ICSA Cyber Security Webinar


Julie: First of all, I’d like to introduce Charlie and ask him to speak, but I’d also like to thank Diligent for hosting this session today. Charlie, I will hand over to you for your presentation. Thank you.


Charlie: Thank you Julie. I’m Charlie Horrell and I’m managing director, she says, of Diligent in Europe, the Middle East and Africa. Just one slide about Diligent, then we’ll get into the meat of the subject. We are a business that was founded in 2001, we are headquartered in New York. We have three and a half thousand companies using our solution right now to host and manage their board papers. Crucially we have five data centers in Germany, the US and Canada, which is where the data is stored and where the question of security and managing that becomes so important to us. Security to me is a bit like the dentist. It’s not something you necessarily want to think about, but if you get it wrong and you don’t go, you get into trouble.

Five years without going to the dentist and your teeth will know all about it. In many ways I think the same should be thought of with security. On a personal level, we consider it day by day, how do I lock my front door, how do I cross the road, what do I need to take care of to make sure the kids get to and from school? It’s just part of how we consider our lives. It’s a balance. To me that’s the most important aspect of security. You are trying to assess and manage a risk so that it’s acceptable to you as an individual, because obviously we still need to cross the road, we still need to lock the door, but you’ve got to do it in a sensible way.


In the corporate world, in the companies that I work for, that you work for, we all work for, it used to be the domain of a technical person. That person is normally called the chief information officer or the chief technology officer and it was their job to sit in a dark cave and think complex things around how to keep the security of our businesses intact. In my opinion, those days are gone and each of us, every responsible member of a team, should consider the security of their business, of what they are involved with. Again, in the same way they do with their own personal security. Is the front door of the office accessible to anyone or do we need proper badges? As a small aside, I was able to get into the ICSA building here this morning without a badge. I was able to get through the door.

I only got as far as the reception and then I got put into a headlock and was laid down on the floor. Seriously, I was able to get in. Those things happen but companies need to assess it. One question to ask is, do we think the board of directors of our companies actually understand the security risks of the organization? This slide, and in fact several of our slides, have been created from research published by the Ponemon Institute in the US. We put out pieces of information and analytics on the subject of security. What you’ve got here on the left is the response of the board of directors and on the right that of the IT team of the companies.

If you look at it on the left hand side, 32% of the board strongly agree that they understand the risk of security, 38% agree and 30%, self-assessing, think they do not understand the security. If you now turn to the experts, fully 57% of the experts believe that the board of directors of their company does not understand the risk posed by security.

Before we go any further, in my opinion, we should break down security and breaches into two different aspects. The first is deliberate malware, where someone is trying to infiltrate your organization to steal information for their own gain. The second part is accidental, it’s a mistake. It’s where we as humans have done something that has resulted in a breach. We should consider it in these two different ways. Does it matter, does security actually really matter? I’m afraid the answer to that is a resounding, wholehearted yes. Honestly, on a personal level, I find this slide really frightening. 90% of large companies had a data breach last year.

That is an increase from 81%. 81% is already awful, but fully 90% of large British companies had a data breach in the last twelve months. If you look at smaller companies, the number is 74%. It was 60% last year. In fact, they are rising proportionally even faster. In one piece of research that I saw, the CEOs of large companies were asked a question about attempts to breach their security. 47% said that they were recording hourly attempts to breach security. Think of that, each and every hour of each and every day, someone is trying to access your information.

We are all aware of some of the more high profile versions of these breaches. Sony with their infamous emails about talent actors being incapable, following them from the North Korean movie. I’ll tell you what’s interesting about that: if you Google “Sony email hack”, you’ll find 4.5 million responses to that single question. Target is a large US retail business where they, in a helpless way, lost the credit card details of all their customers. It resulted in the CEO being sacked. Again, Google will throw up three million responses to the question of Target and hacking.

Here in the UK, Carphone Warehouse got caught with exactly the same thing fairly recently, where a hacker was able to steal the credit card details, probably of several people who are sitting on this call right now, as many of us are going to be customers of a business like that. Yes, in my opinion it really does matter.

A question is then asked of two hundred and forty five board members, why is cyber security not on the board agenda, why are they not considering it? The majority response was, it’s best handled by the management. There was a second response saying, concerns around director liability, as in, if I asked the question, I need to make sure I know the answer. If I don’t ask the question, perhaps I can pretend I’m mute. Lack of expertise, lack of resources, not considered a priority or figured.


