One of the biggest risks to a firm’s reputation, finances and operation is a failure to keep it cyber secure – which is why more than 150 business leaders were urged to up their game and not become a victim, during a CBI event in London.
With one in four of all companies experiencing a cyber breach in the past 12 months, cyber attacks have become big business for the crooks that carry them out.
And while the government says it will do all it can to turn the UK into the world’s most secure online economy, digital policy minister Matt Hancock warned delegates at the CBI’s Cyber Security Conference: “We can only achieve that in partnership with you.”
He made the appeal as he revealed there is currently a shortage of cyber security experts – 1.5 million are needed globally, while thousands are needed in the UK alone.
He said cyber security is not just an issue for a company’s IT department – it should be treated as a major business risk for owners, for chief executives and for board members. And making sure a firm’s greatest asset – its people – are cyber aware was a running theme throughout the day.
Here’s some of the expert advice shared with business leaders during the conference:
Brendan Saunders, NCC Group’s principal security consultant, said bosses and staff can get more than they bargained for if they hook up to free wifi on the move. Any public network that doesn’t require a password is unencrypted, which means anyone else tapped into it can see what’s being sent. One solution, Saunders suggested, is to use 3G if sensitive information is being sent out, because it’s more secure than public wifi. And for that extra level of security, employees should use their firm’s VPN – Virtual Private Network – which automatically encrypts messages through its corporate systems. Saunders also advised people to avoid exchanging information across websites that are not HTTPS secure.
Andrew Rogoyski, vice president of cyber security at CGI UK, insisted that a firm’s response to a cyber attack, and knowing what it would do, is as important as attempting to prevent it from happening. Hacking has become such a racket, he said, that “the bad guys have set up call centres” to help businesses pay a ransom to unlock their files. He urged the audience to think about who they would call if they suffered a cyber breach – such as a cyber forensic expert, or media crisis management – to help them recover the situation and continue the fortunes of their business.
Dineshi Ramesh, Board Intelligence’s advisory partner, argued that in addition to keeping data safe, staff need to look after IT equipment – particularly when they are out of the office or down the pub. She said staff need to know “there are consequences” if they do not support company policy on cyber security. She also urged company directors who are not cyber savvy to ensure they invite people onto the board who are.
City of London Police commissioner Ian Dyson said some cyber hackers exploit very simple systems to break into businesses online. This could be via a seemingly innocent email, allegedly from the CEO to the finance department, saying: “Please transfer money into this account.” Many firms do not have the systems to check if it’s the right person making the request, he said.
Martin Lee, Cisco Talos’ threat intelligence technical lead, urged firms not to try to sort out their own cyber security – but to use the services of a professional. Few bosses would devise legal contracts or draw up their own accounts, he said, adding: “I think exactly the same applies to cyber security.”
And finally, Steve Rumble, BDO’s technology risk partner, said most organisations who have been through a cyber crisis failed to properly understand the threats they faced. “They knew the crown jewels were at risk, but they didn’t know how to manage and protect them because there were too many versions,” he said. He urged firms to keep ahead of emerging threats: “Once you know where you’re vulnerable, you can make the key business decisions.”