The questions to ask on the road to cyber security

19 September 2018

Business leaders need to understand the basics of cyber security. The CBI’s Cyber Security Conference looked at how you can get the information you need

“If you don’t understand the cyber risks in your business, how can you manage it,” asked Ciaran Martin, Chief Executive of the National Cyber Security Centre – a keynote speaker at this year’s CBI Cyber Security Business Insight Conference. The time has come to “banish fear”, he said. Cyber security is a business risk like any other, and boardrooms and business leaders need to get to grips with the basics.

So where do you start?

To get the ball rolling – and trailing further guidance from the NCSC due out in the coming months – Martin highlighted five key questions for business leaders to ask their technical teams:

  • How do we defend our organisation against phishing attacks?
  • How does our organisation control the use of privileged IT accounts?
  • How do we ensure that our software and devices are up to date?
  • How do we make sure our partners and suppliers protect the information shared with them?
  • What authentication methods are used to control access to systems and data?

And stressing the importance of understanding the answers that you’re given, he added: “Nodding to avoid feeling foolish can sometimes be the most foolish thing to do.”

Taking up the baton of offering practical guidance designed to reduce fear and improve resilience, other speakers suggested their own questions that business leaders should be asking of themselves, just as much as others:

Is your business using customers’ data in the way that they think you are?

“Cyber security has a direct impact on consumer trust,” said CBI’s Chief UK Policy Director Matthew Fell, referring to research conducted by the organisation and highlighting the business case for acting on this issue. “Consumers see data security as a key characteristic when thinking about where to spend their pay cheque.”

Are you taking your GDPR responsibilities seriously?

The new General Data Protection Regulation has provided many business leaders with their first real taste of the cyber security agenda – and some will have been driven to act by the fines threatened for non-compliance.

“If you adopt privacy by design, treat cyber security as a boardroom issue, and demonstrate a robust culture with appropriate transparency, control and accountability for your and your customers’ data, then we will not usually have an issue with you should the worst happen,” said James Dipple-Johnstone, Deputy Commissioner at regulator the Information Commissioner’s Office (ICO).

He added that where fines had been imposed, it was because the organisation’s own controls and culture contributed to the incident. And he cited common excuses, including ‘We didn’t know we had data there’, ‘We didn’t get around to checking that’ or ‘I had some training when I started, but it’s all changed, hasn’t it?’.

If you’re thinking of taking a sabbatical after preparing for GDPR, Barclays’ Director for Data Privacy Natalie Stockmann warned the audience to think again. Speaking as part of a panel discussion also featuring representatives of Clifford Chance, Adeptis Group, Nuix and Amethyst Risk, she highlighted that the global regulatory landscape around privacy and the implementation of GDPR continues to evolve.

But emphasising that this is about more than compliance, Steve Howe, Managing Director at Amethyst Risk Management, talked about GDPR as an opportunity not a threat. And the panel agreed – keeping on top of the changes and finding the right talent to manage them will help companies to thrive.

Do you know what you’re trying to protect?

As Robin Oldham, Head of Security Advisory & Technical Services, BAE Systems Applied Intelligence, said, businesses cannot be confident in the effectiveness of their cyber practices if they don’t know the answer to this question.

And it applies both to data (as Nuix’s Stuart Clarke discusses here) and to physical and digital infrastructure. A breakout session with BT focused on how it is getting to grips with the access points that hackers could use across its own network – when the business spans 170 countries, various acquisitions, partners and ever-growing connectivity.

An important implication of all of this is that it’s becoming increasingly important to collaborate against cyber threats. You need to work with those in your supply chain to reduce the shared risks you face.

As part of a panel session, Andrew Try, Managing Director of switchboard service provider ComXo, said: “The single biggest asset companies need to protect is brand value”. You can read more on what he has to say about business continuity and the importance of communication here.

After all, fellow panel member James Dalton, Director of General Insurance Policy at the Association of British Insurers, suggested firms are at greater risk of claims by disgruntled customers than they are from ICO fines.

Are you using a language everyone can understand?

The culture and behaviour within your organisation have a massive bearing on your cyber security. It’s why education remains key, said Nick Wilding, General Manager, Cyber Resilience, AXELOS Global Best Practice.

His company is currently conducting research in partnership with UCL to investigate why cyber security is such a tough sell, but in the meantime he used a breakout session to highlight that storytelling can be an effective way to bring the issues to life and help people to understand what’s at stake.

He also draws parallels between cyber resilience and football in this article for Business Voice.

Speaking in a breakout session hosted by BAE Systems, TalkTalk’s Technology Director Phil Clayson suggested firms use the language of risk that board members already understand. Since its data breach three years ago, the telecoms company has put together a ‘trading risk’ model which tracks different indicators and uses a dashboard to visualise them to help the business make decisions around technology. As well as securing senior buy-in, this has helped educate non-technical audiences within the business too.

Will your cyber security plans stand up to a crisis?

Do you know what to do if the worst happens? Do you know what the worst-case scenario is? Do you fire-drill your plans? Do you learn from the latest incidents? Do you feed back to staff and offer further training if you’ve acted on a breach – however small?

As threats shift and your needs change, your security strategy needs to change too. This piece by BT’s Steve Benton explains how BT adapts and evolves to reduce the risk of a cyber attack.

But the overwhelming advice all the experts at the conference had in common was for business leaders to be proactive and take responsibility. Dismissing cyber security as something that’s too complex to understand is not an excuse that will wash with consumers, when – not if – an attack takes place.