In my opinion, the primary reason why cyber security is not on the board agenda is that it is simply not in their comfort zone. They don’t know how to do it, they don’t know what the question should be, they don’t understand the responses when they come back. It’s one of those things, don’t ask don’t tell and hopefully it will go away. In my opinion that is naïve. This is you, me and all of us: we are the biggest single threat to any organization. We are the people who cause the majority of problems. I’m as culpable as anyone else.

Fully 90% of security incidents are created by human beings, not some technology that’s trying to infiltrate us. This is back to my point earlier about the two types, the malicious and the inadvertent. Specifically, here I’m talking about the non-malicious, the stuff where our fingers have gotten in the way and caused problems for our own organizations. I’d like to talk to you about four myths that all of us, again, myself included, would, in the past, have considered to be true.

The first myth is that my work email is secure. It’s an easy and quick way to share information and it’s secure. This is a myth. First of all, you lose complete control of an email as soon as you send it. Once you’ve pressed send, it’s gone and you have no ability to either pull it back or to delete it or more importantly to stop someone sending it on to a third party. That fat finger reply all has clearly hit each and every one of us on this call and will continue to do so. Myth number one, email is not that secure.


Myth number two, I can put a password on a PDF and that will make it secure. I can send out a PDF via email with a password that I send through a separate method, surely that’s secure. I’m afraid the answer to that again is no. If you do a quick search on unlocking Adobe PDF documents you’d come up with this number of results. There are more than two million web links on how to unlock an Adobe PDF that has been password protected. Honestly, that’s a remarkable number. That’s a frightening number of people who are out there, able to help you and me steal PDF information.

Myth number three, if I send you an electronic copy, with or without password protection, it’s always going to be an electronic copy. That’s just not the case, people still love paper. If you send me a large PDF, a two hundred page PDF, it’s hard to read on a screen, it scrolls up and down, it’s not attractive. People will go control-print and out will come paper. To think that we all live in a digital world is naïve. The slides that I’m using right now, I’ve printed them out. It’s easier for me to use them in a paper way but in terms of maintaining security it reduces it.

Myth number four is that I need to store my data, my company data, personally in my organization for it to be secure. Think of it again in the personal way. I need to have everything relating to my photographs, to my videos and all the things that are important to me, in my own home for it to be secure. Transparently, that is a myth. Homes burn, homes get burgled and, probably more easily, the actual technology on which you store your photos and your videos will get old, it will get out of date, it will just not work. You’ll suddenly find in ten years’ time that those precious photographs of the kids growing up are simply not accessible anymore and you’ve lost them forever.

This is the same in the corporate world. It is simply safer as I think most experts would tell you, to store data in controlled, encrypted, backed up facilities that are specifically designed for this function. This is how Diligent provides its solution. The documents start with the administrator of an organization. They are encrypted with what’s called 256-bit encryption. I’ve been told by our security experts that it would take billions of years, which is an unimaginable amount of time to hack successfully, 256-bit encryption. They are then encrypted at the data center until they are needed.


The data center has impenetrable physical security, complete with a guy who wears a hat and glasses like it shows on this slide, with cameras at every location, two factor physical security. You need multiple things to be able to access the facility, and monitoring as well. When a board member then opens it, the encrypted document is brought in, the way that it shows here, onto the device, where again it is held in a technically secure way, where the permissions are provided by the administrator. You have to have the correct device with the usual username and passwords.

Moving on, how does the government view this? What’s the British government’s view of cyber security? They’ve created guidelines for how companies should consider their security. Apparently two thirds of the FTSE 350 organizations currently use these guidelines and follow them. My guess is that several people on this call are aware of them and practice the guidelines that the government has published. One thing that is often overlooked is the function of the board in this environment. The CIO or the CTO of an organization does not consider that it’s part of their remit, or their role, to monitor the board. That’s out of the food chain of life, it’s not comfortable for them, they are not given access to the information because much of it would be about them and their peers and the organization.

It’s not appropriate, it’s a hands off environment, which leads to a vacuum. Vacuum, possibility of breach, it’s obvious. There is also another risk which I think boards should strongly consider. If it’s slack at the top, what sort of a message does that send to the rest of the organization? I’ll tell you a story that happened to me. I used to work for a French company, I won’t say its name. It’s a large French media company. We worked in the west of Paris in a beautiful art deco building that had been a factory in the ‘30s. It had been a big old factory turning out lots and lots of things, televisions actually. Then it was turned into a corporate head office and it had five floors and it was a circular donut shape.

On each lift wall, each door, there was an access through a key card. You had to swipe in and out to walk around the building and to go up and down the floors. The only place, and I really mean this, the only place where you didn’t need your key card to swipe in and out was the director floor. You could access the director floor by coming out of the lift, pushing the door and walking straight in. On the left you had the CEO, on the right you had the CFO and so it went down the chain of management. When I asked why, I got the response, “Because the management can’t be bothered to carry around a pass.” You think, my goodness, do they really want to steal the secrets of someone like me handling a small part of the organization, or would they rather go to the CEO who has all the corporate juicy stories sitting on his desk?

