Technology is no longer the sole responsibility of the IT department. It hasn’t been for some time.
Such is the democratisation of technology; everyone within a business now has a part to play in the management, protection and running of its IT, the board included – particularly when it comes to cyber awareness.
Over the last two years (if not longer), we have all seen and heard of the growing number of businesses hit by cyber attacks as criminals capitalised on their weaknesses. In parallel, the sophistication of many of these attacks, both internationally and in Scotland, has increased.
From SolarWinds to SEPA, the far-reaching impact of such incidents means that boards can no longer afford to be uninformed when it comes to cyber security.
The head of the National Cyber Security Centre (NCSC) recently stressed that ransomware poses “the most immediate danger” to UK businesses. More worryingly, research from the Scottish Business Resilience Centre (SBRC) found that 38% of Scottish businesses do not feel prepared for a cyber attack.
Education and action are needed immediately.
There are many resources available to boards to level up their knowledge on the types of cyber attacks out there, but that alone isn’t enough. Board members must be able to translate this into how to support their organisations.
Classed as a governance issue, cyber resilience must be addressed from the top of an organisation, with policies and processes defined and agreed between senior management and the board. Having the right information to ask the right questions therefore helps to limit the opportunity for such an incident to occur, and to limit its impact if it does.
The issues the board needs to be most concerned with lie in four areas: awareness, measures, planning and action.
Awareness of an incident
Insight into when a cyber incident has taken place isn’t always immediate; there is often a lag between an attacker gaining access to systems and the organisation realising it has happened.
Before any attack occurs, the board must have decided when and how it wishes to be told about an incident: are all members informed, or is there a predesignated individual who runs point from a board perspective?
At this stage, the NCSC outlines several questions the board may want to ask:
- Who examines the logs and are they sufficiently trained to identify anomalous activity?
- What mechanisms are there in place for staff to report any suspicious activity?
- Are the thresholds for alerts set to the right level (that is, are they low enough to give suitable warning of potential incidents, but also high enough so that the team dealing with them is not overloaded with irrelevant information)?
- How confident are you that you know all the IT assets that your organisation has, and what the state of those assets is? Many attacks come in via equipment that organisations are unaware of.
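The third question above is the one boards find hardest to picture, so here is a concrete illustration of the threshold trade-off. It is an added example, not code from the article or from the NCSC: a small failed-login burst detector run over a handful of constructed sshd-style log lines (two staff who mistype a password, and one external address working through a password list). The same detector is then run at three candidate thresholds so the difference between early warning and analyst overload is visible on one screen. Addresses, usernames and timestamps are invented.

```python
"""Failed-login burst detection over constructed log lines.

Added illustration of the alert-threshold trade-off in the NCSC board
questions; not code from the article, the NCSC or any product.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style lines. Not taken from any real system.
SAMPLE_LOG = """\
2024-03-04T09:00:01 sshd[201]: Failed password for alice from 10.0.5.12
2024-03-04T09:00:07 sshd[201]: Failed password for alice from 10.0.5.12
2024-03-04T09:00:15 sshd[201]: Accepted password for alice from 10.0.5.12
2024-03-04T09:01:00 sshd[202]: Failed password for invalid user admin from 198.51.100.7
2024-03-04T09:01:05 sshd[203]: Failed password for invalid user root from 198.51.100.7
2024-03-04T09:01:10 sshd[204]: Failed password for invalid user test from 198.51.100.7
2024-03-04T09:01:15 sshd[205]: Failed password for invalid user admin from 198.51.100.7
2024-03-04T09:01:20 sshd[206]: Failed password for invalid user oracle from 198.51.100.7
2024-03-04T09:01:25 sshd[207]: Failed password for invalid user guest from 198.51.100.7
2024-03-04T09:01:30 sshd[208]: Failed password for invalid user ubuntu from 198.51.100.7
2024-03-04T09:01:35 sshd[209]: Failed password for invalid user pi from 198.51.100.7
2024-03-04T09:05:00 sshd[210]: Failed password for bob from 10.0.5.40
2024-03-04T09:05:20 sshd[210]: Failed password for bob from 10.0.5.40
2024-03-04T09:05:41 sshd[210]: Failed password for bob from 10.0.5.40
2024-03-04T09:06:02 sshd[210]: Accepted password for bob from 10.0.5.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Return (timestamp, user, source, succeeded) tuples. Lines that do not
    match the expected format are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"])
            events.append((ts, m["user"], m["src"], m["result"] == "Accepted"))
    return events


def peak_failures(events, window_seconds=60):
    """For each source address, the largest number of failed logins that
    fall inside any window of window_seconds (sliding window)."""
    by_src = defaultdict(list)
    for ts, _user, src, ok in events:
        if not ok:
            by_src[src].append(ts)
    peaks = {}
    for src, stamps in by_src.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans <= window_seconds.
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peaks[src] = best
    return peaks


def alerts_at(events, threshold, window_seconds=60):
    """Source addresses that would raise an alert at the given threshold."""
    peaks = peak_failures(events, window_seconds)
    return sorted(src for src, n in peaks.items() if n >= threshold)


def threshold_sweep(events, thresholds=(2, 5, 20)):
    """What each candidate threshold fires on: too low floods the team with
    staff typos, too high lets the password-spraying address through."""
    return {t: alerts_at(events, t) for t in thresholds}


if __name__ == "__main__":
    for t, fired in threshold_sweep(parse_log(SAMPLE_LOG)).items():
        print(f"threshold {t:>2}: {fired or 'no alerts'}")
```

At a threshold of 2 the detector fires on all three addresses, two of which are staff who simply mistyped; at 20 it fires on nothing and the external address goes unnoticed; at 5 only the address trying many different usernames is raised. The right number depends on the organisation's own traffic, which is exactly why the question is worth asking of the people who tune the rules.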
Measuring an incident’s impact
The next phase is to address the ‘how’; how has the business been impacted and how did the attack happen in the first place?
In a ransomware attack it may be obvious what data has been taken (the attackers will often say what they are holding to ransom), but establishing how they gained entry is vital, not only to resolve the current incident quickly but also to close the gap so it cannot be used again.
Again, guidance from the NCSC details questions the board must consider:
- How does the organisation authenticate and grant access to users or systems? Are these measures hard to bypass, and is access only afforded if necessary?
- How would the organisation identify an attacker’s presence on the network (e.g., is monitoring in place)?
- How is the network separated, so that if an attacker gets access to one device, they will not have access to the full range of the technical estate?
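The last of these questions is easier to answer with a check than with a diagram. The following is an added example, not code from the article or the NCSC: it models a firewall policy as the set of zone-to-zone flows that are permitted, then asks which zones an attacker holding one device could pivot to. Zone names and the three policies are invented. The point it makes is that separation has to be judged on transitive paths: a policy that blocks workstations from the backup vault directly can still let a compromised workstation reach it via the application servers.

```python
"""Blast-radius check for a network segmentation policy.

Added illustration for the NCSC board question on network separation; not
code from the article or the NCSC. Zones and rules are hypothetical.
"""
from collections import deque

# Each policy is the set of (source zone, destination zone) flows the
# firewalls permit. All three are constructed for this example.
FLAT_ESTATE = {
    ("workstations", "servers"), ("workstations", "backups"), ("workstations", "ot"),
    ("servers", "workstations"), ("servers", "backups"), ("servers", "ot"),
    ("backups", "servers"), ("ot", "servers"),
}
SEGMENTED_ESTATE = {
    ("workstations", "servers"),   # users reach applications
    ("servers", "backups"),        # servers push backups to the vault
    ("jump", "servers"),           # admin access via a hardened jump host
    ("jump", "ot"),                # operational technology only via the jump host
}
HARDENED_ESTATE = {
    ("workstations", "servers"),
    ("backups", "servers"),        # vault pulls from servers; nothing may reach it
    ("jump", "servers"),
    ("jump", "ot"),
}


def path_to(policy, start, target):
    """Shortest chain of permitted flows from start to target, or None.
    Breadth-first search over sorted rules so results are deterministic."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parents[zone]
            return path[::-1]
        for src, dst in sorted(policy):
            if src == zone and dst not in parents:
                parents[dst] = zone
                queue.append(dst)
    return None


def reachable_from(policy, start):
    """Every zone an attacker holding one device in `start` can reach by
    following permitted flows transitively (the blast radius)."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in sorted(policy):
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


def check_policy(policy, entry_zones, crown_jewels):
    """List (entry zone, crown jewel, path) for every crown-jewel zone that a
    likely initial foothold can reach. An empty list means the separation
    holds for those assumptions."""
    findings = []
    for entry in entry_zones:
        for jewel in crown_jewels:
            path = path_to(policy, entry, jewel)
            if path is not None and jewel != entry:
                findings.append((entry, jewel, path))
    return findings


if __name__ == "__main__":
    jewels = ["backups", "ot"]
    for name, policy in [("flat", FLAT_ESTATE), ("segmented", SEGMENTED_ESTATE),
                         ("hardened", HARDENED_ESTATE)]:
        print(name, "reachable from a workstation:",
              sorted(reachable_from(policy, "workstations")))
        print(name, "findings:", check_policy(policy, ["workstations"], jewels))
```

In the flat estate a single phished workstation reaches everything. The segmented estate looks better, but the check still reports a path workstations -> servers -> backups, because the backup flow runs in the wrong direction. Reversing it so the vault pulls from the servers (the hardened policy) removes that path without changing anything else, which is the kind of finding a board should expect the technical team to be able to produce on request.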
Having a robust plan
These first two phases give an organisation the insight it needs to activate a crisis response plan that works not only to rectify the impact of the incident but also to minimise reputational damage. This is a document that should be in place before an incident occurs, but guidance is available for organisations that do not yet have one.
Unfortunately, it is no longer a question of if a cyber incident will affect a business but when, which makes it even more critical for the board to understand its role when in the eye of the storm.
Being completely clear on the policies, and on the roles of key individuals, when such a situation arises is important, as is supporting the senior team as needed. Throughout the incident, the board must continue to operate as a trusted and stable network, providing support and counsel.
At a time that will feel like it is running at double speed, this group must provide the focus to allow the senior team to continue with day-to-day management while also getting the business back up and operational as quickly as possible.
Once the incident has passed, it is crucial that all key parties come together to review the plan to identify what worked and what needs to be amended for future incidents.
Acting (or reacting) to impact
Given the regularity of attacks on organisations of all shapes, sizes and sectors, cyber protection must be embedded across all areas of the business. However, this must be agreed and communicated from the top.
A review of the processes individuals follow to access data, of backup arrangements, of the impact of hybrid working, and of the role every employee has in protecting internal data has never been so important.
Creating a culture change regarding cyber processes is a must – particularly if the above has highlighted segments of the organisation where this attention and knowledge may be limited. If so, knowing where further support can be gained is vital.
From the NCSC to SBRC, as well as many sector-based organisations, there are a lot of resources available to up-skill not just the board, but all who they work with.
Put simply, inaction is not an option.
Jude McCorry is chair of CyberScotland Partnership