This article was originally published in the Institute of Risk Management magazine. It gives an interesting perspective on Cyber Risk: Nightmare or opportunity?
We have all heard the horror stories around cyber events. Sony PlayStation, NASA, TK Maxx and Google – to name just a few – have all been stung.
And yet UK government research on FTSE 350 firms shows that four-fifths are failing to consider cyber threats regularly, with a significant number not receiving any intelligence around cyber criminality.
Further research from IRM’s risk in cyber and information management special interest group has found that many firms and individuals are reluctant to tackle – or even discuss – cyber risk.
A crossroads has been reached. Cyber risk can either continue to be seen as a negative – as another potential set of costs, complicated procedures and incoming legislative demands – or firms can use good cyber risk management as a differentiator from their competitors, as a selling point to clients, and as a measure of reassurance to stakeholders.
To understand where organisations and individuals sit on this journey, IRM and BAE Systems Applied Intelligence (formerly known as BAE Systems Detica) ran a trilogy of high-level cyber risk roundtables at landmark London venues.
With input from heads of risk, chief information officers, IRM representatives and experts from BAE Systems, the discussions covered organisational exposures, boardroom engagement, the impact of cyber-attacks and how to develop effective risk and resilience strategies.
Held under the Chatham House rule (participants are free to use – but not attribute the source of – information), discussions quickly became candid about the cyber challenge and the dawning reality of the road ahead.
As the delegates started to discuss experiences, it became evident that cyber events have either impacted most delegates or represent one of their major risks.
The head of risk, information and business continuity management for a global financial and insurance services provider admitted that a recent cyber breach had forced them to start looking into how they shared information.
‘We know how vulnerable we are,’ the head of risk for a global hotel company added. ‘We know how often we get attacked. And because of that, we are working tirelessly with IT security to try and protect our systems.’
The head of operational risk management at a leading UK retailer revealed that their organisation is ‘increasingly facing exposure to cyber risk’, adding: ‘It’s becoming crucial to understand the threat and to start viewing the world from a cyber perspective.’
‘We are a target,’ they added, ‘and we know that. But what we don’t always know is who is targeting us and for what reason. It makes you wonder if we are seen as a standout target to be taken down a peg or two.’
Ignorance is remiss
Whether as a result of inexperience or incomprehension, one delegate said: ‘At the moment the risk management profession needs to be mature about cyber risk – it is still in its nappies.’
Quoting Ian Livingston, outgoing CEO of BT and new minister for trade and investment in UK government, another delegate commented: ‘There are two types of CEO – those that know they are being hacked and those that don’t.’
The head of risk management for a major infrastructure project added: ‘We haven’t realised the value of the data we hold. Five years ago, our information and intellectual property was very tightly controlled, but gradually we have loosened that to the point where you can bring your own device and use cloud storage software such as Dropbox. You could see it as a loss of control. Our threat is not realising the value of our data.’
Another delegate, a global CRO for a multi-national law firm, warned that IT departments are often failing to heed their own advice. ‘It is a case of physician, heal thyself,’ she said. ‘There is a sense that IT departments are immune to what they ask of others. The controls that apply to others have to apply to them.’
According to the group risk architecture director for a charity, one of the problems is that ‘most people who work within IT are incapable of translating technical language into business language’, and insisted that ‘risk committees should be jargon-free zones.’
‘Organisations have sleep-walked into this,’ the delegate added. ‘There is still, even now, a distinct segregation between enterprise risk management and what IT does. And a lot of executives, up until recently, didn’t want to know much about what was going on with IT.
‘The problem now is that so many assets are stored digitally. IT is now quite often the most powerful department in many organisations, but it is also the most vulnerable. They can bring down everything.’
‘A lot of organisations don’t realise just what the risk is,’ added a specialist from BAE Systems. ‘They might think that this is about being shut down, or hacked, but what about the attack you haven’t realised yet? Or how about when someone has stolen your IP? If you’re not aware of it, then this is an even bigger problem.’
It can be ignorance at play or wilful blindness. The head of information security and technology risk for a major UK bank told delegates: ‘We have proven our inability to manage our IT. Our problem is that banks are run by traders who don’t give a toss about information security. They only care about IT when something isn’t working, and then they chuck it out of the window with vigour. Another problem is that this is an issue with incredible diversity and multiple attack points, but often boards can only understand one thing at a time.’
This, said the law firm CRO, means that risk professionals need to step up to the plate: ‘This is an area where we need to improve our understanding, raise our knowledge and have intellectually relevant conversations with the board. You need to be able to ask the right question, even if you don’t yet know the answer. We need to raise our game.’
