As part of the CBI Cyber Security Conference 2018, experts hosted a future looking session to “examine the latest threat intelligence and emerging risks for businesses in the cyber security landscape”. The panel considered what threat and risk issues boards need to be addressing and planning for, the impact of new technologies and key lessons learnt from 2018.
What are the biggest issues in cyber security today?
James Hatch, Director of Cyber Services – BAE Systems Applied Intelligence:
Why are cyber-attacks so attractive [to criminals]? The more the world runs on digital technology the more achieving their aims becomes ever greater. Digital technologies are as available to attackers as much as they are there to help the economy – and it’s much cheaper to attack than defend. Today, most organizations are still struggling with the basics.
Andrew Try, Managing Director – ComXo:
Vast money is being put into prevention but less into preparation for when [a cyber-attack] occurs and some companies don’t realize what a worst case scenario could be.
Les Anderson, Global Chief Security Officer – BT:
For me the top three worries are: Insider threat – we are large oranization with over 100,000 employees who can inadvertently cause risk and so need education. Second, supply chain risk: we’re only as strong as our weakest link but working in partnership they understand what our standards are. Third, attack: this comes at BT in many forms – nation states, terrorists. So, ensuring we have a layer of defence measures and intelligence about what’s happening is important.
Professor Angela Sasse, Professor of Human-Centred Technology, UCL:
Staff are the biggest asset and the last line of defence [in cyber security]. The biggest thing is for organizations to stop fighting on the inside; blaming staff and doing security in an adversarial way. It’s all about trust, collaboration, good communications and making it easy for people to do right thing. So, encourage staff to be vigilant and report, including when they either don’t understand or don’t know what to do. There is a big skills change that needs to happen and the sooner organizations start, the sooner they’ll be in a better position.
James Dalton, Director of General Insurance Policy – Association of British Insurers:
The cyber threat is increasing and we’re seeing a larger number of claims. GDPR has increased uptake of cyber insurance and has helped understanding in the market. However, insurers are concerned about the issue of group litigation orders – consumers filing claims for loss of data without material loss. Being sued for causing distress under a group litigation order should worry businesses.
What do you do when business leaders won’t admit they have a culture of blame?
AS: Culture is key: telling employees to do one thing while leadership thinks they’re too important to bother with rules – you can’t have that. Never give an order that can’t be obeyed and a good start is having fewer policies or guiding principles that everyone follows. Get health and safety people involved; they’re trained to see when rules are not followed and, if something’s not working, to fix it. At the moment [in cyber] it doesn’t happen until there’s an incident.
JH: Many organizations are driven by headlines, such as the interest in ransomware following WannaCry. The [real] risk is what matters to that business, e.g. customer trust, effective operations, etc. There is a blame culture across the cyber security industry and organizations need to work together to make security more collaborative. Then there is a better chance of defending society rather than just our own networks.
JD: Culture is important – making sure boards taking ownership and put risk mitigation in place. Getting businesses to understand and manage risk is a massive issue for us.
What is the motivation for cyber-attacks and what are the greatest threats to the economy in the medium term?
LA: In our experience attackers are: serious criminals trying to make money, going after our data or knocking out our services; terrorists wanting to inflict damage or Hackerists, for example trying to take out BT Sport. We need to understand the attacker’s mind-set and their motivation. We can’t leave this to Government to understand the next wave of malware.
JH: Their motivation is stealing, spying, disrupting. Risk has two elements: high profile disaster scenarios and, also, a drip-drip of mid-lower level attacks.
Where does risk assessment need to go?
LA: We have eight key risk areas with experts managing the risks. And in conversations with the board we tell real cyber stories based on data to illuminate the conversation. This informs policy and modernization, along with watching what’s happening in the market. Also planning and exercises are key. We run “Black Swans” after any incident, for example following the recent BA data breach. A business needs to have playbooks practised and available while controlling the media message as much as you can.
AT: There’s a woeful lack at board level to practise complete outages or loss of data. Boards need to raise awareness that these attacks can come from anywhere.
Do companies taking out cyber insurance understand the liabilities they have?
JD: No – cyber is going to be the first insurance product that is a service offering, not just settlement of a claim; it’s more about stopping further breaches happening, helping mitigate loss of data, getting lawyers involved and PR people to help minimize reputation damage. Cyber insurance is not like car or building insurance and we need to help boards understand what they’re buying.
What step changes are coming in risk?
LA: Encryption is a difficult nut to crack. But we need to know what to do to protect precious data generated by the Internet of Things such as fridges and cars as data platforms.
AT: Identity, i.e. knowing who is who. For example, Google is making phone calls like a human being. Imagine that on a robotic scale… are you going to give away your details?