14 September 2016 | CBI Updates Team

How would your firm deal with a cyber-attack? And have you prepared your company?

We simulated a cyber-attack at #CBICyber. Here’s what happened:

Business leaders were given a chance to demonstrate their cyber security credentials during a simulated breach – by voting via the web or their mobile phones at the CBI’s Cyber Security conference.

Andrew Rogoyski, CGI UK’s vice president of cyber security, showed the audience in London how an encrypted email pretending to be from a real journalist on a national newspaper could bring down a fictitious UK high street retailer starting an online banking service.

In his example, Mr Rogoyski asked what the business people would do if they received a seemingly legitimate message from a reporter asking to run an in-depth feature on the new concept.

Most participants voted that while this would be a bit of a surprise, they couldn’t ignore it – but Mr Rogoyski pointed out that while the email contained a real switchboard number, the email address was suspect and the attachment contained malware.

In his scenario, Mr Rogoyski showed how within a couple of weeks, cyber attackers could get hold of the names, addresses and dates of employment of more than 2,000 employees.

And through a series of votes, he encouraged the audience to consider how they would deal with the attack – and whether the company should engage legal counsel and forensics experts, isolate the cyber infection, prepare a statement, or even pay a ransom to unlock the files.

Mr Rogoyski said hacking had become such a racket that “the bad guys have set up call centres to help you pay the money – there’s a business going on there.”

The audience estimated such an incident would cost over £20 million, which Mr Rogoyski said could include the cost of incident management, legal costs, reputational damage, direct losses and much more.

Summing up, Mr Rogoyski, whose firm CGI UK has more than 35 years’ experience managing secure services, said firms needed to ensure they had someone at the top of their organisation overseeing cyber security.

“Treat cyber as a real business risk,” he said, adding that it is as important as a supplier going out of business or a customer cancelling a contract.

Firms needed to understand what new regulations are on their way - and to get some specialist advice so they know how to respond to an attack and handle the media, he said.

He argued that cyber security needed constant improvement, and encouraged firms to look at the security of their suppliers and the impact an attack would have on them.

“I think the answer is to prepare so you make your organisation more robust,” he said. “Just make sure you’re better than your competitors so the bad guys leave you alone.”