BAE Systems Applied Intelligence delivers information intelligence to government and commercial customers. It helps them collect, exploit and manage data so they can deliver critical business services more effectively and economically. They are regarded as one of the leading providers of integrated cyber security solutions designed to protect their clients’ most valuable information and market reputation, enabling them to be more agile and successful in their chosen markets.
‘So what kinds of questions should boards be posing?’ asked IRM’s head of thought leadership Carolyn Williams.
‘Well’, remarked one practitioner, ‘boards should be asking simple questions – if only to make sure the IT director and risk professionals know this is an issue that needs to be addressed. And they must also ensure that everybody remains interested in the challenge.’
One delegate revealed that a senior executive had once even asked: ‘How can I take this [cyber] off the risk agenda?’
The problem, claimed the head of risk for a major government body, is that cyber crime has an image problem: ‘Cyber is far more than a breach of a firewall. It could be the use of personal iPads, social media misuse – any number of things. You mention cyber and people fixate on historical issues. But cyber covers a whole plethora of issues.’
To demystify the challenge, every organisation ‘should have a debate with the board about when a cyber event will happen and the steps they would then take,’ suggested the head of risk for a global property damage firm.
With delegates agreeing that cyber should be an area of interest for the board, two-thirds of risk professionals at the first roundtable admitted they had experienced a recent incident.
But who have hackers traditionally been targeting? According to a senior representative from BAE Systems, financial services organisations ‘have been the obvious place to go’ in the past, but attacks are now broader and no sector or industry can consider themselves immune. ‘Organised crime groups are going after everyone – and they can make your bank account disappear,’ the expert warned.
‘Criminals can launch an attack from anywhere in the world. It’s an advanced, persistent threat, and the UK is the second most targeted place in the world, after the US,’ they added.
Another delegate conﬁded: ‘It’s very embarrassing to admit it, being who we are, but we have suffered serious cyber-attacks and have also had our telephone systems commandeered.’
David Garfield, BAE Systems managing director for cyber security, discussed the work of its threat intelligence group, which covertly monitors various global attack groups. They recently saw an attack carried out on a major international financial institution that, Mr Garfield said, cost between $40m-$100m in damages – ‘depending on who you talk to.’
Another example is the work of the Syrian Electronic Army, which has targeted a range of high-profile media groups, including the BBC and Associated Press (AP). One attack – the spreading of misinformation from the AP Twitter account – led to a Dow Jones tailspin from which it struggled to recover fully.
A BAE Systems spokesman said: ‘We chose the Institute of Risk Management because cyber security is increasingly being viewed as a subject of business risk management. With IRM’s broader approach to risk and its direct link to business results, we knew this collaboration would help readjust the way that cyber risk is viewed. We particularly like the work that IRM’s cyber and information management SIG is doing around the opportunities. As well as being a technical subject, it can also be seen as a doom and gloom subject, so hopefully this partnership can redress the balance and bring a different perspective.’
Banks have also been targeted with sophisticated attacks. ‘What was really clever about these attempts,’ David Garfield observed, ‘is that as well as cleaning out your bank account, these criminals will set up a fake phone number for your bank’ so that customers who report anything suspicious are delayed from taking action or tricked into revealing personal information.
Other examples included extortion attempts against Irish gambling sites, criminals gaining access to sensitive documents through hidden executable files in emails, and distributed denial-of-service (DDoS) attacks.
And DDoS attacks – while traditionally thought of as a fairly rudimentary weapon – can now be very sophisticated. Some hackers use DDoS attacks as a diversionary measure, while launching another type of attack at the same organisation, delegates heard.
The head of risk, information and business continuity for a global financial and insurance services provider revealed that his firm receives more than 30,000 malware attacks per day, with DDoS hits often used as ‘a smokescreen’. One attack, the delegate admitted, was designed ‘as a way in’ and would have exposed the organisation to a variety of other potential attacks had it not been detected.
‘That’s the scary bit,’ they said, referring to undetected attacks. ‘How many pieces of malware are lying dormant in our systems?’
An expert on security and risk in banking added: ‘We now have multi-week events, rather than few days or hours. The typical cyber-attack for us is a six-week affair. We have to swap staff in and out to make sure they stay alert and vigilant. The rules have changed.’
But to truly understand and combat cyber risk it is essential to understand people’s actions and behaviours, said one delegate, posing the question: ‘Is embedding awareness about control, education, or trust?’
In the words of a global head of group operations for a bank: ‘Control wouldn’t work. Our staff are highly-educated people and they wouldn’t tolerate control. Imagine if you were to take a roomful of bank traders for training; think of the cost in terms of time and money. I have known dull-as-dishwater compliance training sessions that are so boring that people ask their assistants to attend.’
