The National Cyber Security Centre held its flagship event, CyberUK, on 24-25 April. IT experts and business leaders discuss how best to protect corporate systems and data
CIARAN MARTIN is CEO of the National Cyber Security Centre (NCSC), the government body that helps public- and private-sector organisations to safeguard their IT systems
As recently as five years ago, the advice that western governments were giving businesses on cyber security was technically limited. What’s more, much of this guidance focused on telling well-governed organisations to manage risk well. What it didn’t really tell them was to approach cyber risk in just the same way as they would any other risk.
I marvel at the effectiveness with which businesses deal with the complex array of risks facing them, from financial liabilities to health and safety responsibilities. When you put it in that context, cyber risk is something they are also well capable of managing. It’s simply a case of giving them the right tools for the task.
With this in mind, the NCSC has published a Board Toolkit to help directors understand the dynamics of cyber risk management. This sets out five questions that all boards should ask their chief information security officers:
* How do we defend against phishing attacks?
* How do we control the use of privileged IT accounts?
* How do we keep our systems up to date?
* How do we ensure that our partners and suppliers protect the data we share with them?
* What authentication methods are being used to control access to our data?
The NCSC has in fact observed more consistency than change in the types of cyber attacks that should be of concern to ordinary businesses. At a recent government event for 60 business leaders, we analysed a global assault on IT service providers and their clients that had been attributed to the Chinese state. This was a profound attack, but the Japanese authorities believe that one of its entry methods was the Melissa virus, which dates all the way back to 1999.
This case highlights the critical importance of keeping your software up to date. Any modern version of Microsoft Windows would have blocked this virus. If you had been running an old version and been targeted, you might not have been so fortunate.
ANNE DUNCAN, chair, digital and technology leadership initiative, IoD France executive committee
The number-one point to make about cyber security is that it’s not the preserve of the IT department or a particular individual in your organisation. It’s everybody’s business.
At the IoD we have a strong focus on training our members in effective corporate governance, which is extremely important. Cyber security and data privacy have become matters of governance – directors are now responsible for these issues and for how their management feeds down through the organisation.
As part of the digital and technology leadership initiative I run for IoD France, we invite business leaders to discuss issues of cyber security. These forums operate under Chatham House rules, so participants can say “this is what happened in my company” safe in the knowledge that their identity and that of their organisation will not be disclosed.
There are still certain details you wouldn’t want to share, of course, but the forum enables important conversations to start. Because you are surrounded by experts at these events, you can also improve your knowledge, which will equip you better to make key improvements when you return to your organisation.
CODY BROCIOUS, security researcher and head of hacker education, HackerOne
White-hat hackers are folk who hack in an ethical way, generally at the behest of firms wishing to protect themselves. Bug bounty hunters are white-hat hackers who specialise in finding vulnerabilities in an effort to make the internet a more secure place while developing their own skills and, possibly, earning money.
My firm, HackerOne, helps to improve companies’ cyber security in three ways. We work with them to manage vulnerability disclosure programmes, where hackers and security researchers can report bugs without fear of any legal repercussions. We run bug bounty challenges that pay hackers to find and report vulnerabilities. And we hold courses that help both hackers to hone their skills and developers to secure their code.
All of these efforts improve cyber security for our corporate partners and also for firms that we don’t work with directly.
Password reuse is a huge risk, but one of the easiest to solve. My advice to anyone running a small business is to use a password manager with a long passphrase and apply a different, randomly generated, password for every website.
ANDY TILLMAN, director of intelligence, Tillmana Group
GDPR has probably either forced smaller businesses to push cyber security higher up their agendas than ever before or made them bury their heads deeper in the sand. Yes, there is now a requirement to report a breach, but I think this will still come down to an assessment of the pros and cons of doing so.
Smaller businesses are often treated as poor relations, especially when it comes to cyber security. The services available to them in this field aren’t as good as they should be. In fact, SMEs ought to be offered a certain level of free assistance – it’s a question of whether we want a utopian society where large businesses help smaller firms and so protect their supply chains.
Whenever I do a talk on “compromise by coercion”, which is a fancy way of saying “blackmail”, I highlight how easy it is to identify and profile key individuals in a company. This always shocks business leaders in the audience. You need to understand that such threats exist, but also remember that the world is not as scary as some people make out.
Andrew Tillman is an education and skills ambassador for IoD Suffolk
PETER MATTHEWS, chief executive, Metro Communications
There are lots of people who play on the fear that exists about being hacked. They say to businesses: “Hackers will break into your systems, steal your data and sell it on the black market, so you need to buy this product of ours.” We need to shift that narrative.
People say that tech moves quickly, but human error is still the easiest way for someone to infiltrate your systems. You have to be aware that many cyber criminals focus on social engineering. They can find enough information about you on social media to enable them to send an email that looks credible enough for you to open. Online, I tend to deal only with people whom I already know.
If you do one thing tomorrow, I recommend that you visit the NCSC’s website and download 10 Steps to Cyber Security. You don’t need to buy anything and there doesn’t have to be a huge plan. It’s simply about applying common sense. If you take the basic precautions, you’ll start to put some clear water between your firm and the cyber criminals.
Peter Matthews is a member of IoD London