Security is something that for me has to start at the top. The security of an organization starts with the CEO and drifts down hard through the whole place. The next few slides are things for you as an audience to consider when trying to assess the security of your own organization. Do you have confidential data that could be left behind in a taxi, the proverbial taxi? Is it encrypted in transit and at rest? These are questions that I don’t necessarily think you and I would have the answers to, but I think they are questions that you should be able to pose to people who should scratch their heads and come back with a solid answer. Who has access to your board reports, is it just the board members or other people, is there inadvertent error in the distribution? This is even more important when directors sit on multiple boards.

With a digital version you have the ability to assign rights before you send them out. You can say this paper is destined for these three people and that paper for the next four. The technology helps you avoid, again, the fat finger error in distribution. What about control, who controls the keys? What happens if a password is stolen? You have to have the ability to get those passwords reset immediately so that even if the device is stolen, no one is able to access it because the key that controls the encryption has been destroyed. This is the last slide and this is how Diligent thinks it can help organizations. We provide a facility that does encrypt data, both in transit and on devices. We have controlled access to that data. We can pre-assign the rights.

We have regular, repeated third party audits and penetration testing of our facilities. We employ, never met them but this is my view of them, sporty sixteen-year-olds who live in dark places and eat pizza and try and hack into our solutions. Thankfully they’ve not been able to. You need redundancy and backup, it’s again just like your own photographs and videos at home. The technology will break at some point in time. You need to have that redundant facility so that if it does break, there is always the failover on an immediate basis. Lastly, for regulatory reasons, you would probably prefer that any facility does not track a director’s electronic footprint.

It could be very embarrassing to the organization and to the director if it became abundantly clear that that very important paper about the acquisition of this large organization had not had the due care that it should have had and had been read in the lift going up to the meeting. Tracking a footprint would mean that that information is accessible, if you don’t track you can’t work it out. Those are all the things that I wish to say on the subject of security, happy to take questions later. Thank you very much indeed.


Julie: Thank you Charlie, that was really interesting and somewhat worrying, I think. I’d like to now ask Conor to speak; he is going to take things from a different aspect altogether. I’d like to hear your presentation, Conor, so I’ll cross it over to you, thank you.

Conor: Thank you. My name is Conor McGoveran. I’m the chief information officer for information risk management at PLC. Our company was founded in 1998, and we provide services to governments through various accredited schemes and also to private companies, predominantly FTSE 350 enterprises. What I want to talk about in this part of the presentation is how to establish a risk management framework for cyber risk, what it would look like, how it is different from more traditional risk management frameworks and how it might be presented to a board.

Before I get into that, what I’d like to do is just make the point that the internet has brought disruptive change to a significant number of sectors. When we look back to 1998, all the way through to 2015, we can see that there has been the birth of some very large companies who’ve leveraged the internet. Also, those have become deeply embedded in both our professional and our personal lives. Alongside that, what we’ve seen is a growth in the impact that cyber security issues can have on our lives and in our corporate businesses.

If we look at the average lifespan on the Standard & Poor’s index, the S&P 500 index, what we see is that this disruptive change is quite well illustrated in this graph, and that the average lifespan of companies in that index has dropped dramatically. What this means is that new companies are being born even in established sectors and have rapid growth. I think the point to each board is that, if your company hasn’t already embraced internet technologies, it quite possibly will have to do so in the future. By virtue of that, you are going to have to deal with the cyber security challenge.

My view is that when we come to risk it’s all about upside and downside and balancing the two. In terms of embracing internet technologies, we get a number of upside risks. The first is we have a lower barrier to entry to new markets because of the nature of the internet, the reach is not geographically limited. We also can produce a lower cost delivery model and we’ve seen this in many, many sectors. We can also get to know our customers much better because the internet allows us to track each touchpoint with a customer. Customer satisfaction and customer profiling become much easier.


It also helps to facilitate rapid product and service development. With the internet you can get product to market quickly. You can actually, through the enhanced customer profiling, get feedback from your customers. Lastly, it really helps to boost employee productivity. Those are all of the upsides to embracing the internet. Downside, we’ve got absence of attribution and issues with jurisdictions. It used to be that if a criminal element wanted to target us as a company, quite often they were in the same jurisdiction or in the same region where we were based. With the internet you can be attacked from the other side of the world. Many of the places that we see attacks originating from don’t have the same rule of law that we have here in the UK.

