As part of the CBI Cyber Security Conference 2018, Ciaran Martin, CEO of the National Cyber Security Centre, hosted a keynote session. Here are a few key takeaways from his session.
There is a culture shift in business about cyber security: there is evidence that business leaders are now more focused on it, and that focus comes with a demand for clear and simple guidance.
Most cyber risks can be managed effectively if properly understood and board-level leadership is key to managing this national level risk.
This is because cyber risk is a business risk and needs to be treated as one. Board members have to become technical enough to have the right discussions, which means understanding the basics of cyber risks and attacks. It’s daunting, but it’s do-able.
Cyber threats affect different businesses in different ways, so each business needs to frame its defence around the threat picture it actually faces.
According to IBM, the global average cost of a cyber-attack is £3m. The estimated cost of lost productivity and damage to reputation and trust following the WannaCry ransomware attack is $4bn. So the threat from cyber crime is not scaremongering.
Despite this, many businesses in the FTSE 350 don’t have the right cyber security standards or the right training, and have no plan for dealing with a cyber security incident. Some of the explanations offered for this are:
1. Cyber is too complex
2. It’s sophisticated and you can’t stop it
3. Attacks are targeted, so we’re not at risk
These are damaging misconceptions. Closing the knowledge gap between the board and its teams is what lets board members talk about the risks, ask the right questions and challenge the answers.
Corporate leaders need to become cyber literate and, while acknowledging that their organizations’ core business is the top priority, they need to understand how to protect themselves.
Asking the right five questions
At one time the idea was that executives just needed good governance. We now know that hasn’t happened to the extent required: unsophisticated cyber-attacks are succeeding again and again, and otherwise good employees are still allowing attacks to happen.
Therefore, we are revisiting the support government gives to companies and launching new advice to help businesses get more technical. To plug the current gaps in knowledge, we are rolling out five basic questions for businesses to ask:
1. “How do we defend against phishing attacks?”
The business can minimize the risk by protecting its email domain against spoofing (for example with the SPF, DKIM and DMARC anti-spoofing controls), by ensuring the mail server marks external emails as external, and by giving staff an easy way to report suspicious emails. Don’t punish people for opening “dodgy” emails; focus instead on what can be done to mitigate the risk.
2. “What can we do to control privileged IT accounts?”
Add extra security to accounts such as the system administrator’s: if criminals compromise that account, they own your systems.
3. “How do we ensure our software/devices are up-to-date?”
What is the patching policy? Which devices need patching and when, and when do devices that can no longer be patched need replacing?
4. “How do we ensure partners and suppliers protect information we give them?”
Assume that partners will be compromised at some point, so build the controls into agreements from the start.
5. “What authentication methods allow access to systems?”
Passwords have to be remembered, so provide secure places to store them (such as a password manager). Passwords on their own are a weak control, so add other controls such as two-factor authentication.
These five questions are a starting point; boards mustn’t be afraid to ask other questions, however basic.
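Question 1 above names two concrete controls, protecting the email domain and marking external emails as external. The following Python is added here as an illustration and is not part of Martin’s talk or of any NCSC tool. It grades constructed SPF and DMARC records by whether they actually tell receiving mail servers to reject messages that impersonate the domain, and applies a gateway-style rule that tags mail whose sender domain is not one of a hypothetical organisation’s own. The domains in ORG_DOMAINS and every sample record and message are made up for the example.

```python
"""Two controls behind "how do we defend against phishing attacks?":
(1) checking that a domain's SPF/DMARC records tell receivers to reject
mail that impersonates it, and (2) tagging inbound mail from outside the
organisation so staff can see it is external.
Added example, not part of the original talk or of any NCSC tool.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation owns these domains; anything else is external.
ORG_DOMAINS = {"example.com", "mail.example.com"}


def assess_spf(record):
    """Grade an SPF TXT record by its 'all' qualifier, which decides what
    receivers do with senders the record does not list."""
    if not record or not record.lower().startswith("v=spf1"):
        return ("missing", "no SPF record published")
    all_term = next((t for t in record.split()
                     if re.fullmatch(r"[+\-~?]?all", t, re.I)), None)
    if all_term is None:
        return ("weak", "no 'all' mechanism: unlisted senders are treated as neutral")
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    return {
        "-": ("strong", "-all: unlisted senders fail"),
        "~": ("moderate", "~all: unlisted senders softfail and are usually delivered"),
        "?": ("weak", "?all: unlisted senders are neutral"),
        "+": ("none", "+all: anyone may send as this domain"),
    }[qualifier]


def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Grade a DMARC record: only p=reject or p=quarantine applied to 100% of
    failing mail actually stops spoofed messages; p=none is reporting only."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ("missing", "no DMARC record published")
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))
    if policy not in ("none", "quarantine", "reject"):
        return ("invalid", "p= tag missing or unrecognised; receivers ignore the record")
    if policy == "none":
        return ("monitor-only", "p=none: spoofed mail is reported but still delivered")
    if pct < 100:
        return ("partial", f"p={policy} applied to only {pct}% of failing mail")
    if policy == "quarantine":
        return ("quarantine", "p=quarantine: spoofed mail goes to junk")
    return ("enforcing", "p=reject: spoofed mail is rejected")


def tag_external(raw_message):
    """Gateway-style rule: prefix the subject of mail whose From: domain is not
    one of ours. The From: header is only trustworthy for our own domains if
    DMARC on those domains is enforcing; otherwise a spoofed From: reads as internal."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    if sender_domain not in ORG_DOMAINS and not subject.startswith("[EXTERNAL]"):
        del msg["Subject"]
        msg["Subject"] = "[EXTERNAL] " + subject
        msg["X-External-Sender"] = "yes"
    return msg


# Constructed sample records and messages (not real DNS data or real mail).
SPF_STRONG = "v=spf1 include:_spf.example.net -all"
SPF_SOFT = "v=spf1 a mx ~all"
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
EXTERNAL_MAIL = ("From: IT Support <helpdesk@examp1e.com>\nTo: staff@example.com\n"
                 "Subject: Password expiry\n\nClick here.\n")
INTERNAL_MAIL = ("From: IT Support <helpdesk@example.com>\nTo: staff@example.com\n"
                 "Subject: Maintenance window\n\nSaturday.\n")

if __name__ == "__main__":
    for label, rec, grade in [("SPF", SPF_STRONG, assess_spf), ("SPF", SPF_SOFT, assess_spf),
                              ("DMARC", DMARC_REJECT, assess_dmarc), ("DMARC", DMARC_NONE, assess_dmarc)]:
        level, reason = grade(rec)
        print(f"{label:5} {level:12} {reason}")
    print(tag_external(EXTERNAL_MAIL)["Subject"])
```

Two points the example is built to show. First, publishing a DMARC record is not the same as protecting the domain: p=none or a pct below 100 leaves spoofed mail deliverable, so the question to ask is whether the policy is enforcing. Second, the external tag catches lookalike senders (examp1e.com above), but a rule keyed on the From: header can only trust messages claiming the organisation’s own domains if those domains are DMARC-enforced; a real mail gateway also uses the connection and authentication results rather than the header alone.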
With these approaches we are working towards making the UK one of the safest places to do business online.