The media loves cyber-security. Hardly a day goes by without a story of a major data breach, a denial of service or defacement of a corporate website, or of yet another cyber-fraud or extortion attack.
The figures seem spectacular: 40m payment card details stolen from a single retailer; 80m people have their personal details compromised in an attack on a life assurance firm; a major US bank is compromised; and even the US government seems to find it difficult to repel the attackers.
While there is much hype around cyber-attack, the reality is that our world is becoming ever more digital and, unsurprisingly, criminals follow the money. The global reach of the internet allows them to carry out attacks from countries that are out of reach of law enforcement. That is before you consider espionage or “hacktivism”.
Boards and audit committees need to take cyber-security seriously. The challenge is how to make sense of the topic.
Making sense of cyber-security
The reality is that while the technology of cyber-security may be complex, the underlying concepts are less so. Non-executives shouldn’t be afraid to ask straightforward questions of their IT and security teams, and should demand they receive answers in a form they can challenge and test.
These questions will be asked of your organisation either now or in the future by investors, regulators and customers. As non-executives you have the opportunity to examine the organisation’s cyber-security needs and integrate them into the way your firm manages risk.
It is too easy to see cyber-security as a technical issue, but it is really about the threat to the business and the risks arising. Invest time to understand how that threat might impact your firm’s operations. Are you confident that the business has thought through possible cyber-attack scenarios? Do they understand which information assets and business processes might be at risk? And have they taken steps to ensure the security of your most sensitive systems and data?
Getting the basics of cyber-security right matters. There are a series of steps any organisation should take. In the UK, the government calls these Cyber Essentials. They include: firewalls between the internet and your firm’s network to keep hackers out; making sure your systems are securely configured; making sure that patches from vendors are applied and that anti-virus software is kept up to date. They also include making sure that employees only have access to the systems and information they need to do their job.
You should expect to see evidence that these essentials are in place, kept up to date and tested regularly. You should also expect your major suppliers to do the same. Business-to-business network connections are increasingly being used by hackers.
These essentials will prevent a significant number of attacks—but there is no absolute cyber-security, in the same way that there is no absolute physical security. A determined and well-resourced attacker will penetrate your firm’s security defences, which makes it important to be able to detect and respond to cyber-attacks, not just to protect against those attacks.
Many firms are now investing in sophisticated security monitoring systems that look for patterns of activity, which might be malicious or, at the very least, unusual.
Those at the highest risk are drawing on cyber-intelligence provided by governments and specialist security firms to help them keep track of what hackers are targeting and the attack tools they are developing.
You should expect to see evidence that your firm is up to date with this threat, and able to provide clear management information on how the changing threat impacts the firm, as well as its vulnerability to such attacks. This is essentially keeping your risk-management strategy up to date.
Most importantly, your firm needs to be ready to respond if an attack occurs. That means ensuring your incident management processes, or business continuity plan, also considers cyber-attacks.
These attacks often force business continuity and security teams to think very differently. They can unfold extremely quickly, often requiring specialist response capabilities. In the worst cases they can attract a surprising level of media and customer attention.
Have you been involved in a cyber exercise, and are you confident that your board is ready to respond? The above provides a framework for you to challenge how your board has dealt with the cyber threat and how they would respond in the event of a breach. The role of the non-executive is to provide challenge and support—cyber-security should be no different.
George Quigley is a partner, and Susie Sharawi is a manager, in KPMG’s cyber-security practice.