As we embrace the internet we are also more vulnerable to intentional disruption to our operations. Also there is an increased criminal value of your information assets. What we’ve seen, and we’ll touch on it later in the slides, is a serious rise in the involvement of serious and organized crime in the area of cyber security. It’s also easier for your competitors to steal, as Charlie touched upon. If you are not safeguarding your board papers and the information contained within, and your competitors can get access to that, that’s incredibly valuable information for them. We also have to deal with the insider threats. That thing of emailing the board papers to private email accounts and then those becoming compromised.

I’m just going to very quickly go through the basics of a generic risk framework and then I’m going to move on to showing how the cyber risk framework is slightly different from this. I’m reaching into an international standard, ISO 31000, which is a risk management framework, but also you’ve got 27005 which contextualizes this into the area of information security. The definition of risk is the effect of uncertainty on objectives. When we talk about risk, we need to know which objectives these risks are attaching themselves to. Likelihood, the chance of something happening. Consequences or impact, which could be interchangeable, that’s the outcome of an event affecting objectives, and control, a measure that is modifying risk. How much control do we have over our risks?

Lastly, residual risk. This is the risk that’s left after we’ve actually treated the risk. I’m going to use these terms throughout the presentation. This is a graphic from that standard and really what it shows is that risk management is an iterative process. It’s not something that you just do once and then leave on the shelf, it’s something that requires constant iteration to refine based on information that may come to light over time. When we talk about the impact of risks to our business, what I’m presenting here is a sliding scale of one to five. If we say a risk would have an impact of five, we would say that that is a pretty catastrophic risk. That’s something that the board definitely would be interested in. All the way down to more localized risks, which may not appear at the board but which may need to be treated at lower levels of management.

The other aspect is likelihood. How likely is this risk to crystallize, to materialize? Again we’ve got this on a sliding scale of one to five. If we say something is a five, we expect it to happen in the immediate future, all the way down to a one, which is something that would happen infrequently or very infrequently. Lastly then, how much control do we have over that risk? Again it’s on a sliding scale of one to five, where five means we believe that we’ve covered or mitigated the risk, all the way down to one where we’ve got no control over the risk. Just very lastly, in terms of a very quick review of a risk management framework, this gives us two lookup tables where we can plot impact versus likelihood to generate the inherent risk.

Then we are plotting inherent risk against the control to give us residual risk. It’s the residual risk values that we’d be most interested in. Clearly if we’ve got a risk that’s been identified with a residual risk of five, that’s something that absolutely must be presented to the board. What I’ve shaded in red are all risks that should be presented at a board. These are risks that carry a residual risk value of four or five, simply because these risks have the capacity to do great harm to the organization; therefore, from a governance point of view it’s something that the board needs to be aware of.

Now we can move on to touch on what’s different about cyber risk and why it is actually a difficult subject to grapple with. In my view, cyber risk assessments are all about intelligence. In some sense it has the characteristics of a military confrontation. You have information and assets that other people want and they are quite willing to attack you to gain access to those assets. What we need to do is understand what our assets are. Charlie talked about one very specific asset which is the board papers. There would be many other assets within your organization. This could be anything from customer information, which may also be personally identifiable information, which is subject to the DPA, the Data Protection Act. It may be financial information, it may be intellectual property, it may be research and development information.

We’ll touch more on identification of threats and vulnerabilities in this presentation. That’s the area I want to concentrate most on, and then the identification of controls. If we remember back to our risk management framework, what controls can we put in place to mitigate the risk of a cyber security incident?

The big one I’d like to focus on is consequences. What’s going to happen when a threat is realized? When somebody steals our information, what are the consequences? Through the presentation we’ll look at how it depends on who is stealing the information: what the consequences might be, what is their motivation, what are they going to do with that information once they have stolen it?

Reaching back to the slides we had about the evolution of the internet, alongside that, what has evolved is the capabilities of the threat actors that you face, or the people who would like to compromise either your system’s integrity, compromise your information confidentiality, and so on and so forth. If we go back to 1998, really we are talking about script kiddies; these were generally young people who wanted to prove their technical capabilities by hacking websites. Moving fast forward to 2015, we now have crime syndicates and we actually have nation states who are engaged in this type of activity. Their resourcing and their capabilities are so much higher than the lower level threat actors we might face in terms of script kiddies.

The capabilities of our adversaries have rapidly increased; also, we are much more dependent on internet technologies today than we ever have been. Those two things together produce a real serious issue that I call the cyber security challenge. This slide, which is probably not too clear on the presentation, comes from the ENISA Threat Landscape report. They produce this report every year. They are a European organization that brings intelligence together from nation states, from CERTs and from industry and compiles the threat landscape report.

