Organisations of all sizes are failing to recognise cybersecurity as a serious issue and are missing vital opportunities to take a proactive approach in the face of significant online threats. The bad news is that no one is immune from cyber-attacks, and it has never been more important to appreciate the damaging effect of failing to prepare on a company’s finances, reputation and legal position.
Consider the threats that boards should be aware of. A recent Ponemon Institute study highlighted that the cyber-attacks of most concern to respondents were: advanced malware; advanced persistent threats (APTs), long-running intrusions in which an attacker quietly keeps a foothold inside a network; and DNS-based data exfiltration, the smuggling of stolen data out of a network inside DNS queries, traffic that most firewalls pass through unexamined.
If any of the above is unfamiliar, now is the time to start reading up on the terminology and the subject. While almost everyone recognises the importance of having strong cybersecurity systems, there is mixed understanding, particularly at board level, of how weak processes can affect the business.
To put this in context, in 2018 alone the average cost of cybercrime in the UK ranged from £894 for microbusinesses, up to £8,180 for SMEs and around £9,260 for large companies. However, there’s more to this than simply a price tag. PwC’s Global State of Information Security Survey 2017 offers some alarming food for thought, including:
- 18% of UK organisations don’t know how many cyber-attacks they suffered last year.
- Nearly eight in 10 companies experienced down-time due to security incidents.
- The average number of security incidents faced by UK companies increased by 23% to 5,792.
- Only 28% of UK boards are involved in setting a security strategy.
- Current employees are the top insider risk, but that risk increasingly extends to business partners and the supply chain.
Add to this the difficulties faced by other victims, such as Luas, Dublin’s light rail system, whose website was brought down by hackers who demanded one Bitcoin in ransom. Then there’s the hotel chain Marriott International, which was recently forced to report that “fewer” than 383 million customer records had been stolen in a massive cyber-attack, including the theft of 25.55 million passport numbers. This is just a drop in the ocean and gives a taste of the scale of the problems facing boards and their organisations at present. So, how should boards approach this vast landscape of challenges?
Education and preparation
Board members must have an unobstructed and detailed view of what the impact will be if customers’ data is lost or stolen, and understand who will take the lead in the face of an attack that interrupts or halts service as normal.
They should also be prepared to lead long-term strategic planning to protect organisational operations against an ever-evolving threat. Well-run businesses not only need to prioritise security at senior team meetings, they must also insist that all of their front-line employees do the same.
Cybersecurity cannot be solved by simply buying in more technology to patch problems. It is about taking a strategic approach to budget allocation that delivers genuine improvements in security and protection. The ideal organisational culture sees managers and staff taking a second-nature approach to keeping information safe and viewing security as a positive force. This requires a checklist that boards can become familiar with and adhere to as part of their regular order of business.
If the organisation falls victim to cybercrime it is vital to act quickly. First, ensure that the incident is contained while the business continues to operate, and preserve logs and affected systems so that the cause can be established afterwards rather than wiped away in the rush to recover. Then notify all relevant stakeholders, including insurers, regulators, lawyers, the police and clients; note that under the GDPR a breach of personal data must in most cases be reported to the regulator within 72 hours of the organisation becoming aware of it, so the notification plan cannot wait for the investigation to finish. Training is also important to prepare board members for “what if?” scenarios, with a clear allocation of roles and responsibilities in case of a cyber-attack.
Explore where the source of a threat may come from and ask who might have an interest in compromising confidential information and infrastructure. How would the organisation respond to its networks being compromised or customers being unable to access online services? These issues should become a standing agenda item at board meetings, if only to confirm that no changes are needed since the previous review.
The threat landscape moves quickly and, while it may be unrealistic to ask executives to follow the details of what is happening, they can encourage IT managers or the chief operating officer to join external organisations and forums where information and good practice are shared. This can also serve to feed back regular updates that are prepared specifically for the executive. If the organisation then suffers a cyber-attack, the practical response of the board will be to activate the relevant sections of the policy they have helped develop.
A chair who has a detailed and accurate picture of their organisation’s information assets has an appreciation of where the threat might come from. They have also prepared, with colleagues, a mitigation plan and so are in the best possible position to activate the necessary actions.
These include being briefed about the scale of the attack and the information that has been compromised. What size and kind of data has been impacted? Who is affected? What infrastructure has been compromised? How might this stop customers from accessing online services or the company from paying its suppliers? What has been done to avoid such attacks, and how will these be avoided in the future?
A cybersecurity checklist
To help boards prepare for all of the above, consider the following steps:
- Educate employees It’s essential that everyone, from the board through to back-office employees, is trained in your company’s security policies and updated frequently on new protocols. Ensure each individual is informed and understands the consequences of not following security policies. Executives should have a clear picture of what data the organisation holds, where it is stored and where it travels, both inside the business and to third parties. They should similarly be focused on how to protect their key information assets and the network infrastructure that carries them. Preventing unauthorised access to, and malicious manipulation of, these assets should be a top priority for boards.
- Plan for personal devices The spread of remote working on employees’ own devices means security measures need to be put in place. Ensure a layered approach: device authentication, encryption of data at rest, separation of company data from personal data on the device, and the ability to remotely wipe company data if a device is lost or stolen.
- Employ a firewall One of the first lines of defence against a cyber-attack is an external-facing firewall that blocks unsolicited inbound connections. Many companies also install internal firewalls to segment the network, so that an attacker who compromises one machine cannot freely reach the rest. Employees working from home should make sure the firewall built into their operating system is switched on and that their home router does not expose services to the internet.
- Back up data Having a backup procedure should be a crucial part of your cybersecurity culture. It is also important to check that your backups are safe, as ransomware operators deliberately seek out and encrypt or delete backups before they strike: keep at least one copy offline or otherwise unreachable from the main network, and test restores regularly, because a backup that has never been restored is not yet a backup. Remember, failing to protect essential documentation and data can threaten your business to its core.
- Employ anti-malware software Phishing attacks can install malware on an employee’s computer when a malicious link or attachment is opened. Have anti-malware software installed on all devices and the network to protect against this, and keep it, along with operating systems and browsers, patched: anti-malware software catches known threats rather than every new one, so it is a safety net, not a substitute for the other measures here.
- Document cybersecurity policies Cybersecurity policies and protocols should be documented and supported by staff training, checklists and guidance written specifically for the business. This applies not only to staff at the delivery level but to the senior team as well. Given the financial and reputational risks associated with cyber-attacks, board members should have a detailed picture to hand of the impact that, for example, a data breach would have on the organisation’s reputation. A key question that needs to be answered in advance is how the company would respond to its networks being compromised or customers being unable to access online services.
- Use safe password protocols If users think in terms of ‘passphrases’, the annoyance of having to remember a complex password is easily overcome (and forcing staff to change passwords on a fixed schedule is no longer recommended by the NCSC, since it pushes people towards predictable variations of the old one). A phrase such as ‘The Boy Stood On The Burning Deck’ is far stronger against brute force than ‘QX!":143’, even though it contains only letters and spaces: each extra character multiplies the number of combinations an attacker must try, so length matters far more than symbols. One caveat: a line that everyone knows is already in the wordlists that crackers feed their tools, so a passphrase should be several unrelated words of the user’s own rather than a quotation, and it should never be reused across accounts.
- Don’t forget mobiles It’s essential that employees turn on automatic security updates, and that the company’s password and screen-lock policy applies to any mobile device accessing the network. In addition, while it’s tempting to connect to public Wi-Fi, an attacker on the same network, or running a look-alike hotspot, can intercept or tamper with traffic that is not encrypted. Do not send sensitive information such as passwords, or carry out internet banking, over public Wi-Fi unless the connection is protected by the company VPN or, at minimum, the browser confirms an HTTPS connection to the expected site.
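The passphrase point above is easy to state and easy to get wrong, so here is an added example, not taken from the article, that puts numbers on it. It estimates the brute-force search space for the two passwords from the list (the short one is our reading of the article’s smart-quote-mangled ‘QX!":143’) and then shows why the famous line still scores badly once an attacker tries a phrase list. The `KNOWN_PHRASES` set is a constructed stand-in for the quotations section of a real cracking wordlist, and the four-word phrase at the end is a hypothetical randomly chosen passphrase used for comparison.

```python
# Added example (not from the article): compare the brute-force search space of
# a long passphrase with that of a short symbol-heavy password, and show why a
# passphrase lifted from a famous poem still falls to a wordlist attack.
import math
import string

# Character classes an attacker assumes once the policy (or a leaked sample)
# reveals which kinds of characters are in use. Space is its own class: a
# passphrase typed with spaces adds one extra symbol, not the whole punctuation set.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "space": {" "},
    "symbol": set(string.punctuation),
}


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every character used."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """log2 of the candidates an exhaustive search must cover when the attacker
    knows only the length and the character classes: length * log2(alphabet)."""
    return len(password) * math.log2(alphabet_size(password))


# Constructed stand-in for the quotations section of a cracking wordlist.
# Real lists hold millions of such phrases, song lyrics and film lines.
KNOWN_PHRASES = {
    "the boy stood on the burning deck",
    "to be or not to be",
    "once more unto the breach",
    "shall i compare thee to a summers day",
    "i wandered lonely as a cloud",
    "all that glitters is not gold",
    "the quick brown fox jumps over the lazy dog",
    "mary had a little lamb",
}


def normalise(password: str) -> str:
    """Cheap mangling a cracker applies before comparing: case-fold, drop
    punctuation and collapse spacing, so 'The Boy Stood ...' hits the stored phrase."""
    kept = [c.lower() for c in password if c.isalnum() or c == " "]
    return " ".join("".join(kept).split())


def in_phrase_list(password: str) -> bool:
    """True if a phrase-list attack would find the password without brute force."""
    return normalise(password) in KNOWN_PHRASES


def effective_bits(password: str) -> float:
    """Work factor the attacker actually faces: a listed phrase costs only
    log2(list size) guesses however long it is; otherwise exhaustive search."""
    if in_phrase_list(password):
        return math.log2(len(KNOWN_PHRASES))
    return brute_force_bits(password)


def assess(password: str) -> dict:
    """Summary a reviewer can compare across candidate passwords."""
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "brute_force_bits": round(brute_force_bits(password), 1),
        "in_phrase_list": in_phrase_list(password),
        "effective_bits": round(effective_bits(password), 1),
    }


if __name__ == "__main__":
    # The article's two examples plus a hypothetical four-word passphrase
    # (assumption: words chosen at random, not taken from any text).
    for pw in ["The Boy Stood On The Burning Deck", 'QX!":143',
               "turnip cobalt lantern fresco"]:
        print(f"{pw!r}: {assess(pw)}")
```

Against pure brute force the 33-character quotation sits near 189 bits and the 8-character password near 49 bits, which is the article’s point. Once the phrase list is tried first, though, the quotation collapses to about 3 bits (one of eight entries here; still trivial against a list of millions), while the shorter random four-word phrase keeps its full 133 bits because it appears in no list. Length wins, but only for phrases nobody has written down before.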
Remember: lack of preparedness can have disastrous consequences for share value, reputation, staffing and financial health. While online threats will continue to evolve, the good news is that, as long as you treat cybersecurity as a core part of your business strategy, your defences will evolve with them.
Professor Kamal Bechkoum is head of the school of business and technology at the University of Gloucestershire.