One delegate lamented the way in which employees constantly find a way to subvert any preventative measures that are installed. ‘You say employees can’t use USB sticks so they start emailing confidential documents to their personal email. Whatever processes you put in the way, employees will find a way round it.’
Another delegate revealed that staff had used a piece of widely-used web software without realising that it stored sensitive information publicly online. ‘We found stuff from our competitors and ourselves on this site,’ they admitted.
But Stuart Birrell, CIO at McLaren and a guest speaker at the final roundtable, says that part of the problem is the way that employees are dealt with. ‘We have treated parts of the business like five-year-olds,’ he said, ‘but they are more like teenagers now. They are smart and tech savvy but they are also naïve. They will make mistakes. But how do we react to those mistakes? We shouldn’t ground them; we should be helping them out.’
‘Our board,’ sighed one head of risk, ‘is absolutely not engaged with the cyber risk issue. We need a lot of help as the more I hear about the threat the more I fear, and the more I feel I need to raise this at board level.’
Similarly, the head of operational risk management at a leading UK retailer said that ‘culture and attitude’ were vital components to get right. They said: ‘We need to stop IT people saying “no” to new ideas and instead get them to say: “Great idea, now here is how to do it so that it is safe from a cyber security perspective.”’
Becoming cyber prepared
BAE Systems Applied Intelligence has developed a five-point checklist to help organisations start their cyber preparations:
- Be clear who is responsible: define who has board responsibility, who will explain cyber to the board and what information will be used to make decisions
- Understand your cyber risk: understand what information really matters, what types of risk you care about and how exposed you are
- Make an active decision on risk: set your risk appetite, communicate it to all functions and ensure your resources are effectively deployed
- Plan for resilience: how will you know when you are being attacked? What will you do when you are? Have you taken reasonable preparations, for example as outlined in the BIS/CPNI guide 10 Steps to Cyber Security?
- Achieve your strategic priorities: ensure your risk mitigation enables growth; that risk controls do not block progress; and that you remain agile enough to exploit opportunities.
A BAE Systems expert suggested setting up working groups to ask questions about the impact that an attack would have. ‘That way’, the expert added, ‘you will be seen as a helper rather than the person saying “no” or scaring people.’
However, the cyber risk advisory head said it is important to test organisations on something that is not familiar to them. ‘If the scenario is on “home turf” then they won’t pay attention,’ he told the high-level delegation.
According to one delegate, a determined burglar ‘will always gain access to your house’. Another picked up the analogy and ran with it. ‘You have to accept that the burglar is there,’ they said. ‘That is the mind-set we have to have now. There will be an event but how prepared are you?’
‘We need to plan for resilience’ said a BAE Systems representative, adding: ‘You can’t plan for an ideal world. We need to plan for a real world where mistakes happen. A world where information goes missing, customers complain and the press come knocking.’
But away from the front pages of the morning news, the ‘nightmare scenario’ for one law firm CRO is finding out about a cyber incident via social media. ‘It wouldn’t look great, would it?’ they said, ‘and yet that is the danger.’
Fighting the war
With organisations realising the scale of the challenge, delegates were asked if it is down to regulators and the government to intervene and provide support.
A UK government representative on cyber security told delegates that a new cyber security standard will be ready by March 2014. ‘This will be a low-level standard around basic cyber hygiene,’ they said, adding: ‘Government often talks about nation states and high level stuff, but this will be about getting the base level of cyber hygiene right.’
This standard will be internationally recognised, will promote international trade, will allow systems to exchange and use information, and will be auditable.
However, on the subject of regulators a head of risk said: ‘If you look at guidance that has been put out, then it is clear that certain regulators are completely behind the times. The problem is that regulators aren’t in harm’s way, whereas we are all in the trenches fighting the war.’
And the results of an attack can be debilitating. One delegate revealed: ‘A virus outbreak shut us for two days. Everyone had to go home while the system was wiped. It was a bit of a problem to say the least. We have also been targeted for our IP by a nation state. Luckily, we were working with Detica [BAE Systems] and were able to identify, listen to and then react to the threat.’
Delegates were asked to summarise their main ‘take away’ from the discussions. IRM’s head of thought leadership, Carolyn Williams, commented: ‘These conversations have truly covered cyber risk from the engine room to the boardroom. Clearly this is something that affects us all as risk professionals, and is a fantastic follow on from IRM’s thought leadership activity on risk culture, risk appetite, and our forthcoming work on risk across the extended enterprise.’
Other delegates added:
- ‘It’s important to remember that cyber security affects every class of business. You may think that you are not affected by this, but you will be.’
- ‘Education is key for me. You need to find an angle that people can buy into. This is an issue that can affect people’s lives, and that alone should be a good enough hook for most people.’