Here is the listing of the fifteen top threats. The red upward-tracing arrow means that the threat level is increasing. You can actually see to the right there, pretty much everything is red. What they are saying is that the threats that we face are growing as we go forward.

Another very useful report to look at is the IOCTA report from Europol. Again, this comes out every year. This is the part of Europol that is interested in how organized crime is using the internet. Really, what they point out is that within Europe and the UK, we are relatively wealthy compared to the nation states and the serious and organized crime groups that are operating outside of the EU. Ironically, because we are wholly connected, because we are wholly dependent on the internet, we are also a good target. If I’m going to commit a crime across the internet, I will look for countries or regions that are highly connected and have embraced the internet technologies.

We also need to look at what’s the motivation behind these threats that we face. In terms of threat actors, I’m moving on to threats and vulnerabilities. In this slide, which again is a slide taken from the ENISA threat report, what we see is we’ve got the threat actors that sit in the outer ring. What they are looking to do is to exploit vulnerabilities in your infrastructure, in your systems, to gain access to your information assets. What you see then in the second ring are your counter measures. What have you got in place to actually defeat these threat actors? As Charlie pointed out in his presentation, if you were talking about board papers as an asset, then the solution will be an effective counter measure against that.

What you find is, with threat actors, that they, as would any sort of criminal enterprise, will look for the weakest link. Where they find it difficult to defeat counter measures, unless there is a very specific target they are looking for, they will move on. I said it was all about intelligence, so let’s focus on threat actors. We need to consider what motivation our threat actors have, what do they like, what are they looking to achieve through their actions? Is it monetary gain, is it competitive advantage or is it to erode your brand, to embarrass you publicly? How the threat will manifest will be different depending on what the threat actor’s motivation is. What kind of opportunities do they have, how many ways can they look to achieve their objectives?

If your threat actor is an insider, then they are going to have a lot of opportunity to achieve their objectives. If they don’t have access to internal systems. Apologies, just some technical issues there with the microphone. In terms of resourcing, what level of access to resources do they have? Key things to think about there are how much financial backing have they got, how much time have they got, as time will afford more opportunity: if I have a longer period of time to achieve my objectives, I get more opportunity. How much background intelligence can they gather on you?

Just before we started the session here today we were chatting here about LinkedIn. Quite often when we engage in social engineering activities we use LinkedIn to find out a huge amount about, not only the organization but people who work within the organization, where they worked previously and so on and so forth. A great benefit of LinkedIn is that it creates a public profile of your company, but again when we think about downside risk, you are exposing a lot more information about your company than you may realize.


Lastly, capability: what level of sophistication do they have? If we go back to the switch where we see, sort of, I suppose, back in 1998, the level of sophistication was low, whereas the level of sophistication of many serious and organized crime groups, as far as the nation states, was incredibly high. I’m going to give an example. That’s all the theory; I’d like to spend the last few minutes of the presentation showing how this would work in principle. I’m going to assume the threat actor is the, I suppose, reasonably famous hacking group called Anonymous. This is a hacktivist group, it’s a collection of people who get together to engage in hacking activities for various, I suppose, maybe philosophical or political reasons.

Motivation: if you come into the crosshairs of Anonymous, they are going to be motivated by public embarrassment and general brand damage. Opportunity: reasonably limited. It’s limited to publicly accessible systems and standard techniques such as phishing. Generally speaking, these people are not working inside your organization and they are not an insider threat. The resourcing is high because they have access to a large network of individuals. They are spread across the globe but it’s a large group, and their capability is high because they are very technically proficient.

Using our rated threat actor, this is how we rate Anonymous as a threat actor. Let’s say we’ve got a corporate objective to launch a new service in a new sector where we want to achieve 20% market share within the next twenty four months. That is a stated goal, it’s probably been discussed at the board, the marketing campaign has been put together. A lot of thought, effort and energy has gone into this. A risk we could attach to that objective is that if there is any adverse publicity in that period, that twenty four month period, that would affect service take up, due to a lack of customer trust.

If we are in the paper for the wrong reasons, basically the marketing spin that we are making will be blunted and we probably won’t achieve our 20% market share. What is the threat? The threat is a data breach by hackers who publicly disclose the sensitive customer data for the purposes of damaging the corporate brand. This is the threat. We are going to suffer a data breach and the people who steal our data are going to publicly disclose this.

