Cybersecurity: resilience in a changed world
'It's when, not if'
Last week FTI Consulting and RPC offered a free webinar with a group of industry experts to discuss how corporate leaders can achieve cybersecurity resilience.
As we adopt new ways of working, socialising, shopping and learning, the role technology plays in our lives is increasing rapidly. Which means the ‘attack surface’ – the range of opportunities open to cyber attackers – is also growing.
For most organisations, it’s not a case of if you’ll be targeted, but when: a view unanimously expressed by the panel on RPC and FTI Consulting’s webinar, Cybersecurity: resilience in a changed world, on Thursday 17 September. The webinar was supported by CLL, which brought this top-level issue to our audience.
The event was chaired by Joan Purvis, Head of Rights at BBC World Service Group and Chair of the Law Society's Tech Committee, who was joined by experts in the cybersecurity field: Richard Breavington, Partner at RPC and head of its Cyber & Tech Insurance team; Joshua Burch and Paul Reilly, Senior Managing Director and Managing Director respectively at FTI Consulting; and Rebecca Lucas, Research Analyst at the UK defence and security think tank RUSI (Royal United Services Institute).
Key cybersecurity threats
Asked which cyberthreats corporate leaders should be most concerned about, the panel pointed to ransomware as the major, and still evolving, threat today. However, organisations should also be alert to a range of other threats: disaffected or anxious employees, a resurgence of denial of service (DoS) attacks, and vulnerabilities in their supply chains.
SMEs that feel they’re not significant enough to be targeted should think again. Increasingly, attackers see smaller businesses as an easy, unsuspecting entry point into the supply chain of a bigger and more lucrative target.
Communicating with stakeholders
While cyber attacks are, by definition, technological, it’s important to understand the human behaviours and motivations behind them. This helps you spot a potential attack and identify the more common human errors that open the door to one. Getting people across your organisation to develop their ‘smell test’ – an instinct for when something looks wrong – is vital. Rebecca shared an example of an organisation that circulated a spoof phishing email to test its employees. Those who fell for it were subjected to two hours of intense, and reportedly tedious, cybersecurity awareness training. Few fell for the trick a second time. The message here is that everyone in an organisation has a role in keeping would-be attackers at bay. At the same time, organisations must be crystal clear about who owns cybersecurity and empower that person to lead.
It’s also important to identify and document precisely what your business’s IT ‘crown jewels’ are: the systems and data whose loss or exposure would hurt most. Without this focus, resources committed to cybersecurity could be misplaced on assets that matter less.
In terms of external communications, rapid and decisive action is essential. Among businesses that fall victim to cyber attacks, share values drop by an average of 7.3%. That figure halves for businesses that communicate clearly and apologise early. Drops in revenue follow a similar trend.
Directors’ and officers’ responsibilities
In tough economic times, businesses tend to become more litigious as they seek recompense for adverse events. This can put the decisions, actions and omissions of directors and officers under scrutiny. Senior individuals can in some circumstances be held responsible for mismanagement, including of cyber-related issues. Similarly, the FCA (Financial Conduct Authority) has increased its capacity to ask detailed questions about a firm’s vulnerability to cyber attacks – and to understand the answers.
Another key consideration for directors and officers is their legal requirement under the GDPR (Article 33) to report a notifiable breach of personal data security to the ICO (Information Commissioner’s Office) ‘… without undue delay, but not later than 72 hours after becoming aware of it…’. The clock runs from the moment the organisation becomes aware of the breach, not from when the incident is fully investigated, so the ability to detect and escalate quickly is itself a compliance requirement.
Joan concluded the hour-long webinar with a selection of questions from attendees. In answering them, the panel reiterated the importance of developing a security culture throughout your entire organisation, communicating it well, and being aware that attackers are not all hooded teenagers in bedrooms. They range from nation states and organised crime groups to hacktivists and disaffected employees.