Cyber attacks targeted at the UK are once again in the news. The director of the government’s communications intelligence agency, GCHQ, Iain Lobban, reported in The Times (31 October 2011) this week that the country has been subject to a “disturbing” number of cyber threats. However, Mr Lobban observes in his report that the challenges faced by cyber security are “not for the government alone”.
Since the government announced this time last year that it had allocated £650 million to cyber security and resilience as part of its Strategic Defence and Security Review, it has started to endorse a collaborative approach between the public and private sectors to cyber security. Although the government is keen to demonstrate that the issue is a top priority, it has acknowledged that it can’t manage the challenges posed by cyber threats single-handed – not least because the majority of providers of Critical National Infrastructure (CNI), such as energy, water, finance, transport and telecommunications, are in the private sector. The foreign secretary William Hague will host a two-day conference on cyber security in London this week, to advance the dialogue with the business community in that respect.
As a consequence, the government has highlighted to the private sector what it has to lose (and in fact has already lost) in playing down the importance of cyber security. Last week, Major General Jonathan Shaw, head of the Ministry of Defence’s cyber security programme, told the Daily Telegraph (24 October 2011) that hacking by foreign governments and organisations had already cost the UK economy £27 billion and that “the biggest threat to this country by cyber is not military, it is economic”. Mr Lobban reinforced this view in his report, stating that the theft of British ideas and designs in the IT, technology, defence, engineering and energy sectors “doesn’t just cost the companies concerned; it represents an attack on the UK’s continuing economic wellbeing”. In other words, there seems to be an overwhelming opportunity for continued public-private partnerships in this sector, as well as reciprocal arrangements between the defence and non-defence sectors to counter this threat.
So what can businesses do to safeguard their economic interests? Chatham House, a leading independent think tank on international affairs, has made a number of recommendations for businesses in its report entitled Cyber Security and the UK’s Critical National Infrastructure which it published last month. While the report is primarily aimed at corporations active in CNI sectors, it is also essential reading material for any board member. In particular, examples of good, improving and poor cyber security practice are explored in pages 23 to 26 of the report.
Below, we highlight and comment upon some of the key recommendations from the report and some practical suggestions for board members to enhance an organisation’s resilience to cyber threats.
- Vulnerabilities: Senior management need to acquire (if they haven’t done so already) a good understanding of the vulnerabilities and dependencies of their business, and the implications for budgets and reputation management that they may entail. First, examine the dependencies of your business and consider, in particular, those that may be ‘hidden’ in the other businesses on which it depends (as well as any ongoing chains of supply). Identify both existing and emerging risks.
- Risk Assessment and Response: Once you have a better understanding of your business’s and its suppliers’ vulnerabilities, look at the processes and mechanisms that are already in place to assess the risks posed by cyber attacks and to respond to such attacks if and when they occur, and consider how they work in practice. If there is a disparity between policy and practice, one or the other must change. If appropriate, consider engaging a penetration (PEN) or vulnerability testing consultant to stress-test and evaluate your IT security measures. Such a consultant can also propose a number of options to repair any gaps or improve security in line with your requirements. Assess the adequacy of the response measures and contingency plans you have in place to cope when any element of the chain of dependency fails.
- Investment: Cyber security is often under-funded despite the economic damage that a breach may entail. In order to work well, the planning and implementation of cyber security measures must be underpinned by appropriate resource allocation, in terms of both human resources and financial investment. In the current economic climate, this remains one of the key challenges. However, carefully allocated resources can result in significant improvements to security which can materially reduce the business impact and remedial costs should an incident occur.
- Know-how: The training and development of all staff who may encounter cyber threats must be viewed as an integral part of your organisation’s risk management strategies. Is everyone aware of the risk assessment mechanisms and security procedures? Your organisation will need to decide how far to adopt best practice depending upon the viability and sensitivity of your systems and the information contained within them. Mechanisms that allow for the reporting, and onward dissemination, of know-how gained from experience (in particular “lessons learned” from cyber security incidents) are also essential.
- Board-level Buy-in: Cyber security can no longer be delegated to the IT team to deal with on its own. According to the Chatham House report, “the potential for damage, both economic and reputational, from complacency over matters of cyber dependency and vulnerability is too high to be ignored” and deserves the regular attention of senior management. Ensure it regularly appears on your agenda.
- Communication: The Chatham House report suggests that the issues connected with communicating technical ideas to non-technical people are intimately linked to the issue of board-level buy-in, since in its research it often found that “an organisation’s cyber security policy is not delegated (in a constructive managerial way) but is deliberately pushed below the boardroom level in order to remove a complex and baffling problem from sight”. Chatham House wants to see more chief information security officers from non-technical backgrounds appointed, and advises that “IT security departments [need] to develop a deeper understanding of how value is created in the organisations they endeavour to protect” to meet the business’s needs. However, communication flows both ways, and it is equally important for the board to grasp the nettle of cyber security with both hands to develop a coherent, strategic response.
In addition to these recommendations, organisations should also consider the following:
- Insurance: Review your insurance policies to ensure you are adequately protected against risks that cannot be mitigated. If you discover any uninsured risks that need to be covered, discuss with your insurer what they can do for you. Given the diversity of risks faced by different businesses, corporations are increasingly finding that a ‘one-size-fits-all’ approach to IT-related policies, such as network security insurance and business continuity insurance, is impractical at best and, at worst, leaves them perilously exposed. Many insurers now offer a flexible, or even bespoke, range of policies to meet this emerging need.
- Reputation Management: As part of your contingency and disaster recovery planning, consider whether and in what circumstances you would need to engage an agency experienced in ICT reputation management in order to minimise any long-term damage to your business and/or its brand. If this could be necessary, investigate the available options now, and ensure a protocol is in place so that assistance is sought where appropriate. Some insurers also offer policies to cover the costs of retaining public relations assistance in the event of a crisis.