On to the vulnerability: poorly managed IT systems that are vulnerable to known exploits. We’ve got our IT systems hosting all of this information but we haven’t been managing them in the way that we should. What are the controls? One of the controls is that we should have regular IT system patching. We should be actually patching those systems against these known exploits, so the threat actors can’t actually execute their threat, if we remember back to the counter measure slide showing the threat actors. We reach back to our lookup tables. We can now work out some residual risk for this with the lookup tables.

If we were to construct a risk register, which we were going to present to the board, how would this now look? This is the end result of the risk management and risk assessment phase and this is what will be presented to a board. As we’ve stated the risk is adverse publicity that will affect the service take-up. Using my lookup tables, what I’ve said is the inherent risk is medium. The impact would be three and the likelihood would be three. What I’m saying is that the residual risk is medium. The reason for this is that we feel that the IT controls that we should have in place are not there. Therefore, the inherent and residual risks are the same.

What should the risk mitigation be? Improve the IT controls to reduce the likelihood. If we go and patch those systems, we make it harder for the threat actors to penetrate our systems and gain access to the information. What are the loss events? We are going to fail to achieve the stated growth targets. That’s the first significant impact. Also there are other associated loss events. Because this is personally identifiable information, we are going to have some kind of regulatory fine from the ICO. We are also going to have longer lasting brand damage. It won’t be just limited to this one specific objective but actually we will suffer brand damage. If you think about any company’s investment in their brand and how much they spend investing in their brand, you can actually take 8% and say, “This is how much we’ve lost.”

The next steps. What I presented there is, I suppose, at a very high level, looks complicated. It looks like it’s quite a bit of work but my advice would be to start simple and to iterate. Don’t try and boil the ocean. First of all, establish a corporate risk framework if you don’t have one. The risk framework I presented, you can get it from ISO 31000, and that will help you establish a corporate risk framework to cover all risk, not just cyber risks. If you do have one, create a new category for cyber risks.

Start with a simple table-top risk assessment. Think about the things that could go wrong from a cyber point of view and link them to your objectives. You don’t need to do the deep dive straightaway, just build a risk register, use your industry knowledge or knowledge of the business to actually rate the risks in a very subjective way, because you can refine your intelligence over time. Identify your key assets. This is something that we see time and time again, that most organizations don’t actually understand what their key assets are with respect to information. Execute the control assessments. Go and look at your IT systems, go and look at … There are plenty of cyber standards out there, from Cyber Essentials all the way up to pass 5555 and ISO 27005. Understand the current state of your controls.

Then the next evolution would be to start building threat intelligence. Acquire an ability to assess the threat landscape. What that means is being able to identify who is attacking you, try and identify why they are attacking you and try to identify how they are attacking, what kind of vulnerabilities are they looking to exploit? That’s my presentation, thank you.

Julie: It’s been very helpful I think. That’s given a lot of people things to think about. I’m going to move on to a couple of questions now. While I’m asking these questions, if any of you have got other questions you want to ask or if you’d like to ask something linked to what I’m already saying, then please just type in the box and we’ll get those questions out there. First of all, I think I’d like just to ask Charlie, can I just ask a general question of, how would you recommend we educate our directors on these quick security fixes, how do we get them to focus on it and get it on the board agenda to uphold it?

Charlie: I’ve been asked this question quite a few times. It’s a bit like, as I said, going to the dentist. I have a couple of teenage girls, so it’s a subject that I have to bring up with them every few months. You need to have your teeth checked. I think honestly it’s the function of professionals in organizations to consider what can go wrong. Part of what can go wrong is the security breaches we are talking about today and I think it should be a specific agenda item on a regular basis. Let’s say, once a year or twice a year, there should be a specific agenda item of risks to the business. There should be a paper presented to the board that considers what is in front of them, what they should be thinking about and possibly the actions they should be taking.

It’s my opinion that the company secretary of organizations is the most appropriate person to drive that agenda item. You put it on the agenda. You seek the professional help of your organization to provide the paper or you go to external parties such as Conor for them to do an assessment of your organization, to inform and educate the board. If in the end they choose to do nothing about it, that is their business. I think it is the business of the company secretary to inform, educate and provoke the question.

Julie: Thank you, we’ve got a question from Alice here who is asking, sorry I have lost it, how can a company or its directors get comfort on cyber security if it relies on third party service providers and not its own employees? The kind of company she has given as an example is an investment trust, which clearly doesn’t have any executives or anything inside. In that sort of scenario, how would you suggest they get comfort, Conor, can I ask you?

Conor: Yeah, that’s an excellent question Alice. This is something that we’ve seen in the industry as a growing need because most companies are actually outsourcing, far more than they ever did, specifically when it comes to information outsourcing. I think that’s particularly true in the financial services sector. My advice would be first of all to look at your contracts. The contracts you hold with the third parties. Ensure in the contract you’ve got the right to audit. That would be the first thing, make sure that’s always part of your Ts and Cs.

