Blame them or empower them, your staff hold the key to protecting your business from cyber attacks. But what else did delegates learn from this year’s CBI Cyber Security Conference?
Technical jargon is one thing that can put off business leaders from doing the right thing when it comes to cyber security. But the CBI’s latest Cyber Security Conference offered practical advice for those wanting to protect their organisation.
The reasons to act were made clear:
- According to the most recent Cyber Security Breaches Survey, just under half of UK businesses identified a breach or attack in the last 12 months.
- Ciaran Martin, chief executive of the National Cyber Security Centre, warned that there will be more major cyber security attacks – and when the UK is one of the most digitally advanced and digitally dependent economies in the world that poses a “fundamental risk to national prosperity”.
- Panellists discussed businesses’ increasing reliance on data and technology – and automation, artificial intelligence and the Internet of Things will increase the risks and the impact of any attack.
- Former hacker Darren Martyn demonstrated just how “ridiculously fast” someone can take down a business (in less than a minute).
- And Information Commissioner Elizabeth Denham emphasised the regulatory obligation to act, with just seven months until the General Data Protection Regulation (GDPR) comes into force.
So what should businesses be doing?
With GDPR applying from May 2018, businesses have a legal responsibility not to stick their heads in the sand on cyber security.
ICO’s Denham was adamant that data privacy and cyber security are inextricably linked. Although she downplayed the financial penalties allowed under the new law, she said GDPR should act as an incentive for businesses to improve their data protection.
In her speech, she asked: "What happens if you consider investments in cyber security and data protection as an investment in your customers?”
61 per cent of businesses now hold customer data online, yet 80 per cent of consumers don’t trust businesses with their personal details, she said. Increasing that trust will help businesses in the digital economy to grow.
Denham summarised the legislation using three words that should be easy enough for businesses to understand: transparency, control and accountability. And in a guest column for Business Voice, she provided more information about the first steps they should take to prepare for it.
“Be proactive” was the main advice from Andrew Rogoyski, vice president of cyber security at CGI UK, who hosted a breakout session on how businesses are preparing for GDPR. Many of the firms in the room had already hired or trained data protection officers to help with compliance, but Rogoyski talked delegates through the initial steps companies should take and how they should prepare for the worst.
Don’t just think about data
A panel discussion about new technology reminded delegates not to just think about data. Artificial intelligence, automated machines and innovations most people are now comfortable with – such as smart meters and security cameras – can also be hacked.
Jason Gottschalk, cyber lead partner at BDO, warned that Internet of Things devices are the next frontier for cyber security, arguing that he was more worried about a terrorist getting control of a nuclear power station than his personal details getting stolen.
Those doing the innovating need to think about security at the design stage, the panel agreed. And Emma Carr, head of technology at Hanover Communications, said that although consumers shared the responsibility for managing the risks, businesses selling such technology had a duty to make consumers aware of them.
Know your enemy
Ryan Kazanciyan, chief security architect at Tanium, led a breakout session on the different habits of highly effective hackers. He highlighted how hackers get to know their targets (giving businesses a chance to stop them), find a weakness to exploit (which could be patched), and are persistent (so businesses need to be resilient).
But many businesses need to start with the basics: understanding the cyber security risks.
In his speech, NCSC’s Ciaran Martin called for a more human approach to prevent breaches.
“Cyber security is still shrouded in mystique and conversations around it are designed not to dispel fear and panic,” he said. “This might be why over a fifth (22%) of organisations’ senior managers are never given an update on cyber security issues.”
He rattled off the kind of questions that should be asked, ranging from what is at risk to who is responsible for the systems and the data. And he added: “For a company dealing with cyber security there are no stupid questions.”
He explained that it was as important for management to truly understand the issues, and translate that into easily workable policies for employees to follow, as it was to buy the security technology available.
Prepare and communicate
Dr Walter Bohmayr, senior partner and managing director at BCG, led a breakout session looking at how businesses should prepare for a cyber attack. One fact stood out: only one in 10 businesses in the UK has an incident response plan in place.
Communication of the risks among staff is important in the first instance, but so too is communicating with customers, stakeholders and the press if (and, with increasing likelihood, when) a breach occurs.
“Be honest,” urged BT’s head of technical strategy Paul Critchard. “Otherwise the tech community will tear you apart.”
Trust your people – or don’t
The biggest split of the day was over whether speakers believed your staff are the weakest link or your strongest defence when it comes to cyber security.
Former hacker Darren Martyn did not mince his words when he said: don’t trust your users. And Jeremy O’Connor, head of key accounts at Leonardo Security, couldn’t have made it clearer when he said: “users evolve new ways of being stupid every day”.
But, leading a breakout session on the subject, Nick Wilding, general manager at Axelos Resilia, argued that focusing on the human factor was the key to protecting your business.
And speaking as part of a panel discussion on how much firms should spend on cyber security, Karen Weatherburn, HR director at Northern Powergrid, argued that rehearsing breach scenarios “made it real” for employees, and had the greatest impact on managing risk while keeping costs down.
Whichever way you view the human factor in cyber security, no one denied the role of staff in keeping any business secure.
If you're interested in understanding more about cyber security – the risks and the steps you can take to minimise them – join the CBI at the Midlands Cyber Security Conference, to be held in Derby on 5 October.