Hardly a day goes by without some media coverage that is focused on cyber. Whether is it sensationalist headlines announcing the most recent cyber-attack that has left some unfortunate company red faced and bereft, the outcome of yet another survey generally conducted by an entity selling cyber related goods or services, or the announcement of new regulation and legislation. A front page headline of CITY AM this week screamed "CYBER CRIME WIPES £42BN OFF SHARES". Surely there cannot be a board director left who can deny awareness that cyber-crime poses a threat to his or her business.
Having engaged in the cyber debate for more than a decade, it seems we can at last all agree that the foundation stone is now well in place with widespread, if not universal, acceptance that cyber-crime and cyber risk are real and now an ever present challenge to businesses.
We even seem to have progressed beyond the common acceptance of cyber as a risk to business. The trauma for TalkTalk in October 2015 was played out in the baleful light of the media and the shock of a cyber-attack resulted in an estimated loss to TalkTalk of £60m and 101,000 customers. Since then, the attitudes of boards have shifted with a palpable increase in focus on cyber resilience and the adoption of measures to seek greater protection from cyber-attacks. We will have to see how Wonga fares in the face of a more significant incident than Talk Talk's.
However, the pace of progress in adopting prudent measures to deliver better security and most importantly to prepare for response to an incident remains painfully slow.
The Hiscox 2017 Cyber Readiness Report confirms what we all know in terms of the increase in cyber-attack, with 52 per cent of the 3000 firms surveyed reporting at least one cyber-attack in the previous year. It noted increased spending on cyber-security with budget increases predicted in excess of 5 per cent. Yet more than half of the 3000 firms surveyed, when responding to Hiscox's maturity questionnaire, were categorised as "cyber novices" in their approach to, understanding of, and preparedness to deal with, cyber-risk. The Government Cyber Security Breaches Survey 2016 focused on the FTSE 350 companies and recorded 65 per cent suffering a breach in the preceding year but more alarmingly noted that only 29 per cent had any form of cyber policy and only 10 per cent had formal cyber incident procedures.
The conundrum then is what is causing the log jam? Businesses are clearly acknowledging being the victims of cyber-attacks and we can assume that the acknowledged number of attacks is an under-reporting of the reality. Businesses are happy to agree that cyber is a major risk – the Cyber Security Breaches Survey had 69 per cent confirming that cyber security is a high priority for senior management. Yet more than 70 per cent are not taking basic, inexpensive steps that will significantly improve resilience.
So what should businesses be doing?
1. Stop chasing the silver bullet.
Currently the business world's pavlovian reaction to cyber-risk is to look to buy a plug-in, one size fits all IT solution. Unfortunately, such solutions don't exist. Businesses should abandon the search for a technological panacea for all cyber ailments and broaden their approach to cyber-risk.
2. Make cyber risk a board issue
While boards seem aware of cyber as a risk, they still need to take responsibility for addressing that risk and for driving cyber-resilience as a board sponsored programme.
3. Balance the investment of time, energy and cost
While the Hiscox Report noted increased spending on cyber-security, expenditure on new technology is cited as by far the most common focus of that spending. This underscores the fact that business is still bought into the search for the technical silver bullet. To get more out of their investment of time, energy and money, businesses need to seek an approach where the focus on protection is better balanced with preparation for how to respond to, and mitigate, the effects of an incident. That need not come at additional cost. Equally the investment needs to be spread between technology, human assets, intelligence and effective employee awareness training with an emphasis on changing behaviours as opposed to the completion of tick-box exercises.
4. Treat Cyber-resilience as a multi-disciplinary challenge
It is all too easy and too common to see cyber-resilience characterised as, and made, the sole concern of the IT manager. Anyone who has had to deal with the aftermath of a cyber-attack will attest to the need to have a fully engaged team covering IT, PR, Law and Compliance, Insurance and HR. Policies, plans and training should all be formulated from a multi-disciplinary perspective.
5. Evaluate your assets as a target for cyber-attack
The rather tired quote from Frederick the Great is, "he who defends everything defends nothing". Its relevance to cyber risk is linked to the point above on creating a balanced defence strategy but has more importance when it comes to determining what needs to be defended. Most businesses own a mix of data assets that range from the wholly worthless to crown jewel status. Protecting the worthless is indeed worthless.
6. Draw up or review and revise your Cyber Incident Plans and Policies
When it comes to dealing with a cyber-attack, all too often the victims are learning from scratch with a proverbial gun against their heads. In the same way as business continuity and disaster recovery planning benefits from a plan, cyber resilience can be significantly improved with the adoption of Cyber Incident Plans and cyber play books.
Cyber Policies are good ways of presenting key elements of the business's approach to cyber resilience and showing the staff that the board has endorsed them.
Cyber incidents predominantly start with an element of human error: a phishing scam that an employee falls for may be the source of penetration of your system for a SQL injection; the visiting of insecure sites that unwittingly draws down malware into your system; or the leaving of post it notes on computer screens with passwords noted down for safekeeping. The majority of cyber-attacks are not the brain children of arch fiends or the cyber divisions of the Red Army or PLA. The majority of attacks are conducted by relatively unsophisticated players with relatively unsophisticated technology. The Government Survey, referred to above, expressed the opinion that about 80 per cent of the breaches that their survey identified could have been avoided by the adoption of the "basics of cyber hygiene". The basics start with training the workforce.
In the same way as the chance of evacuating a cruise ship efficiently is prejudiced if you don’t conduct lifeboat drills, the value of plans and policies is materially diminished if they are not practised. . Practice through a simulated attack is also the most efficient way to identify vulnerabilities in your cyber resilience whether through a deficiency in the technical protection assets or a failure in plans and/or the response of human assets.
The advent of cyber specific and cyber relevant regulation
In 2018, despite the Brexit vote, the UK will enact legislation to adopt the Network & Information Security Directive (NIS) and the General Data Protection Regulation (GDPR) will also come into force.
NIS will impose a compliance obligation for essential operators– to be defined by parliament but in general those who provide services essential for the maintenance of social and economic order (banks, credit institutions and financial market infrastructures, healthcare providers, power companies, transportation businesses, water businesses and digital service providers) – to take appropriate and proportionate technical and organisational risk management measures, including measures to prevent and minimise the impact of incidents that affect the security of their networks and information systems. It should be noted that, while the NIS-driven cyber law focuses on essential operators, it is wholly predictable that suppliers to essential operators will be contractually drawn into needing to comply with the law as well.
Transgression will bring sanctions and, while those remain to be set by parliament, the requirement of NIS is that they should be "effective, proportionate and dissuasive".
Very slightly in the footsteps of NIS is the GDPR with its headline grabbing threat of fines up to 4 per cent of annual aggregated global turnover. The GDPR is very much more than a tinkering with existing data protection regulation and it demands close attention and focused structural change programmes to be implemented for most businesses to achieve compliance. GDPR will come into effect in May 2018. It will be a significant challenge for businesses to assess the change requirements and implement them in time.
Addressing GDPR without taking NIS into account and vice versa is a costly mistake and is to be avoided at all costs. While NIS focuses on networks and information systems and the GDPR focuses on data, the strong likelihood is that a cyber-attack will bring both elements into play.
Simon Shooter, Partner Bird & Bird LLP
Image Credit: Maksim Kabakou / Shutterstock