Once you’ve got the right to audit, generally I would advise to start with a questionnaire. There are many good examples out there to gauge the level of cyber security maturity of your third parties. If off the back of the questionnaire you become concerned, through the right to audit you can then actually get a third party company to go and do a cyber risk assessment and present those results back to you.

I suppose if we reach back to the legal part of the contract, having the right to terminate if you feel uncomfortable with the cyber security maturity of the third party. I think that’s a key thing that we’ve seen change over the last sort of five years, except this is now becoming a standard contract. I think it goes back to that upside downside. There is great upside to being able to be agile and have lower numbers of employees by outsourcing. The downside is you’ve got this due diligence work that you need to do.

Julie: Thanks, that’s great. I think we’ve got a couple more questions coming but in the meantime, can I just ask Charlie again, you talked about directors being out of their comfort zone with this kind of topic. I guess part of that comes from the fact that most company directors are a little bit older, IT is not something they are terribly, they haven’t grown up with it, to put it that way. How can we help them get comfortable, do you think considered, having somebody there regularly who can explain this to them in ways they can understand? What would you suggest?

Charlie: I think the problem is actually one step removed even from that Julie, which is that I have yet to meet a company director whose previous role was as a CIO or a CTO of a business. You get people who’ve come up the sales route or the finance route or the marketing route who end up as company directors. They don’t really go up the technology information route, unless it’s a specified special technology company that we are talking about. If you look at the general composition of a board, they’ve got finance skills and sales skills and HR skills. The starting point is a lack of knowledge in their executive role. However, it’s also my strong belief that the art of management is not in knowing the answer, it’s in asking the question.

What a manager should do, of every organization, whether it’s a middle manager, a senior manager or in this case a board director, is ask complicated questions, get a response and be able to understand it. In this case the question is, do we have cyber security threats? The response is an audit, it’s a paper, it’s someone coming to speak to them. Then looking at the matrix that we’ve just seen from Conor. How deep is this, how likely is it to happen, what is the potential cost out of it?

If it’s a bad answer you do something about it. If it’s a problem, you fix it. If the answer comes back, actually the level of threat is minimal, the risk is low, the cost is not high, then that’s just fine. The reality is likely to be that. It’s going to be worse.

Julie: Conor, would you like to comment on that?

Charlie: Yes, just one thing I’ve noticed through the Institute of Directors is that there is a heavy emphasis now on many boards trying to recruit people onto the board in non-exec roles that have that cyber experience and can actually ask the right questions. The second thing we’ve noticed is that with the exec directors, generally speaking, at least one of them has been nominated as being accountable for cyber security. What we are saying is that that accountability, and that need to actually, through the say, risk committee to present cyber risks, coupled with having a knowledgeable non-exec, really gets to the heart of cyber security issues.

It doesn’t mean that they go away, it just means that you actually have an awareness of what might be, what’s likely to happen and how should you react. I go back to something that’s got nothing to do with cyber security, but the horse meat scandal put one company out of business, that was Findus. The reason for that, a week after the horse meat scandal had broken, they still had on their websites that one of their core values is that they only use the best quality ingredients. They just lost all of their customer trust, nobody wants to buy their product anymore because nobody trusted them. It’s true in the cyber security world, if you lose people’s personal information, they will lose trust in you.

Charlie: My guess is the board of Volkswagen wish they had a security assessment person sitting there beside them. My guess is that someone in Germany right now is being, is very unhappy, lots of people in Germany are very unhappy because they didn’t have someone to specifically ask complicated questions that might have provoked the answer, yes, we’ve got software that is defeating these emission tests. It’s not cyber security but it is a threat. It’s aspects like that that companies should all consider.

Julie: Looking the state of why we are dealing like that and getting out. Do you recommend then, putting together some sort of cyber security committee, that can maybe report to the audit and risk committee? Is there someone at the executive level who really understands those issues and looks into it, is that the way you think we should go Charlie?

Charlie: Honestly, I don’t think it fits under the audit committee. The audit committee has a finance role. The finance role is to assess whether the audit and the financial figures that are being published to third parties are true and fair. That is their role. Their role is not to assess whether there is a cyber threat. I think a board should have an explicit agenda item on a periodic basis of external threats, full stop.

Julie: Conor, did you want to comment on that too?

Conor: Yeah, I think one of the things I’ve noticed is, it kind of goes back to my slide about how embedded we are with the internet and how systemically important it is to our economy, to our enterprises. I’m really, the crux of it is that we are entering an age now where cyber security issues can produce an impact that is similar to a financial, an operational or a health and safety risk.