- ‘You need to have a four-to-five minute presentation on cyber risk that you can take to the board. We really need to master how we communicate the threat. And you need to make your message sector-specific. My company doesn’t care what happens to banks, or to anyone in other sectors. They only care what happens to similar companies.’
- ‘I agree with that. A US company with a similar structure to us had an incident and that was a real wake-up call. We need to educate the masses across our organisations. Forget the IT geeks – this is an issue for everyone.’
- ‘To illustrate the seriousness of the cyber threat, people who haven’t suffered a loss need to be told what the loss will be to their business.’
- ‘It’s about prevention, not reaction. We have to find a story that resonates with both the young and the old, and from the top to the bottom.’
- ‘We need to repackage the current message and turn it into a four-minute pitch. And it needs to make sense even to a child.’
- ‘The internal cultural challenges and the need for organisational transition stood out for me.’
- ‘It’s not just about IT and cyber, it’s wider than that. It’s cultural. And I agree that you need to keep it simple.’
- ‘The interesting thing is the impact that cyber could have on critical national infrastructure. We could be looking at Hornby [train sets] on a grand scale if criminals were to infiltrate our transport networks.’
McLaren’s Birrell said: ‘A good analogy is with physical security. If someone was to attack us hundreds of years ago, then we would rely on walls and castles. But the discovery of dynamite rendered walls pointless. We have reached the same stage with computer firewalls. They are still necessary but insufficient in our evolved world.’
And it is your reputation that lies on the line while the battle is being fought – as another delegate added: ‘Our reputation is key. It’s of paramount importance to us. If we lose our reputation then we’re history.’
But they admitted that the only way to defend your reputation is to decide which parts of your business are the most crucial to protect, rather than attempting to protect everything at the same time.
A head of risk added: ‘A critical element of cyber security used to be given the same priority as an element with nowhere near the same importance. We now focus on the crown jewels, rather than every part of the organisation.’
To which another delegate recalled the following military saying: ‘He who defends everything defends nothing.’
Seizing the day
But regardless of whether an organisation has experienced an attack or not, James Hatch, director of cyber services at BAE Systems, claimed that cyber risk is bringing fear, uncertainty and doubt to boardrooms across the globe.
He called for risk professionals and organisations to resist doom and gloom around what can often be viewed as an inevitable attack, instead urging them to focus on what can be done proactively to manage the problem.
‘This is all about the active management of business risks. Many organisations are stuck in a reactive mode, but fear prevents action. We need to examine the opportunities that come out of this,’ he encouraged.
Better risk management, monetary savings and the demonstration of trustworthiness to stakeholders were listed as opportunities that present themselves when firms start to tackle the threat. Furthermore, organisations that address the issue will find themselves more agile and confident, while others will realise opportunities to move into new markets, BAE Systems claimed.
‘This is not a case of a possible incident,’ the expert added. ‘Attacks are happening all of the time. Even as we speak, dedicated organised criminal networks will be choosing their next target or launching their attack.
‘But rather than discussing protection, we need to talk about risk management, resilience, and how organisations can survive and seize opportunities in the modern world.’
It is time, Stuart Birrell declared, for organisations to take the same approach as a world-class sporting referee: ‘If you watch rugby, there are infringements throughout the game, but the referee doesn’t stop the game for every single situation. Why? Because of the upside of playing on, because of the advantage that can be gained. The benefit to the fouled team outweighs any penalty.
‘When those five lights go out [on an F1 starting grid] on a Sunday afternoon, if you aren’t there, then the race is going to go ahead. And someone else will win. You have to be there.’
A law firm CRO concurred, adding: ‘The cyber risk challenge presents us with an opportunity to start culture change from the top, from board level, and make sure that IT security is realised in business terms.’
A security and risk expert for a major UK bank said that companies have already missed one opportunity to improve their security processes. He told delegates: ‘We have the technology for people to log into devices using their fingerprints. But companies did not rise to the opportunity. We could have got into this technology, dropped a lot of passwords, and made our lives easier and more secure. We missed the boat.’
In the words of the head of risk management for an insurance firm: ‘A serious incident at least has the benefit of making people sit up and pay attention’. They said: ‘We now hear about things that would not have been discussed before. That’s a great thing. But now we have to take the chance to ensure that our message gets to the top table. If you subject yourself to scrutiny, and can demonstrate the cyber security steps you have taken to your customers, then you have a very effective sell.’
Another delegate said: ‘I think we need to put a client in front of the board. If anything is going to persuade them to take this seriously, it’s the threat of customers taking their business to someone who does. With the new government guidance, people are standing up and saying: “If you don’t use this, then we won’t use you.” That is very powerful. We’re going to follow this guidance and hope that our competitors don’t.’