The past couple of years have provided ample evidence of how serious the consequences of a hacker attack can be for a company. TalkTalk recently said the cyber attack it suffered in October 2015 cost it £60 million and lost it over 100,000 customers.

No CEO would want their tenure at a firm being defined by a hacker attack, so what can an incoming business leader do to ensure that a company’s data-security systems are up to the job?

I did a quick Twitter poll to find out what people thought a new CEO (or any other senior business leader) should do.

In my poll I gave people four options:

  • ask the company’s Chief Information Officer (CIO)
  • ask to see the company’s ISO 27001 certificate
  • hire a penetration tester, otherwise known as a white hat hacker
  • don’t ask at all, as it isn’t your responsibility to know about your IT system

It was a straw poll, not a scientific survey, but the responses had the ring of truth to me. The most popular response by far, at 44%, was to ask the company’s CIO to vouch for the systems’ integrity. The next most popular option, at 25%, was to ask to see the company’s ISO 27001 certificate. Third, with 19%, was to hire a friendly hacker, while 12% said the CEO simply shouldn’t bother to find out.

Ask the CIO

Asking the CIO for assurances about the strength of the firm’s IT security is the obvious, commonsense first option, but it raises the question: would the CIO truly know how safe the systems are? They should know, I fully agree, but the only way to really know how strong the IT security is, is to stress-test the systems.

A recent survey by security and data risk management company Absolute revealed a generation gap between younger and older IT decision makers. Many of the younger IT managers (under 45) are in tune with the problem and actively test their own systems by hacking into them, whereas barely more than one in ten of the older IT managers do so.

But if the CIO either isn’t sure of the strength of the company’s systems, or is aware of potential flaws in those systems, will he or she admit as much to the new boss? I then asked some of those who I knew had participated in the Twitter poll whether those who would ask the CIO would definitely believe the CIO’s assurances: over half of respondents said they probably wouldn’t, without further corroboration.

Ask if the firm is certified

There is obvious sense in asking if the company is ISO 27001 certified. It is, after all, the international standard for information security management systems, part of the ISO/IEC 27000 family of standards aimed at keeping information secure. But it’s important not to put too much blind faith in an ISO certificate. It shows that a company has thought about the risk and devised procedures to mitigate that risk, but it doesn’t guarantee those procedures are followed in everyday life. A third of IT managers admitted in the Absolute survey that not all security procedures are being followed. A certificate also has a defined scope, which may cover only part of the business, so it is worth checking which systems and sites it actually applies to. If I were an incoming business leader then I would want to know when the certificate was issued, as well as how long ago the procedures had been audited and stress-tested.

I see an online self-assessment is available as part of the Government’s Cyber Essentials initiative.

I applaud this as a first step for those who are only starting to get their systems secure and who then decide to gain a Cyber Essentials certificate. But this is probably the hottest business issue in the coming years, and I’m sure that businesses’ IT security will become a key criterion in awarding contracts. If I were deciding which company to do business with, a self-assessment certificate would show me that your firm is nothing more than an eager amateur when it comes to cyber security.

Hire your own ‘white hat hacker’

This, in my opinion, is what every new CEO should do when joining a company. ‘Hacker’ has become a much-maligned term in recent years, but there are many who break into firms’ IT systems with the right motives – and at the firms’ request.

The penetration tester – as a white hat hacker is otherwise known – will offer an independent assessment of the strength of a business’s systems; if there are weaknesses, the tester should identify them and explain to the company how to address them. A penetration test is a snapshot: it covers the systems in scope on the day it is run, so it needs repeating after any significant change to those systems. I think it’s the only way a CEO can be reasonably sure of the firm’s IT systems’ integrity and security. I say reasonably, because no system will ever be totally secure. Your task is to make it as hard as you possibly can for hackers to break into yours.

Barclays has its own team of hackers to test its systems, on the basis that to beat the hackers you have to act and think like them. I totally agree, and in fact, I have a guy who can do a ‘quick and dirty’ assessment of a firm’s IT security for me. Most of the time, he finds open doors in the systems he tests – without going through them.

I think there are still too many CEOs who take it for granted that their firms’ IT systems are secure, and who don’t bother to get an expert to test whether this assumption is correct.

I’m sure there are still many small business owners who will read this and think: so what? They still cling to the idea that they are too small to attract hackers’ attention. But according to the government, a third of UK SMEs suffered a cyber attack from someone outside their business in 2014.

Also, as I’ve pointed out in my previous columns, hackers will try to break into big companies through their smaller suppliers’ insecure systems – you don’t want to be the weak link in that supply chain. Meanwhile, the Internet of Things (#IoT) is not only making systems more interconnected; it also makes them more vulnerable, because every device added to the network is another potential way in. Black hat hackers have reportedly increased their scans for vulnerabilities by more than 450% since the rise of IoT.

So, the next time a telecoms giant or big retail group makes the headlines for being hacked you could ask: ‘How did they let that happen?’ But then your next question should be: ‘Have I done enough to prevent it happening to my firm?’


The views, opinions and positions expressed within a guest post are those of the author and do not represent those of Hiscox or its employees. The accuracy, completeness and validity of any statement made within a guest blog are not guaranteed and we accept no liability for any errors, omissions or representations or any liability regarding infringement of intellectual property rights.