If we look at transport, we look at aviation, we look at the train industries. They are heavily embracing technology to manage everything from airplanes landing at airports to trains travelling on railways. Clearly, cyber security issues can induce health and safety issues in terms of sort of lives lost in those areas if it goes wrong. What I see is that, if you go back ten years ago, the risk committees that were reporting to the board wouldn’t have considered information security risks to generate a high enough impact to be worthy of a discussion at the board. I think that’s changed now.

Information or cyber security risks can induce an impact that will significantly damage the company. For that reason, they just need to be included as part of the normal risk management framework reported through risk committees in a normal way. I think what boards need, the challenge is what boards need to do is become more fluent in cyber security. Clearly to sit on the board, as Charlie said, you’ll understand sales, you’ll understand finance, you’ll understand marketing, you’ll understand health and safety. They just need to add another string to the bow, which is information or cyber.

Julie: You don’t think the government could scheme and bring on their emphasis on cyber security, you think this is really important that people do get on top of this?

Conor: Absolutely. I think from the government point of view, what they want is they want the UK to be seen globally as the best place to do business when it comes to cyber or the internet. For that to happen, they need to have this awareness within the UK. That’s already having traction. The UK was first out of the blocks with its cyber security strategy at a national level. It was the first country to put its national risk register. Already the UK is seen as a place of excellence for this. Given the growth in cyber security as an industry, which will grow to about six billion next year, that’d be very good for the UK, top in our slice. That rests with all of the large enterprises within the UK that at board level will have these conversations.

Julie: That seems very true. Just changing very slightly, can I ask you Conor for a little more detail on one of your slides, you talked about the different, you had the slide where different people who were threats and right at the top of that we mentioned mistakes. I think some people might be a little surprised at why nation states are up there. Are they targeting individual companies, are they targeting governments, is this something that boards should be focusing on or is this a government issue?

Conor: No, very definitely, it’s something that boards should be considering. It very much depends on what industry you are in. The government have created the centre for the protection of critical infrastructure, if you are deemed to be in the area of CNI, critical national infrastructure, and that straddles energy, it straddles transport, it straddles aviation, all of those types of areas. If you provide something that, if it’s disrupted, could negatively affect the economy of the UK.

Then yes, nation states will probably be interested in infiltrating your systems, understanding what you are doing. The other thing that we’ve noticed is that, for example, geopolitically in the construction industry in South East Asia, companies bidding from the west, from the US and from Europe, bidding for very large contracts, saw a sharp drop-off in their success rates in securing those contracts.

When they went and looked at why that was happening, they realized the competitors had access to their information. They knew what they were bidding and they were able to underbid them. If, it just depends geopolitically, who you see as being your adversaries. It’s definitely not just a government issue. It’s definitely, if you are a large enterprise, particularly a global enterprise bidding for contracts all across the globe, there are going to be competitors in all the jurisdictions that won’t be hesitant to use these methods to gain a competitive advantage.

Julie: They, as you related to in your presentation, they are all very well resourced to do this?

Conor: Yes.

Julie: It’s probably another aspect that doesn’t immediately spring to mind, you have hacktivists, people that are sort of, everybody thinks about, but maybe that’s something companies need to factor in as well, whether there are risks in that and focus on that. I’m not sure we have any more questions coming through right now. We got one more, what’s the biggest easy thing a business can do to reduce the cyber risks? That’s from Mike, thank you Mike. I’ll leave, yes Conor.

Conor: I would say go and look at Cyber Essentials. It’s a government backed initiative giving you very clear guidelines as to what you can do to implement what I would call just basic cyber hygiene. That will actually protect you against pretty much most of the obvious threats such as phishing attacks, malware and those types of threats that are, I suppose, perpetrated by the lower levels of sophistication within the threat actor analysis. Essentially yes, it’s got five sections in it. Each section contains a discrete number of things that you can do.

What you can do is sort of use it as a questionnaire almost. If you go through Cyber Essentials you ask, do we do this? If the answer to many of the questions is no, then actually you’ve quite a bit of work to do just to reach basic hygiene. It can act in two ways. There is a growing number of companies that can assess you and accredit you to Cyber Essentials. One interesting point is part of the government strategy is that if you supply product or services into government you now need to be Cyber Essentials to continue to tender for that business.

Julie: It’s very useful, thank you. Thank you very much for your time today. It’s been really interesting and really useful. Thank you all for joining. Just to remind you that this was recorded and the link to that will be sent out to you. Many thanks for attending this webinar today. Thank you.