The consequences of a cyber attack for any organisation can be significant. In addition to potentially lost revenue and productivity while the breach is dealt with, there can also be substantial financial penalties incurred from failing to meet regulatory standards, and further costs in compensating affected customers or clients whose data may have been compromised.
In an increasingly digitised society, against the backdrop of the coronavirus pandemic and subsequent homeworking boom, cyber security has shot up many businesses’ agendas. As more and more companies move their products and services online, they have to be mindful of the new and evolving threat landscapes they are entering.
While in an ideal world companies would simply avoid being hacked, there can be no guarantees in cyberspace. A company might do everything right in terms of investing in the right technologies and regular self-audits, but still fall foul of a sophisticated hack. In fact, it is wise to assume that it will.
This isn’t to say that companies should be defeatist. But it is healthy to apply Murphy’s Law: if something can go wrong, it will go wrong. In doing so, companies prepare themselves for the worst. Firms should still do their utmost to reduce the risk of a hack, of course, but in the event that one does happen, they need to be prepared.
The fallout of failing to be prepared has effects that stretch far beyond financial costs. The impact of bad publicity is hard to quantify, and a poorly handled breach can have a long-term effect on how a company is perceived by customers or potential investors for many years after the event has happened.
At a recent online round-table event, hosted by the New Statesman and sponsored by technology company BlackBerry, industry experts gathered to discuss cyber security strategy going forward. A holistic approach, the attendees agreed, was needed – one that blended technical provision, staff training, media handling, and recovery planning.
Cyber security is no longer the preserve of the IT department alone, noted Deborah Petterson, deputy director for private sector critical national infrastructure at the National Cyber Security Centre (NCSC). Rather, she said, it had become a “team sport” that required the involvement and engagement of all levels of a business. Rob Elsey, the chief information officer and executive director for technology at the Bank of England, concurred that only through a “collaborative mindset” that brought together stakeholders “both inside and outside” an organisation could companies hope to deal with a cyber breach effectively.
Timing, Elsey explained, is a key component of cyber security. Planning pays dividends and avoids having to think up positions on the fly. “It’s that rehearsal piece,” he said. “We have lots of genuine cyber attacks against our organisation on a weekly, monthly basis. It’s not a kind of ‘break glass, fire alarm [situation]’. We actually get to practice. And I think it’s really important to use [strategies] in addition to tabletop [planning], in addition to war-gaming, to really understand what you would do when you find yourself in that situation. What would be your press coverage? What are the values of your organisation? How transparent are you going to have to be? How quickly are you going to come out? Make sure all of those things have been pre-agreed up front because it means when you do have a major issue you’re not worrying about what position, what stance you should take, and you almost work through it.”
In the event of a breach, companies should resist the urge to go “off-piste”, warned Matt Hawley, head of cyber security at Nationwide Building Society. He said that having a set routine or “playbook” to follow would help firms to navigate uncertain times. “Test, test, test,” he said. “If you’ve tested your position already, you’ve got to remain calm and confident that what you’ve done previously will get you through what you don’t know at the moment.”
Roger Sels, BlackBerry’s vice president for solutions, EMEA, spoke about the need for organisations to carry out “continuous” testing on their IT systems. “I think that approach of saying not only let’s assume a breach [could happen], but really going and proactively hunting for it is useful.” Regular assessments, Sels explained, make it easier to spot discrepancies.
He also noted the importance of supply chain security and the need for all technologies and networks to be “secure by design”. Indeed, there have been several high-profile examples of companies suffering cyber breaches due to hostile actors gaining access to their networks via third parties. Last year, the US technology firm SolarWinds fell victim to one such attack, with hackers embedding malicious code in its software. The software, Orion, is widely used across many different sectors, including by 425 of the Fortune 500 and both the US and UK governments. The attack, widely attributed to nation state hackers, was delivered through a routine software update, which customers unknowingly installed, giving attackers direct access to their networks and data.
To guard against “back doors” being exploited, Sels said that companies must carry out extensive checks on their supply chains, requiring all third parties to meet certain security standards, which are revised on a regular basis. “What’s interesting there for me is that everything is interconnected, and [yet] we have less and less visibility of the security of these third parties, and let alone of their [own] supply chains,” he said. “So I think before moving critical data to any of these parties, it is quite important to run a compromise assessment to move beyond [just] paper-based testing.”
If a company does suffer a cyber breach, said Richard Horne, PwC’s cyber security chair and risk and quality partner, then its response should be shaped by some perspective. Rather than focusing on their own bottom line, he suggested, organisations should offer “empathy” in their communications strategy. “One of the challenges, when they’ve been breached, particularly when personal data has been taken,” he said, “is that the organisation that’s been breached acts like the victim. But, actually, many of their stakeholders will see them as culpable.”
Horne said that companies had to “step out of their own emotions” in order to get customers back on side and willing to return in the future. But while it is important to empathise with customers and clients who may have lost data, it is also important to be realistic in managing their expectations of recovery. Hawley noted that companies can’t afford to “over-promise and under-deliver”.
The round-table attendees agreed that a culture of blame or shame was an unhelpful strategy in dealing with a cyber incident. Responsibility is collective, but any successful cyber security plan does also rely on effective delegation. “That’s why you have a PR person, and that’s why you have a lawyer on the team,” said Terry Willis, the head of technology at the Church of England. “Between them, they can come up with enough information that’s not going to come back and trip you up later with an authority, but that [specialist knowledge] also gives you enough confidence that you’re actually in control of the situation.”
Ultimately, technologists need to be supported with the right budgets and technologies to do their jobs to the best of their ability, explained Elsey. Specialists are worth the investment to get bespoke, expert responses when complex breaches do happen. And demystification through communication, both internally and externally, is crucial to reducing panic and providing reassurance. “Clearly you need to maintain the investment [in cyber security],” said Elsey. “You need to manage that fear with complacency. You can’t be too panicked but you must always be alert. You want to acknowledge that [cyber security] is an incredibly fast-changing landscape.”