the responsibility for cyber security away from the CIO, whose role may be too broad and strategic. Instead, we suggest that a security specialist – a CISO or CSO – report specifically on security issues to the Board.

Once ownership is clear, businesses can then proceed to review their position in relation to their security framework. Use the talking points in this section to discuss whether any improvements are required.

If the answers to any of these questions are unsatisfactory, then the Board should request the relevant individuals address them as quickly as possible and report back with their proposed solutions.

TALKING POINTS:

• Who is responsible for cyber – at both a Board level and operational level?
• Do we have a clear and widely understood set of IT and security guidelines? How are these made available to staff?
• Is there a clear, 24 / 7 escalation process and has this ever been tested?
• Do staff receive cyber training? How often is this refreshed / revisited?

GERRY DIQUE
HEAD OF CLIENT TECHNOLOGY

3. HOW SHOULD WE COMMUNICATE A CYBER SECURITY BREACH TO THE MARKET, REGULATORS, CUSTOMERS, MEDIA AND STAFF?

If the worst happens and your business suffers a breach, it will need to manage both the issue itself and also the communications that will go out to key audiences such as regulators, shareholders, media, customers and staff. Handling all of these simultaneously can be extremely challenging.

But perhaps the first question for businesses to consider here is: "how quickly would we know if we were breached?"

IN THE VERIZON (2019) REPORT, MORE THAN HALF (56%) OF BREACHES TOOK MONTHS TO DISCOVER.

EARLY AWARENESS IS CRITICAL

The sooner a company identifies an issue, the quicker it can respond and the more likely it is to be able to contain it before it escalates. Late awareness, however, means that the issue could have spread from its initial point of entry to more systems. Late awareness plays into the hands of attackers.

Once a breach or incident has been detected, firms will need to get a technical team involved to help take back control or isolate the problem. What these teams then communicate to outside parties will have to be decided upon. Very quickly.

There is, of course, a requirement under the GDPR to report any breach to the ICO within 72 hours. This means not only reporting that a breach has taken place but giving the ICO an assessment of its extent and severity. Businesses should consider whether they are currently set up to do this. Do you have an internal or external monitoring and surveillance team (such as a Security Operations Centre) to detect suspicious activity or an attack?

A ROBUST COMMUNICATIONS STRATEGY WILL BE NEEDED

Firms will be 'rolling the dice' with the reputation of their brand if communications are poorly judged, ill-timed, or inaccurate.

Once the communication process has begun, your firm will also need to be prepared for a stream of follow-up enquiries and requests for updates. If the breach is high profile enough, you should also expect the media to come knocking.

It is therefore advisable to map out a broad communications strategy in advance of any breach, which can be adjusted according to individual circumstances.

HAS THE BOARD DISCUSSED THIS WITH THE HEAD OF COMMUNICATIONS?

Is there a crisis communication plan that can be put into action in the event of a cyber incident? Given the volume of enquiries that may be received, does the business have sufficient resource in its communications and customer relations teams? It may be that they would need to draw on the services of a communications / PR agency, for example.

An effective communications plan can be developed by answering the following questions:

• Who would the core communications team consist of?
• How frequently would they liaise with the Board and via what channels?
• Who would be the main spokesperson for the business?
• Would they be available for interviews?
• What would the main channels of communication be for each audience, such as customers and the media?

The degree of transparency and openness that businesses provide has become a topic of discussion, especially in connection to ransomware attacks.

Regulators and information security agencies are concerned that many companies affected by ransomware attacks, in which criminals use software to 'lock up' data and hold it hostage until a ransom is paid, cover the incident up and secretly agree payments to the attackers in order to have their systems freed. This is obviously bad practice, as it is essentially rewarding the criminals and potentially funding future, more organised attacks.

Aluminium producer Norsk Hydro gained plaudits for its response to a 2019 ransomware attack, refusing to pay the attackers that held their systems hostage. It took the company months to recover and repair systems, at a cost of tens of millions of pounds in lost productivity and revenue. But at least they didn't pay the ransom and contribute to the cycle of cyber crime.

TALKING POINTS:

• Do we have effective systems monitoring in place that will quickly alert us to an incident?
• Have we thought through key communications issues in the event of a breach?
• As a business, what can we learn from past crises?
• What would our approach be in the event of a ransomware attack?

4. CAN WE BE CONFIDENT THAT WE HAVE THE NECESSARY CONTINUITY PLANS IN PLACE TO KEEP THE BUSINESS RUNNING IF WE SUFFER A MAJOR CYBER INCIDENT?

In many ways, this is the most technical question on our list, the answer to which will depend on the nature and severity of the incident.

If it is a 'denial of service attack', for example, crippling a business' website or IT systems by overloading the system with false data, your business will need to have back-up systems and processes in place to get back online.

Firms will need to build a clear map that shows which systems or applications are critical to the running of business functions. Prioritise these in order of importance and then consider what contingencies could be activated if they were disabled or breached.

Think, as well, about how these systems are protected. What firewalls are in place? What monitoring and detection systems do you have? Are systems regularly patched and updated as required?

It may also be useful, as we referred to above, to overlay your cyber security thinking with any general business continuity / disaster planning that already exists. Are there elements that are common to both?

COMPANIES SHOULDN'T FORGET THAT THEY MUST ALSO CONSIDER PHYSICAL SECURITY ISSUES AS WELL AS CYBER ONES.

In the event of an incident, you may want to control or shut down access to certain buildings or parts of buildings. Think about security pass and access issues – how quickly could your teams remove or change access permissions and what would be the process for doing this?

It is difficult, of course, to truly think through all the ramifications of an incident when it remains an abstract concept.

MANY BUSINESSES FIND IT HIGHLY USEFUL TO CARRY OUT SIMULATION EXERCISES OR 'WAR GAMES'. THESE MAKE AN INCIDENT FEEL 'REAL' AND FLUSH OUT BOTH OPERATIONAL AND COMMUNICATION ISSUES, PROVIDING MANY MORE OPPORTUNITIES FOR LEARNING THAN THE PURELY THEORETICAL APPROACH.

These simulations may also help to highlight resourcing issues. In a crisis, would your business have the staff needed to support out-of-hours communications?

You should also consider whether any advisors or third-party specialists are needed to support. An objective and experienced pair of eyes can be an invaluable resource in the heat of an incident. Are there any retainers or contractual arrangements in place?

There is also the question of cyber insurance, which has become increasingly common in recent years as the cyber threat has grown. Dealing with an incident can be a costly process – so knowing your firm has insurance cover available can provide peace of mind and help the business meet additional costs.

TALKING POINTS:

• What back-up systems and servers do we have?
• Have we identified which systems are truly central to the running of our business?
• Do we have the protections and firewalls in place that we need?
• When did we last run a simulation exercise?

STEPHEN HEAD
SENIOR PARTNER
CYBER SECURITY PRACTICE

5. WHAT IS THE NATURE OF THE THREAT LANDSCAPE AND WHAT ARE WE DOING TO UNDERSTAND IT?

You can only really understand the nature of the potential cyber threats you face if you understand who is likely to attack you and why. What would they be after?

As we touched on earlier, there are a number of different possible attackers out there, all with slightly different methods, motivations and goals.

ORGANISED GANGS:

These are likely to send out blanket malware attacks hoping for a small percentage of hits that will allow them to obtain data that can be sold on the dark web. They may also attempt to extort ransom payments for stolen or frozen data.

MALICIOUS INDIVIDUALS:

These are also likely to send out blanket attacks but are more often motivated by the 'thrill' of causing disruption and the sense of power it brings rather than by financial gain.

INSIDERS:

These are often an underestimated threat. With access to systems and passwords within the business, they may have exactly what they need to cause significant damage. Insiders could be malicious – perhaps they may be seeking revenge for dismissal or feeling under-appreciated – or cause damage by accident or carelessness. For example, staff may unwittingly click on a phishing email link or reveal a password. Education and awareness are therefore critical to mitigating the insider threat.

NATION STATES:

There have been allegations that countries with opposing interests either fund or organise attacks – sometimes to gain IP from the rival powers, sometimes simply to cause disruption.

COMPETITORS:

When unscrupulous competitors attack, the primary motivation is likely to steal IP, addresses and competitive information. They could also be after physical assets – written documents or audio recordings of phone calls, for example.

After understanding the possible sources of attack, you will want to consider what information and which systems each of these attackers would be most likely to target. To answer this, businesses will need to create a map of their systems and IT architecture as well as their critical IP and data repositories. Once this is complete, they can consider what defences are in place and whether they need to be strengthened.

DETERMINING WHAT NORMAL LOOKS LIKE, IN TERMS OF DATA AND INFORMATION FLOWS, WILL ENABLE FIRMS TO DETECT UNUSUAL ACTIVITY OR TRIGGERS FOR ACTION. EFFECTIVE MONITORING IS A KEY REQUIREMENT FOR CYBER SECURITY.

Boards should also consider questions around IT security. For example, what firewalls are in place? Are systems regularly updated and software patches applied? How are systems designed to contain a hostile action or systems failure?
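As an added illustration of the point about establishing what "normal" data flows look like (example code written for this edit, not code from the paper or from Gadhia Consultants), the Python script below builds a per-host baseline of daily outbound volume from a fortnight of constructed flow records, using the median and the median absolute deviation so that one unusual day cannot distort the baseline, and then flags today's observations that fall far outside it or that come from a host with no history at all. The host names, volumes, the 3.5 score threshold and the working-day assumption are all constructed for the example.

```python
"""Baseline what 'normal' outbound data volume looks like per host and flag
days that deviate sharply from it.  Added illustration, not from the paper:
every record and threshold below is constructed."""
from statistics import median
from typing import Dict, Iterable, Tuple

# Constructed history: daily outbound volume in MB per host over a fortnight.
# Zeros are weekend days on which the workstations were switched off.
HISTORY: Dict[str, list] = {
    "finance-pc-07": [210, 195, 230, 205, 220, 0, 0, 215, 198, 240, 208, 225, 0, 0],
    "hr-laptop-12":  [55, 60, 48, 62, 58, 0, 0, 57, 61, 49, 63, 59, 0, 0],
    "build-srv-01":  [1500, 1480, 1520, 1495, 1510, 1490, 1505,
                      1515, 1485, 1500, 1498, 1502, 1497, 1509],
}

# Constructed observation for the day being checked.  finance-pc-07 sends
# roughly twenty times its usual volume; new-host-99 has never been seen.
TODAY: Dict[str, int] = {
    "finance-pc-07": 4300,
    "hr-laptop-12": 64,
    "build-srv-01": 1503,
    "new-host-99": 900,
}


def baseline(samples: Iterable[float]) -> Tuple[float, float]:
    """Median and median absolute deviation (MAD) of the active days.
    Zero-volume days are excluded so weekends do not drag the median down;
    median/MAD are used instead of mean/stdev because one past spike would
    otherwise widen the baseline and hide the next one."""
    active = [s for s in samples if s > 0]
    m = median(active)
    mad = median(abs(s - m) for s in active)
    return m, mad


def robust_score(value: float, m: float, mad: float) -> float:
    """MAD-based z-score; 0.6745 scales MAD to be comparable with a standard
    deviation for normally distributed data.  A zero MAD (perfectly constant
    history) makes any change infinitely surprising."""
    if mad == 0:
        return 0.0 if value == m else float("inf")
    return 0.6745 * (value - m) / mad


def detect_anomalies(history: Dict[str, list], today: Dict[str, float],
                     threshold: float = 3.5) -> Dict[str, str]:
    """Return {host: reason} for hosts whose volume today is far above their
    own baseline, or which have no baseline yet.  Only increases are flagged:
    the concern here is data leaving the business."""
    alerts: Dict[str, str] = {}
    for host, value in today.items():
        if host not in history:
            alerts[host] = "no baseline: host not seen before"
            continue
        m, mad = baseline(history[host])
        score = robust_score(value, m, mad)
        if score > threshold:
            alerts[host] = f"outbound {value} MB vs median {m} MB (score {score:.1f})"
    return alerts


if __name__ == "__main__":
    for host, reason in detect_anomalies(HISTORY, TODAY).items():
        print(f"ALERT {host}: {reason}")
```

The baseline is deliberately per host rather than fleet-wide: the build server's 1,500 MB a day is normal for it and would swamp the finance workstation's 200 MB if the two were pooled.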

Access is another key issue, especially for staff and ex-staff. This requires a mapping out of the password and access protocols that are in place. Do individuals only have access to information they actually need? Are there any blanket authorisations in place for certain information that may need to be made more specific? Who reviews access rights within the business and how often?

CRUCIALLY, FIRMS NEED TO LOOK AT WHAT PROCESSES ARE IN PLACE TO DISABLE PASSWORDS AND CANCEL SYSTEMS ACCESS WHEN A STAFF MEMBER LEAVES THE BUSINESS.

It is not uncommon for businesses to be surprisingly haphazard in this area. Failure to cancel access promptly is a completely avoidable risk.

As well as permanent staff, businesses also need to think about contractors and third parties. The same questions apply here: are they only given the access rights that they actually need? Who is monitoring and reviewing this? When a contract or project ends, are access rights promptly cancelled? In addition, are the necessary non-disclosure provisions being put in place to prevent third parties from passing IP or competitive information to rivals or other external parties?

It is only by truly understanding the threat landscape – and keeping that understanding as current as possible – that you can properly protect your business.

This knowledge is not a 'nice-to-have'. It is a core component of a robust cyber defence strategy.

TALKING POINTS:

• Do we understand who the main threats to our business are likely to be?
• What are they likely to be after – and how are we protecting it?
• Do we have sufficiently robust access protocols in place?
• Does this cover leavers and also contractors / third parties?
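One way to turn the access questions above into a repeatable check, as an added example that is not code from the paper or from Gadhia Consultants: the Python below reconciles a constructed HR list of employees and contractors, with their end dates, against a constructed list of accounts, and reports accounts still enabled after a leaver's end date, entitlements beyond what the engagement type is assumed to need (the "blanket authorisations" the text asks about), accounts with no owning HR record, and accounts whose access review is overdue. The record layout, the permitted-entitlement policy and the 90-day review cycle are assumptions made for the example.

```python
"""Reconcile HR leaver data against account records to find access that
should have been cancelled or narrowed.  Added illustration only: every
record below is constructed, and the layout is an assumption rather than
any real HR system's or directory's schema."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class Person:
    person_id: str
    kind: str                 # "employee" or "contractor"
    end_date: Optional[date]  # None while the engagement is current


@dataclass
class Account:
    username: str
    person_id: str
    enabled: bool
    entitlements: Set[str]
    last_reviewed: date


# Assumed policy: the entitlements each engagement type legitimately needs.
# Anything beyond this is treated as a blanket authorisation to question.
ALLOWED = {
    "employee": {"email", "intranet", "crm"},
    "contractor": {"email", "project-share"},
}

Finding = Tuple[str, str, str]  # (username, category, detail)


def find_stale_access(people: List[Person], accounts: List[Account],
                      today: date, review_days: int = 90) -> List[Finding]:
    """Return sorted findings for accounts that should be cancelled, narrowed
    or re-reviewed.  Categories: left-but-enabled, excess-entitlement,
    orphan (no HR record), review-overdue."""
    by_id = {p.person_id: p for p in people}
    findings: List[Finding] = []
    for acct in accounts:
        person = by_id.get(acct.person_id)
        if person is None:
            # Nobody in HR owns this account, so nobody will ever trigger
            # its removal: these are the classic forgotten service accounts.
            findings.append((acct.username, "orphan", "no HR record for owner"))
            continue
        if acct.enabled and person.end_date is not None and person.end_date < today:
            days = (today - person.end_date).days
            findings.append((acct.username, "left-but-enabled",
                             f"{person.kind} left {days} days ago"))
        excess = acct.entitlements - ALLOWED[person.kind]
        if acct.enabled and excess:
            findings.append((acct.username, "excess-entitlement",
                             ",".join(sorted(excess))))
        age = (today - acct.last_reviewed).days
        if age > review_days:
            findings.append((acct.username, "review-overdue",
                             f"last reviewed {age} days ago"))
    return sorted(findings)


# Constructed sample data.
TODAY = date(2019, 9, 30)
PEOPLE = [
    Person("p001", "employee", None),
    Person("p002", "employee", date(2019, 8, 15)),   # left six weeks ago
    Person("p003", "contractor", date(2019, 9, 1)),  # contract ended
    Person("p004", "employee", None),
]
ACCOUNTS = [
    Account("alice", "p001", True, {"email", "intranet"}, date(2019, 8, 1)),
    Account("bob", "p002", True, {"email", "intranet", "crm"}, date(2019, 3, 1)),
    Account("carol", "p003", True, {"email", "project-share", "crm"}, date(2019, 9, 10)),
    Account("dan", "p004", True, {"email"}, date(2019, 9, 15)),
    Account("svc_legacy", "p999", True, {"crm"}, date(2019, 9, 20)),
]

if __name__ == "__main__":
    for username, category, detail in find_stale_access(PEOPLE, ACCOUNTS, TODAY):
        print(f"{username:<12} {category:<20} {detail}")
```

The value of a check like this is that it runs on a schedule rather than relying on someone remembering to raise a ticket when a contract ends; the "orphan" category is the one most often missed, because no leaver event ever fires for an account with no owner.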



TAKE ACTION NOW

NO BUSINESS HAS CYBER SECURITY ENTIRELY 'WORKED OUT'.

CYBER SECURITY STRATEGY SHOULD BE AN ONGOING PROJECT, AS FIRMS WILL NEED TO ADAPT AND EVOLVE ALONGSIDE THE THREAT LANDSCAPE AND THE EMERGING TECHNOLOGIES THAT WE ARE ALL TAKING FOR GRANTED.

CASE STUDY

TO MAKE SURE THIS BECOMES It may also be appropriate to consider A publicly quoted business lost control of

A PART OF DAILY LIFE, SENIOR whether your business is sufficiently one of its critical payment websites during

SPONSORSHIP IS REQUIRED. equipped to respond to and recover a major marketing event. This was only
It is important that those sitting at Board level are fully engaged with the issue and understand the importance of getting it right. Once a Board level representative has been identified, businesses will need to ensure that cyber is clearly owned at an operational level as well.

GOOD GOVERNANCE IS CRUCIAL FOR CREATING A CLEAR, DETAILED STRATEGY FOR MANAGING CYBER SECURITY.

A key part of this will be identifying what data you hold as a business, as well as those who have access to it. What does ‘secure’ look like with this in mind? Identifying where the potential ‘weak links’ are will hopefully ensure quicker recognition if and when a breach occurs.

HAVE YOU PROTECTED YOUR MOST CRITICAL ASSETS TO THE BEST OF YOUR ABILITY?

Companies should be investing in and rolling out both employee training and strong encryption to ensure maximum security.

from a potential incident. This could include contracting third party specialist support and expertise. Such third parties can help you review and strengthen defences, as well as support if an issue takes hold.

Cyber security is a difficult issue to face. The combination of technical complexity, unpredictability and constant evolution makes it hard for anyone to really get a firm grasp on it.

For every attack repelled, there could be a different one around the corner. If worst comes to worst, a cyber incident can plunge a business into strange and disorientating territory at alarming speed.

A cyber attack or breach can strike at any time, without warning. The time for your board to act is now.

signalled to the CEO when the outage was shared on social media. We subsequently learnt that staff had been dealing with technical issues prior to the event, without escalating them to the Board. The timing of the outage suggested a hostile attack, but after thorough investigation, this was excluded.

Working with the senior leadership team, we established a crisis response team and provided the necessary structure and meeting discipline throughout the incident, acting as a source of specialist advice and helping to ensure effective lines of communication between stakeholders. We also worked alongside the internal IT team and specialist external support teams to manage the analysis of data, assessment of various risks and the presentation of facts back to the Board so that a remediation plan could be agreed and tested.

As a result of this successful crisis management, negative press and consumer action was limited. Instead, the business could continue to maintain operational resilience. The root cause of the issue was identified with only minor impact to business processes. In addition, the route back to ‘business as usual’ was controlled and directed in a transparent, risk-assessed environment. The business was therefore able to present a clear and informed decision-making process to the regulators in its follow-up interview.

ABOUT THE AUTHORS

MIKE PECKHAM FRGS, FRSA, MA
MANAGING PARTNER, GADHIA CONSULTANT

Mike is a Managing Partner at Gadhia Consultants and manages the strategy practice. Mike has provided consultancy support and specialist advice to a range of blue-chip clients. As an operations specialist he has managed special projects across Europe and Africa.

Mike is a Chairman of the technology firm Airbox and a member of the Advisory Board to Kina, a specialist firm providing Environmental, Social and Governance to support businesses across Africa. He is also an Entrepreneur in Residence with the Business School at The University of Wales, Assistant CEO of the Armed Forces charity Hire a Hero, and lectures at the MoD’s Defence Academy, Shrivenham.

STEPHEN HEAD
SENIOR PARTNER, CYBER SECURITY PRACTICE, GADHIA CONSULTANT

Stephen is the Senior Partner at Gadhia Consultants providing specialist advice on cyber security, strategy and crisis management. Before joining the Gadhia Group, Steve was the Chief Information Security Officer and then Chief Security Officer at Virgin Money where he was responsible for all issues of Cyber and Information Security as well as IP, physical and VIP event security.

Steve was the UK’s first National Policing lead for Economic Crime and during his thirty-year policing career, specialised in counter-terrorism as well as fraud and other cyber and economic crime. He also created Europe’s first specialist Intellectual Property Crime Unit and was the UK’s national liaison officer for the EU on matters of Fraud and Cyber-enabled Fraud. Steve is a member of the Global Cyber Alliance’s strategic advisory committee and works with several FinTech start-up companies providing specialist cyber security advice.

GERRY DIQUE
HEAD OF CLIENT TECHNOLOGY

Gerry, who joined Huntswood in 2016, is the Head of Client Technology. He is responsible for the creation, enhancement and provision of the technology platforms that underpin Huntswood’s client services. His focus is on taking the needs and challenges of clients into account and formulating appropriate delivery roadmaps, project plans and end-to-end solutions.

Gerry has over 17 years of experience delivering various technology initiatives in the Banking and IT Industry. Prior to working at Huntswood, Gerry worked at a tier 1 bank delivering various technology solutions in the customer management and experience space.

MATT DRAGE
DIRECTOR OF EXTERNAL ENGAGEMENT

Matthew is the Director of External Engagement for Huntswood, leading the development of Huntswood’s external engagement strategy to help position and support our brand and services within the marketplace.

Matthew has a background in conduct regulation and professional services having worked as a supervisor at the Financial Conduct Authority (FCA) and for two of the 'Big 4' advisory firms, where he led and contributed to work in relation to conduct risk.

ABOUT HUNTSWOOD AND GADHIA CONSULTANTS

We help firms govern, transform and operate their businesses to drive better outcomes.

When our clients need support, it almost always involves customer considerations, it is often multi-channel and always requires an approach that is compliant with regulation.

In our engagement with clients we are, above all else, collaborative and always at the forefront in the development of innovative, tailored and transformative solutions. These typically combine people, processes and technology to drive better customer, commercial, and regulatory outcomes.

Our services include resourcing and outsourcing solutions, backed up by an expert advisory capability.

We have a solid reputation for being easy to work with, which has been earned through continuous improvement and consistency in exceeding our clients' expectations throughout all stages of delivery.

[Graphic: We help clients govern, transform and operate their businesses. We combine people, process and technology as a partner of choice for resourcing solutions and advisory services, underpinned by technology platforms and innovation, across a range of industries, to drive better outcomes: operational excellence, cost and efficiency, mitigating risk, customer experience.]

Established by Dame Jayne-Anne Gadhia, our consultants know what it means to lead a business; the pressures, priorities and problems.

We help board members and senior executives to find answers to the most difficult questions.

Gadhia Consultants listen carefully to define the critical question and then, working with our clients, we bring commercial pragmatism, urgency and a commitment to succeed in finding the answer.

WHEN YOU LEAD A BUSINESS, YOU NEED PEOPLE AROUND YOU THAT SHARE YOUR VALUES, WORRY FOR THE BUSINESS AND MAKE THINGS HAPPEN. I ESTABLISHED GADHIA CONSULTANTS TO SHARE THAT BURDEN AND PROVIDE THE PRACTICAL SUPPORT THAT BOARDS AND SENIOR TEAMS NEED.

DAME JAYNE-ANNE GADHIA

GET IN TOUCH
T: 0333 321 7811
E: enquiries@huntswood.com
W: huntswood.com

@Huntswood
Search ‘Huntswood’

Huntswood CTC Limited


Abbey Gardens, Abbey Street,
Reading, Berkshire RG1 3BA
0333 321 7811
enquiries@huntswood.com
huntswood.com

@Huntswood
Search ‘Huntswood’

NOTES RELATING TO HUNTSWOOD


This document and its contents are confidential and proprietary to Huntswood or its licensors. No part of this
document may be copied, reproduced or transmitted to any third party in any form without our prior written
consent. Huntswood cannot accept any liability for the information given in this document which is offered as
a general guide only. All Huntswood engagements are subject to a binding contract, fully setting out all terms
and conditions. A full summary of terms and conditions is available on request. Huntswood CTC Ltd trades as
Huntswood, Abbey Gardens, Abbey Street, Reading RG1 3BA, registered company number 03969379.
